The Security Certification Quagmire

Date: May 30, 2003. By Steve Kalman. Article is provided courtesy of Cisco Press.
The decision of certification type can be a difficult one. Learn the specifics of various certifications to help you take the steps toward choosing the one that is best for you.

Security is a booming business. People who never gave it a second thought are suddenly scrambling to make sure that they can say that they’ve secured their systems. Even in a very tight time for IT budgets, security-related expenses are getting approved. With so much attention on security projects, managers are demanding that the people they hire or contract to design and install security perimeters know exactly what they’re doing. To satisfy that demand, more than two dozen security certifications have been developed.

They fall into three categories:

  1. Vendor product-based certifications

  2. Training organization-sponsored certifications

  3. Independent (also known as “vendor-neutral”) certifications

With so many certifications in play, security practitioners have a difficult time deciding which to obtain. One thing that remains uniform is that certification is now essential. When a prospective employer asks, "Why don’t you have any certifications?" the interview is over. Having a certification that the interviewer is unfamiliar with isn’t all bad; a good candidate can use that to explain his or her background in terms of the certificate's requirements. Of course, having a certification that the interviewer already respects is especially useful.

None of the certifications are free. Some require expensive training programs, others require one or more tests, a few require hands-on demonstration of skills (called "labs"). The sponsors of each certification have different motives for creating and promoting them.

Vendor-Based Certifications

Vendors are of two minds. They create certifications so they can promise potential buyers that there are a large number of people (potential employees and contractors) who have expertise in the product, thus making the product a safer purchase than one from a competitor who cannot deliver pre-trained people. As a rule, these vendors make their certification process only as difficult as it needs to be in order to make it legitimate. In some cases, the vendors will create introductory (relatively easy to get) and advanced (much harder to acquire) certifications. Cisco Systems is a case in point. The introductory certifications, CCNA® and CCDA®, can be earned with one exam each. There are intermediate certifications such as Cisco’s CCSP™, and at the other extreme, the most advanced vendor certification is Cisco’s CCIE® Security; it has a lab requirement and is one of the hardest and most respected of all certifications.

Practitioners acquire these certifications in direct proportion to product sales. Having demonstrated expertise in a product that has no market share is pointless.

Vendor Specific Certifications

| Certification | Organization | Goals/Definition | Prerequisites |
|---|---|---|---|
| ACSCD: Avaya Certified Specialist in Computer Design | Avaya Inc. | Recognizes the technical skills to design voice and data applications. | Exam plus recertification every two years. |
| ACSCI: Avaya Certified Specialist in Computer Implementation | Avaya Inc. | Recognizes the technical skills to implement voice and data applications. | Exam plus recertification every two years. |
| CCSE: Check Point Certified Professional | Check Point | Certifies that an individual is prepared to deploy and properly configure Check Point firewall and VPN products. | Exam plus recertification when new product versions are released. |
| CCSP: Cisco Certified Security Professional | Cisco Systems | Certifies that the holder has expertise in designing and implementing Cisco secure networks. | CCNA plus five subject area exams and recertification every three years. |
| CCIE-Security | Cisco Systems | CCIE Security represents the industry's most comprehensive and rigorous security-related certification from any vendor. Candidates must demonstrate a high level of expertise by physically configuring a secure enterprise network under timed, stressful conditions. | Exam, lab, recertification. Lab scenarios involve a variety of products and technologies including firewalls, intrusion detection, authentication servers, routers and switches. |
| LCTE: Lucent Certified Technical Expert | Lucent Technologies | Certifies that the holder understands both the underlying security technologies such as firewalls and VPNs and the Lucent products used to implement them. | Exam and lab. |
| RSA/CSE: RSA Certified Systems Engineer | RSA Security | Designed for security professionals who need to demonstrate their knowledge and skill in maintaining security systems that use RSA security products. | Exam plus recertification upon major new product release. |
| Protocol Analyst Specialist | WildPackets | Certifies a high level of expertise in interpretation of protocol analysis trace files and performance statistics. | Exam, including live analysis of a packet trace. |

Training Organization-Sponsored Certifications

Training organizations are in the business of selling courses. In order to convince a student to take an extra course or two, they’ll offer a multicourse discount and a certification as a reward for attending a series of courses (and passing a relatively simple exam). Students hope that the certification will help them in the job marketplace; to the extent that managers recognize the training company, it does.

Training Organization Certifications

| Certification | Organization | Goals/Definition | Prerequisites |
|---|---|---|---|
| Network Security Certified Professional | Learning Tree | Certifies the skills and knowledge necessary to maintain critical data and systems. | Four exams. Admittance to the exam is based on attendance at a Learning Tree course. |
| Certified NetAnalyst: Security | Pine Mountain Group | Certification indicates an in-depth understanding of major information security issues and standards. | Exam, admittance to which is based on attending a course at an authorized training partner. |

Independent Organization Certifications

These certifications are designed to meet the needs of employers who want to be assured that the certification holders have significant expertise in solving real-world problems. In many cases, the sponsors are also in a profit-making business. When an organization like (ISC)2 or ISACA collects $500 from each examinee and tests a few thousand candidates a year, millions of dollars of revenue are being generated. Those certifications are generally much harder to get than the vendor or training organization certifications, but as a result, they’re more valuable to both the holder and the employer.

Because of the cost, the sponsors compete with each other to promote the value of their certification over another. The problem is that there are multiple audiences for any certification and multiple reasons for creating them.

Independent (non-vendor specific) Certifications

| Certification | Organization | Goals/Definition | Prerequisites |
|---|---|---|---|
| CISSP | (ISC)2 | "The CISSP was established to certify those professionals who have attained professional expertise in the field of InfoSec." | Four years full-time InfoSec experience (or three plus a college degree) plus exam in ten topic areas plus recertification via continuing professional education requirements. |
| CIWSA: CIW Security Analyst | CIW | Certifies that IT professionals can start a security policy, recognize security threats and use firewalls, VPNs and IDSes. | Baseline certification (e.g., MCSE, CCNP, CNE, and others) plus exam. |
| Security+ | CompTIA | "Technical knowledge of foundation-level security administrators." | None. Pass tests given via Prometric. |
| CCISM: Certified Counter-Espionage and Information Security Manager | Espionage Research Institute | CCISM prepares managers to deal with "all kinds of threats to information." | Background investigation required. Courses by distance learning. |
| CCO: Certified Confidentiality Officer | Business Espionage Controls & Countermeasures Association (BECCA) | "The mission of the CCO is to protect the employer from compromise or theft of sensitive data." "The CCO is the only management level certification in the field of InfoSec." | Five modules plus tests. |
| CISA: Certified Information Systems Auditor | ISACA | Holders have measured excellence in the areas of IS auditing, control and security. | 120-question exam given annually, plus continuing professional education credit requirements. |
| CISM: Certified Information Systems Manager | ISACA | This certificate has a business-oriented focus. Holders have experience in information risk management assessment and technical security design. | 120-question exam given annually, plus continuing professional education credit requirements. |
| SSCP: Systems Security Certified Practitioner | (ISC)2 | Practitioners who hold this certificate have demonstrated knowledge of seven areas of expertise. It is designed as an intermediate certificate to be earned while gaining the experience and knowledge necessary for the CISSP. | 125-question exam, plus continuing professional education credit requirements. |
| SCNP: Security Certified Network Professional | PKI Academy | The SCNP focuses on defensive technologies such as firewalls, VPNs and IDSes. Level 2 certification adds trusted communication such as PKI, biometrics and cryptography. | One exam for level 1 and a second exam for level 2. Recertification every two years. |
| CWNA: Certified Wireless Network Administrator | Planet Three Wireless | Introductory certification for new wireless technology. | Written exam (via Prometric). |
| CWNE: Certified Wireless Security Expert | Planet Three Wireless | Highest level of the P3W program. Includes packet and protocol analysis, plus CWNI certification. | Written exam (via Prometric) plus lab and annual recertification. |
| CWNI: Certified Wireless Networking Integrator | Planet Three Wireless | Covers advanced RF technologies and the skills necessary to combine existing wired networks into newer wireless technologies. | Written exam (via Prometric) [not yet available]. |
| CWSP: Certified Wireless Security Professional | Planet Three Wireless | Measures an IT professional's knowledge of how to defend a wireless network from LAN intruders. | Written exam (via Prometric). |
| cSAGE | SAGE Certification | For junior-level system administrators seeking verifiable validation of their abilities. | One year experience (paid, student or volunteer) as a system admin over a network serving more than one station and more than one user. |
| GCFW: GIAC Firewall Analyst | SANS Institute | Certifies the ability to design, implement, maintain and troubleshoot firewalls and VPNs. | Practical assignment (research paper) plus exam plus recertification (every 4 years). |
| GCIA: GIAC Intrusion Analyst | SANS Institute | Certifies the ability to implement and administer network-based and host-based intrusion detection systems. | Practical assignment (research paper) plus exam plus recertification (every 4 years). |
| GCIH: GIAC Incident Handler | SANS Institute | Certifies the ability to understand, anticipate and defend against common hacker attacks and act as a member of a computer emergency response team. | Practical assignment (research paper) plus exam plus recertification (every 2 years). |
| GCNT: GIAC Windows Security Administrator | SANS Institute | Certifies the ability to implement, administer, maintain and troubleshoot Windows 2000 and NT systems and networks. | Practical assignment (research paper) plus exam plus recertification (every 2 years). |
| GCUX: GIAC Unix Security Administrator | SANS Institute | Certifies the ability to implement, administer, maintain and troubleshoot Unix/Linux systems and networks. | Practical assignment (research paper) plus exam plus recertification (every 2 years). |
| GSNA: GIAC Systems Network Auditor | SANS Institute | Certifies the ability to audit secure computer network installations. | Practical assignment (research paper) plus exam plus recertification (every 2 years). |
| ICSA Practitioner | TruSecure | Focuses on foundation-level knowledge and certifies that the holder has the essential knowledge to participate in enterprise security decisions. | Two years of experience or 48 hours of approved conference/seminar attendance plus exam, plus an additional 48 hours per year of continuing professional education. |

Summary

Choosing which certification to pursue isn't an easy decision. The tables that accompany this article can help. First, decide which of the three kinds of certification you want. It will probably be easiest to eliminate the training-organization-sponsored ones unless you're currently enrolled in their classes. Next, decide if you want a certification that identifies you as a specialist in a particular product or technology, or if you want one that identifies you as a generalist — one who has broad experience in a wide range of security issues. If you prefer to implement technology, see if there's a vendor-sponsored certification that matches your current skill set, or even better, the skill set you need to advance a level, then go for it. However, if you prefer to integrate multivendor solutions, then one of the vendor-neutral choices will serve you better.

The three tables that accompany this article show the leading security certifications, broken down by category. The columns give the certification name, the sponsoring organization, the certification’s goals and promises, and the requirements for getting it.