The Security Certification Quagmire
Security is a booming business. People who never gave it a second thought are suddenly scrambling to make sure that they can say that they’ve secured their systems. Even in a very tight time for IT budgets, security-related expenses are getting approved. With so much attention on security projects, managers are demanding that the people they hire or contract to design and install security perimeters know exactly what they’re doing. To satisfy that demand, more than two dozen security certifications have been developed.
They fall into three categories:
Vendor product-based certifications
Training organization-sponsored certifications
Independent (also known as “vendor-neutral”) certifications
With so many certifications in play, security practitioners have a difficult time deciding which to obtain. One thing that remains uniform is that certification is now essential. When a prospective employer asks, "Why don’t you have any certifications?" the interview is over. Having a certification that the interviewer is unfamiliar with isn’t all bad; a good candidate can use that to explain his or her background in terms of the certificate's requirements. Of course, having a certification that the interviewer already respects is especially useful.
None of the certifications are free. Some require expensive training programs, others require one or more tests, and a few require hands-on demonstration of skills (called "labs"). The sponsors of each certification have different motives for creating and promoting them.
Vendors are of two minds. They create certifications so they can promise potential buyers that there are a large number of people (potential employees and contractors) who have expertise in the product, thus making the product a safer purchase than one from a competitor who cannot deliver pre-trained people. As a rule, these vendors make their certification process only as difficult as it needs to be in order to make it legitimate. In some cases, the vendors will create introductory (relatively easy to get) and advanced (much harder to acquire) certifications. Cisco Systems is a case in point. The introductory certifications, CCNA® and CCDA®, can be earned with one exam each. There are intermediate certifications such as Cisco’s CCSP™. At the other extreme, the most advanced vendor certification is Cisco’s CCIE® Security; it has a lab requirement and is one of the hardest and most respected of all certifications.
Practitioners acquire these certifications in direct proportion to product sales. Having demonstrated expertise in a product that has no market share is pointless.
Vendor Specific Certifications
|Certification|Sponsor|Description|Requirements|
|---|---|---|---|
|ACSCD: Avaya Certified Specialist in Computer Design|Avaya Inc.|Recognizes the technical skills to design voice and data applications.|Exam plus recertification every two years.|
|ACSCI: Avaya Certified Specialist in Computer Implementation|Avaya Inc.|Recognizes the technical skills to implement voice and data applications.|Exam plus recertification every two years.|
|CCSE: Check Point Certified Professional|Check Point|Certifies that an individual is prepared to deploy and properly configure Check Point firewall and VPN products.|Exam plus recertification when new product versions are released.|
|CCSP: Cisco Certified Security Professional|Cisco Systems|Certifies that the holder has expertise in designing and implementing Cisco secure networks.|CCNA plus five subject area exams and recertification every three years.|
|CCIE-Security|Cisco Systems|CCIE Security represents the industry's most comprehensive and rigorous security-related certification from any vendor. Candidates must demonstrate a high level of expertise by physically configuring a secure enterprise network under timed, stressful conditions.|Exam, lab, recertification. Lab scenarios involve a variety of products and technologies including firewalls, intrusion detection, authentication servers, routers and switches.|
|LCTE: Lucent Certified Technical Expert|Lucent Technologies|Certifies that the holder understands both the underlying security technologies such as firewalls and VPNs and the Lucent products used to implement them.|Exam and lab.|
|RSA/CSE: RSA company Certified Systems Engineer|RSA Security|Designed for security professionals who need to demonstrate their knowledge and skill in maintaining security systems that use RSA security products.|Exam plus recertification upon major new product release.|
|Protocol Analyst Specialist|Wildpackets|Certifies a high level of expertise in interpretation of protocol analysis trace files and performance statistics.|Exam, including live analysis of a packet trace.|