IT Security Certifications?
certifiedSecurely asks: "Network security seems to be a hot topic these days, but I have seen very little on Security Certifications. Searching the web has turned up several offerings: http://www.securitycertified.net/ and http://www.isc2.org/ are two examples. I was wondering if any of the readers had any insight into the various security certifications and their respective market value and dominance, future longevity, etc."
I can vouch for the CISSP certification from (isc)2 as reinforcing this view of security. The CISSP is a significant valuator for businesses, who can be confident that candidates with this certification are literate in both technology and business considerations. This certification is exactly that: a CERTIFICATION. It is not a vendor technology program. It can be likened to a CPA designation for auditors and accountants.
The GIAC certifications from SANS are an excellent instruction in the working mechanisms of security technology. The curricula and basis for certification by SANS are under continuous revision and are the most current in the industry.
The fact is that the CISSP is currently highly valued by employers as a valid assessment of domain awareness, best-practice assessment and professionalism. To combine this with specific GIAC tracks is a good way to identify formidable security personnel.
CISSP candidacy requires 3-5 years of work experience in one of the 10 domains identified. Additionally, (isc)2 will require a BS in an associated major, beginning in 2003. Studying for this is no piece of cake!
Some resources:
http://www.cissp.com/default.html
CISSP Library of Free Study References
The CISSP Open Study Guide
"Flyin' in just a sweet place,
Never been known to fail..."
There are basically four security certifications that merit mention when someone asks about it.
CISSP - Focuses on policy and practice. The most recognized out of the certifications (meaning people have heard of it. No comment on quality). Sponsored by ISC2 (www.isc2.org).
CISA - Certification for IT auditors. Accountants are probably the primary audience, but anyone can take it. Probably the second most recognized. Sponsored by ISACA (www.isaca.org/cert1.htm).
GIAC - The new kid on the block. Balances policy and technical knowledge. Third most recognized. Sponsored by SANS (www.giac.org).
SSCP - ISC2's more "technical" oriented certification. Few people have heard of this yet. Sponsored by ISC2 (www.isc2.org).
*Hard dose of truth follows*
Knowledge is only useful if a person can apply it. In cognitive theory there is the concept of "transfer". This is the ability of a person to apply knowledge gained to real-world situations. Cognitive theorists would argue that without transfer you haven't really learned anything. *None* of these exams test for anything more than your ability to memorize large amounts of data. To that end, you will find many people with security certifications who have absolutely no ability to solve simple real-world, security-oriented business problems. Do not mistake certification for experience and the ability to solve problems.
*Cynical reality follows*
At this moment in time, the CISSP has the most value in the job market, and arguably in the industry. This is because it is the most recognized certification. It is also the certification that is easiest to gain through rote memorization. One of life's great catch-22s.
I won't comment as to which is the "best" as this is highly subjective. Do your homework. Figure out which one has the buzz in your specific area of knowledge/expertise and memorize on!
-Laudon