With all the security certifications available today, how is an IT manager to know which certifications should be required of applicants or even which might be helpful to pursue personally? To analyze this, begin by examining the need for certifications and what they offer.
The first question is: do certifications mean anything at all? Some people consider them to be barely worth the paper on which they're printed. Nevertheless, many companies are beginning to require security certification either before or shortly after hire to validate an employee's skills.
Spectrum Health requires candidates for any IT security-related position to either have or obtain the Global Information Assurance Certification's GIAC Security Essentials Certification (GSEC) within six months of hire, says Darrin Wassom, a technical architect at the organization.
Next, the certification must test skills that prove more than "book-level" proficiency. I have always been good at testing on material I have recently read, but this doesn't prove that I will be able to apply that knowledge in complex networks.
Security certification must be vendor-neutral. While certifications from market leaders such as Cisco Systems and Microsoft are useful in a focused environment, security professionals must be able to demonstrate a range of skills and understand what is required to secure a heterogeneous network of products from different manufacturers.
Using these three criteria, three security certification programs merit a closer look: CompTIA Security+, the International Information Systems Security Certification Consortium's ((ISC)²) Certified Information Systems Security Professional (CISSP) and the aforementioned GIAC GSEC.
Security+ is designed as an entry-level security certification for people with at least two years of network experience. The test consists of a proctored exam with 100 questions that must be completed in 90 minutes. There is no requirement to renew the certification or prove ongoing education.
Security+ is a good credential to require of general IT staff, according to Julie Baumler, a senior systems administrator who holds CISSP, Security+ and several GIAC certifications.
"I see Security+ as of more value to system and network administrators than security professionals. I think it shows a basic understanding of the security concepts necessary to be a good administrator," she says.
The CISSP is the most well-known IT security certification. Applicants must attest that they have either four years' experience in the security field or three years of experience and a degree. The certification also requires successful completion of a 250-question exam within six hours.
To maintain the certification in good standing, a CISSP must submit 120 continuing professional education (CPE) credits within each three-year renewal period or retake the exam to remain certified.
The CISSP exam covers all major areas of IT security at a somewhat high level, making it well targeted for IT managers and security consultants. The credential demonstrates that the candidate understands security from a top-level view, and the CPE requirement proves ongoing training.
Being the best known also gives the CISSP a lot of weight in the marketplace.
"I've held my CISSP certification since 1998, and I know that it's been instrumental in my career both in the military and as a government contractor. With it comes credibility," says Robert Ashworth, a security consultant.
The GSEC certification covers material similar to the CISSP but with greater emphasis on the technical details. To become certified, candidates must write a research paper on a security topic of their choice (referred to as a practical assignment) and successfully complete two open-book exams of 100 questions each. Candidates must complete each online exam within three hours. The certification must be renewed every two years by passing a 90-question exam.
The GSEC certification is not as well known as the first two, but has been gaining popularity and is beginning to show up in more job postings. In addition to the 10 security domains included in the CISSP, GSEC tests specific knowledge of network fundamentals such as TCP/IP and many other detailed technologies. These additional aspects of the curriculum are critical for any hands-on security practitioner.
Hiring managers also might consult a GSEC-certified applicant's written practical assignment and GSEC test scores on the GIAC Web site, as Spectrum Health's Wassom does before an interview.
"We can get a really good feel of how a person is technically or process-wise just by reading their practical," Wassom says. As such, this is a good certification for hands-on technical positions such as consultants or security administrators.
Overall, any of these highlighted certifications can help demonstrate an applicant's interest in security and varying levels of knowledge and expertise. However, the lack of any follow-up requirements for Security+ diminishes its usefulness after a few years, and the ongoing value of CISSP is somewhat dependent on the specific training taken to meet the CPE credit requirement.
The technical focus, published technical paper and renewal test requirements of the GSEC provide the best assurance of security knowledge and ability on an ongoing basis.
Kenneth Rode is manager of internal operations for Unapen Inc. and holds the GSEC, GIAC Certified Firewall Analyst and GIAC Certified Incident Handler certifications.