Certifications could secure your future

Jun 02, 2003 (4 mins)
Data Center

* Security certification holders are in great demand

I recently wrote a column for the print version of Network World asserting that IT technical certifications still hold value (see link below).  Many readers wrote to me, asking which certifications are the most valuable today.  Value, like beauty, is in the eye of the beholder. 

The value of a certification is defined by the demand created for it by employers and clients.  Given the fast pace of change in the IT industry, demand for certain certifications shifts swiftly.  So how do you know which certifications to pursue?  Follow the money trail.  That is, analyze what CIOs are spending their money on now and over the next few years and you’ll begin to see which certifications employers will demand.

In today’s environment, the big money is going toward improving enterprise security.  According to a recent spending survey by “CIO” magazine, even while budgets for other aspects of IT are being cut to the bone, many CIOs are increasing their spending on security.  Not all of the money is going toward technology; some of it is aimed at improving policies and people.  Reading between the lines, I’d say that security certifications are growing in importance.

Perhaps one of the best-known certifications for security pros is the CISSP, or Certified Information System Security Professional.  This certification is issued by the International Information Systems Security Certification Consortium, known as (ISC)2.

The CISSP Certification recognizes the mastery of an international standard for information security and understanding of a Common Body of Knowledge (CBK), which includes:

* Access Control Systems & Methodology.

* Applications & Systems Development.

* Business Continuity Planning.

* Cryptography.

* Law, Investigation & Ethics.

* Operations Security.

* Physical Security.

* Security Architecture & Models.

* Security Management Practices.

* Telecommunications, Network & Internet Security.

CISSP is considered the premier international credential for establishing that a candidate possesses the necessary knowledge, skills and abilities for competent practice of information security with at least four years' professional experience. At the end of December 2002, only 13,397 people worldwide held the CISSP certification.  Compare that to the hundreds of thousands of people who hold operating system or hardware-specific certifications, and you can see why these certified professionals are in such high demand.

A second certification offered by (ISC)2 is called System Security Certified Practitioner, or SSCP.  SSCP Certification was designed to recognize an international standard for practitioners of information security and understanding of a CBK. It focuses on practices, roles and responsibilities as defined by experts from major IS industries.  The seven areas of the CBK include:

* Access Controls.

* Administration.

* Audit and Monitoring.

* Risk, Response and Recovery.

* Cryptography.

* Data Communications.

* Malicious Code/Malware.

If you’re looking for a good foundation certification in security, have a look at CompTIA’s Security+ certification.  Less stringent than the certifications offered by (ISC)2, CompTIA’s Security+ verifies a candidate’s knowledge and skills in the following areas:

* General security concepts.

* Communication security.

* Infrastructure security.

* Basics of cryptography.

* Operational/organizational security.

Another option for a security certification is offered by the SANS Institute.  This organization founded the Global Information Assurance Certification (GIAC) in 1999 to meet the demand for security professionals who possess a standard set of knowledge and skills in the security realm.  GIAC certifications address a range of skill sets including entry-level Information Security Officer and broad-based Security Essentials, as well as advanced subject areas like:

* Audit.

* Intrusion Detection.

* Incident Handling.

* Firewalls and Perimeter Protection.

* Forensics.

* Hacker Techniques.

* Windows and Unix Operating System Security.

As with most IT certifications, the applicant must demonstrate his or her knowledge and skills by taking one or more proctored tests.  Training is not specifically required, although it helps. 

I’ve listed several choices for security certifications, and there are many more.  Some are vendor-neutral, and others focus on a particular vendor’s solutions or products.  So how can you tell which of these certifications are most valuable?  Take a look at job postings for security professionals and see what the employers are looking for. 

No matter which security certification you choose to pursue, having such a certification will increase your market value and open more doors for you.  Security professionals are in big demand today, and there’s no letup in the foreseeable future.

Linda Musthaler is vice president of Currid & Company.  You can write to her at