If you are looking for career advancement in information security, you might need more than a strong work ethic. To be sure that job candidates have the knowledge they seek, rising numbers of employers are searching for one specific ingredient on a resume - a certification.
According to some experts, candidates are judged by their certifications, which are seen as a guarantee that someone has the level of knowledge required to be considered for a job.
"It's increasingly important to have a certification, particularly if you're going to get to the level of chief information security officer," says David Cullinane, president of the Information Systems Security Association (ISSA). "I know some really good people who don't have their CISSP (Certified Information Systems Security Professional), or some equivalent certification, and are having a hard time getting the jobs they want for that simple reason - they can't get past the first cut."
The CISSP designation from the International Information Systems Security Certification Consortium - or (ISC)2 - is often referred to as the de facto standard when it comes to information security certifications; (ISC)2 itself describes it as the "International Gold Standard." But companies and government agencies also place importance on more technical certifications, such as the SANS Institute's Global Information Assurance Certification (GIAC).
Depending on the type of job, other certifications may come into play, such as Certified Information Systems Auditor (CISA) or vendor-specific ones that demonstrate proficiency with particular products like Check Point firewalls. And new certifications are appearing all the time, like the recently introduced Certified Information Security Manager (CISM) from the Information Systems Audit and Control Association (ISACA).
A certification not only boosts credibility and helps get your foot in the door, but it can also mean more money. Bonus premium pay for security certifications rose 2.3 percent in the past 12 months and nearly 16 percent in the past two years, according to a recent report by management consultants Foote Partners. That compares to a drop of about six percent in value for IT certifications overall, says president and chief research officer David Foote.
"Security certifications have been holding their value much better than most other categories of certifications, with the exception of project management," he says. Security certifications can be a dizzying array of abbreviations, so here is a rundown of some of the primary ones, along with newer programs that are gaining in popularity.
The U.S. Department of Veterans Affairs uses the CISSP to judge an individual's overall security knowledge, explains Bruce Brody, the department's associate deputy assistant secretary for cyber and information security.
"We put a tremendous emphasis on it because we believe it helps professionalize the work force," he adds. "Those people who have it compared to those who don't are generally one more rung up the professional ladder."
Jeff Johnson, a 20-year security veteran and vice-president of professional services at security startup OverSight Technologies, says CISSP is aimed at career security professionals. He believes it's the only universally recognized certification in the security industry.
"If you're going to get into a manager role and not just be a security auditor or administrator, sooner or later you're going to want that promotion. As soon as you go from 'I configure firewalls' to 'I manage firewall programs', that's when you need CISSP, because it has the backbone for how to think through the risk analysis, the budgetary aspects, the other things that impact the firewall. It provides the broad base of skills that any manager in our field should have," he says.
Some 20,000 CISSP credentials have been awarded worldwide since (ISC)2 began issuing them in the mid 90s, says Dow Williamson, (ISC)2 director of communications.
The CISSP examination is based on the Common Body of Knowledge (CBK), a compendium of information security best practices developed and maintained by (ISC)2, a non-profit organization formed in 1989. The CBK is made up of 10 domains:
- access control systems and methodology;
- applications and systems development security;
- business continuity planning and disaster recovery planning;
- cryptography;
- law, investigation and ethics;
- operations security;
- physical security;
- security architecture and models;
- security management practices;
- telecommunications and network security.
Williamson notes that CISSP is vendor neutral. "You won't find specific information on a particular piece of Microsoft software or Cisco hardware... It's policies and procedures and best practices that don't pertain to any specific piece of technology," he says.
To earn a CISSP, a person must pass the exam and have four years of professional information security experience in one or more of the CBK domains, or three years of experience plus a bachelor's degree. The candidate must also subscribe to the (ISC)2 code of ethics. Maintaining the certification requires earning 120 Continuing Professional Education credits every three years.
"It [CISSP] is not one of those things that you wake up one day and decide you want to be, go downtown and sit in a class for eight hours and get your certificate," insists Williamson. "It's a multi-year commitment."
If someone chooses to take a training course, (ISC)2 Institute, the organization's training arm, offers CBK review seminars. The cost of a one-week training course is $2,495. The exam costs $450. Training is also offered by official (ISC)2 partners as well as unofficial training organizations.
According to Foote Partners' study, bonus premium pay for the CISSP rose 22 percent over the past year.
This year, (ISC)2 added two concentrations to the CISSP - management and architecture - to allow security professionals to validate specialized expertise. The organization also launched a government concentration, developed with the National Security Agency: the Information Systems Security Engineering Professional (ISSEP), designed for security professionals who want to work for the NSA.
As well as CISSP, (ISC)2 administers the Systems Security Certified Practitioner (SSCP). While the CISSP focuses on policy and management, and targets senior and mid-level security managers, SSCP is geared for more technical staffers, including senior security and network administrators, says Williamson. (ISC)2 has issued about 500 SSCPs.
Like CISSP, SSCP is vendor neutral. To earn an SSCP, applicants must subscribe to the (ISC)2 code of ethics, have a minimum of one year's experience in one or more of the SSCP CBK domains, and, of course, pass the exam.
The GIAC certifications demonstrate technical proficiency in specific areas, such as firewalls, forensics, and incident handling, something that is becoming increasingly important to companies, says the ISSA's Cullinane.
"You're hiring people to work on your network security... You want not only the engineering background, but to make sure that they understand the capabilities of firewalls, the differences between different firewalls and how to configure them properly," he explains. SANS has a reputation for "excellence," with rigorous requirements for its instructors, he adds.
The SANS Institute founded GIAC in 1999 and has awarded GIAC certifications to 5,538 individuals since 2000. In addition to certifications for firewall analyst, intrusion analyst, systems and network auditor and other security specialties, GIAC offers a Security Essentials certification for entry-level people, as well as a Security Expert designation for top practitioners.
GIAC certifications are vendor neutral, which is advantageous, says Stephen Northcutt, GIAC director. For example, someone who works with a particular firewall cannot be sure that the company won't decide to switch to another firewall.
SANS has a "bit of a bias towards free tools," such as the Snort network intrusion detection system and the Nessus security scanner, adds Northcutt. For each GIAC certification, a candidate has to complete a written "practical assignment" that demonstrates hands-on expertise, and pass one or more exams. Most GIAC certifications must be renewed every two years by taking a refresher exam.
SANS offers training for the GIAC certifications online and through conferences. Either option costs $250 and includes the exam. Someone can also take the "GIAC Challenge" - or exam only - for $450.
Foote Partners' study showed that bonus premium pay rose 13 percent for two GIAC certifications: Certified Unix Security Administrator and Certified Windows Security Administrator.
The Computing Technology Industry Association's (CompTIA) Security+ is among the newer security certifications. Launched last December, Security+ was developed by a CompTIA committee of vendors, government agencies and professional organizations. The goal of the certification is to provide a "foundation level in security," explains Kris Madura, CompTIA's security program manager.
"What we promote to the candidate is that Security+ is a place to start. It's the foundation from which they can work to begin and advance their career in security," she says.
However, while Security+ is broad in reach, adds Madura, it is very specific and technical. To earn the certification, an individual must pass an exam that tests them on a range of topics, including access control, authentication, basics of cryptography and operational security. Candidates should have at least two years of networking experience with an emphasis on security.
Security+ is gaining traction quickly, with companies such as IBM making it a requirement for certain employees, she continues. So far, around 2,500 professionals have earned the Security+ certification in 65 countries.
The Security+ exam is available to CompTIA corporate members for $175 and to non-members for $225. Candidates have a number of options for training, including self-study books, online courses or classroom training. CompTIA doesn't produce or sell training for exams, says Madura, but puts its stamp of approval on quality training through its Authorized Quality Curriculum and Learning Alliance programs.
GIAC's Northcutt says several new security certifications are lightweight and amount to shams, but Security+ is one of the exceptions. The program was developed with plenty of consensus and doesn't purport to be more than a foundation in security.
"If someone comes in with Security+ ... it shows they bothered learning this task before applying for a job," he says. "I like that, it shows initiative. It doesn't mean I'm going to put them in charge of my whole security program."
Another new certification attracting attention is the CISM from the Information Systems Audit and Control Association (ISACA). Introduced last year, with the first exam offered in June, the CISM is designed for experienced professionals responsible for managing an enterprise-wide information security program.
CISM recognizes the changing role of the security manager, a role that now requires understanding business issues as much as technical knowledge, says Leslie Macartney, chair of the CISM Certification Board and CISO for Reuters.
"During the 15 years that I've held senior management positions in security, the way we manage security has changed," she explains. "Security managers nowadays are looking at business just as much as they are looking at technology."
In addition to passing an exam, CISM candidates must adhere to the ISACA Code of Professional Ethics and submit evidence of at least five years of information security work experience, including at least three years of security management experience in three or more job practice areas.
Until December 31, experienced security managers can earn a CISM without taking the exam, under a grandfathering program.
So far, nearly 800 professionals have received the CISM designation. The next exam will be held June 12. Registration fees range from $325 to $495, depending on whether someone is an ISACA member or registers early. Study aids cost $35 to $100. Some ISACA chapters offer study programs.
David Foote predicts that CISM will build momentum and rank among the top certifications as demand grows for management-level certifications. It "fits the bill for those qualities most in demand" in security managers, he says.
Companies "are looking for global experience, experience in regulatory matters, not just the technical fundamentals," he continues. "They're really looking for an executive who can sell the concept of investing in security, which is very difficult."
ISACA also offers the CISA designation, which is important for certain security positions, says Paul Rohmeyer, chief operating officer with security-services firm Icons: "In security, you have a lot of people who straddle that line between security and audit."
Auditors play a large role in the U.S. government, making the CISA key for some federal security personnel, says Brody of the Veterans Affairs department. "We have to be accountable to that oversight, so we need to understand the terminology of the audit community and we need to understand how they go about doing their work, so we can be responsive," he adds.
Of the 57 overall IT certifications covered by Foote Partners, CISA had the highest growth in premium pay over the past year, up 25 percent.
The more hands-on the role, the more important a vendor technical certification becomes, believes Rohmeyer. "Those certifications don't only imply that they are competent on exams for market-leading products, but imply an overall strength to their [certificate holders'] background as technologists," he says.
With Check Point Software Technologies' dominance in the enterprise firewall market, its certifications are in great demand. More than 250 Check Point Authorized Training Centers currently offer training worldwide for the Check Point Certified Security Administrator and the Check Point Certified Security Expert.
Symantec's certifications are also cited as useful by some security professionals for Symantec environments. The vendor offers Symantec Certified Security Engineer, Symantec Certified Technology Architect and Symantec Certified Security Practitioner. This summer, the vendor overhauled its certification program, replacing product-specific exams with tests in broad security areas and recognizing vendor-neutral security certifications.
But there's more
While it's good that organizations are recruiting people who have taken the time and have proved they have the discipline to acquire and maintain certifications, such designations don't mean that someone can do everything, warns Reuters' Macartney.
"A lot of industry people would like to say... He's got an A, B, C or D, therefore he can do this job," she says. "Life is never going to be that easy. You have to look at the industry that the person's worked in, the type of environments, the size of the organization."
So qualifications are a good thing, but experience still counts for a lot. According to Icons' Rohmeyer, while certifications are important, they test someone's understanding on a limited set of factors.
"I don't think a certification replaces experience or educational credentials," he says. "Certifications are part of the puzzle, but by no means should people confuse them with true measures of competence."