You might be one of the many people considering obtaining a certification, whether your goal is to make more money in your existing job, to further your career in other ways or just to augment your own personal satisfaction.What's out there?
The problem is there are so many certifications available. Choosing the best one might prove to be a challenge. Not only are there security-specific certifications (such as Certified Information Systems Security Professional, Security+ and TruSecure ICSA Certified Security Associate), but there are also vendor-specific security certifications (such as those from Cisco and Check Point), and network/system-only certifications (like Microsoft Certified System Engineer and Red Hat Certified Engineer). Which one should you choose? Which one is best for you? Later in this article I will tell you about some of my personal experiences. Perhaps my experience will help you choose your path. Follow your strengths
Should you go after network or security certifications? The answer depends on your personal strengths and goals. For people who are hands-on, the more vendor-specific certifications might be more appropriate. Perhaps you aren't a hands-on person but desire to become more specialized in a particular type of information security technology, such as firewalls or intrusion detection. Here's a list of some of the popular vendor-specific security certification programs:
- Cisco Certified Security Professional
- Cisco Firewall Specialist
- Cisco VPN Specialist
- Cisco IDS Specialist
- Check Point Certified Security Administrator
- Check Point Certified Security Engineer
- RSA Certified Professional Program
- Symantec Certified Security Specialist
Certification Magazine's survey of the most popular non-security certifications include Microsoft Certified Systems Engineer (MCSE), Microsoft Certified Professional (MCP), Red Hat Certified Engineer (RHCE) and Certified Internet Webmaster (CIW).Don't rule out networking
While the trend seems to be focusing on security certifications, there's still much interest in network-only certifications, such as the Cisco Certified Internetwork Expert (CCIE) certification. The CCIE has three distinct tracks: routing and switching, communications and services, and security. These tracks require mastery of core internetworking topics, such as:
- Internet Protocol
- IP Routing
- Frame relay
- IP multicast
- Performance management
The study topics required for a network certification are vastly different from those for a security certification. In fact, many of the training programs for network certifications involve extensive hands-on lab experience. For example, in the CCIE lab the candidate is presented with a complex design to implement from the physical layer up. This is not for the faint of heart.What's in demand?
So what's in store for the future? Becky Nagel wrote an article for CertCities.com that talks about the hottest certifications for 2003. Nagel ranks the fastest-growing titles based on the site's annual survey results and on "buzz score," which is a number that reflects the industry's "take" on a certification, its reputation, accolades it's received, reader response and the magazine editors' ranking of it. Nagel's list includes:
- Cisco Certified Internetwork Expert (CCIE)
- Red Hat Certified Engineer (RHCE)
- Cisco Certified Network Professional (CCNP)
- Certified Information Systems Security Professional (CISSP)
- Check Point Certified Security Administrator (CCSA)
- Microsoft Certified Systems Administrator (MCSA)
- Sun Certified System Administrator for Solaris Operating Environment
- (Tie) Citrix Certified Enterprise Administrator (CCEA), Microsoft Certified Database Administrator (MCDBA)
Judging from this list, it seems that the focus is now changing from all-purpose to more technology-specific certifications.
Cushing Anderson, program director for learning services research at Framingham, Mass.-based International Data Corp., follows network and security certifications very closely. He said that in 2001, nearly 25,000 IT professionals received security-related certifications. The total number of security-certified professionals is close to 40,000. This is a very small amount compared with the hundreds of thousands of people who have networking and administration certifications. He also noted that more specialized certifications for application development and database management also experienced fast growth. An interesting trend, Anderson noted, was that many non-security certifications include some security component. Take, for instance, the CCIE certification. While its emphasis is on network-related topics, there's also a security component.My personal path to certification
Many people have asked me why I selected the certifications I have and what I thought of the exams. First of all, I should say that for many years I didn't believe in certifications. I've worked with many certification holders who basically were able to attend a boot camp class and pass the test but didn't have the hands-on experience that comes from doing any real work. I'm not saying that everyone attending a boot camp course fits in this category, but there are many non-certified people out there that can run rings around those with certifications. Nevertheless, because of corporate layoffs and the need to distinguish oneself from the rest during a job interview, I decided to go down the certification path.
I also had the same dilemma that many of you face: vendor-neutral or vendor certification? I decided to go down the vendor-neutral path. Why? It wasn't my desire to specialize in one specific information security technology. So those vendor-specific certifications weren't an option. All areas of information security are fascinating to me, and the CISSP seemed to have all of those aspects in one certification. At that time, I was writing a book that covered the CISSP, TruSecure ICSA Certified Security Associate (TICSA), SANS GSEC and Systems Security Certified Practitioner (SSCP). I ended up taking the SSCP only because it was included in the book. Next, I became involved in the beta program for the TruSecure ICSA certification. The TICSA covers some, but not all, of the same topics as the CISSP. Finally, this year the beta exam for the Security+ certification came out. Truth be told, I signed up to take the test at the last minute (the beta test was only $90). I'm not sure how well I did, but I passed. This isn't to say it's an easy test, but having taken the other three exams helped a lot. In addition, I teach information security courses for the SANS Institute, so I work with this material day in and day out.
Of the four certifications I have, I would say the CISSP was the hardest to get because of the number of questions (250) and the six hours they give you to take the test. Granted, the CISSP was the first test I took, and I had been out of the test-taking mindset for a long time. Taking these tests can be nerve-racking and exhausting. Other certification exams that are difficult include any from the SANS Institute. Not only do you have many questions to answer, but also you have to write a paper. My next goal is to take the SANS Security Essentials Certification (GSEC) exam.Certified choice
The thing to consider when selecting your certification track is to determine what path you want to take: generic certification or vendor/technology-specific. There's nothing wrong with being a "jack of all trades and master of none." However, with an increasing number of people obtaining their certifications, your strategy might be to adopt the motto, "Certification differentiation by specialization." About the author
Mark Edmead (CISSP, SSCP, TICSA, Security+) is president of MTE Software Inc. (www.mtesoft.com). He has more than 25 years' experience in software development, product development and network systems security. Fortune 500 companies have turned to Edmead often to help them with projects related to Internet and computer security. He was managing editor of SANS Digest and contributing editor to the SANS Step-by-Step Windows NT Security Guide. Mark previously worked as part of KPMG's information risk management group and IBM's privacy and security group, where he performed network security assessments and security system reviews and worked on the development of security recommendations and ethical hacking. Other projects included assisting companies in developing secure and reliable network system architectures for their Web-enabled businesses. Mark is co-author of the book Windows NT: Performance, Monitoring and Tuning, published by New Riders, and editor of the SANS Business Continuity/Disaster Recovery Plan Step-by-Step Guide. He also writes Security Spotlight tips for SearchSystemsManagement.com, where he serves as a security expert. MORE ON THIS TOPIC:
>> Read certification guru Ed Tittel's survey of vendor-specific security certifications. >> This tip offers an overview of vendor-neutral security certifications. >> Read expert advice on the most valuable security certification.
This was first published in January 2003