Information Security Certifications

Renowned security expert Bruce Schneier has written an eloquent article on security certifications. It is a compelling read that is quite provocative. It makes for a good alternative view on certifications, which means that it does not toe the party line. Ultimately, it boils down to the person doing the hiring, the person looking for a job and the skill requirements for the position itself. There is no formula set in stone, therefore it is up to each person to decide for themselves whether certifications are worthwhile or not.

I’ve long been hostile to certifications — I’ve met too many bad security professionals with certifications and know many excellent security professionals without certifications. But, I’ve come to believe that, while certifications aren’t perfect, they’re a decent way for a security professional to learn some of the things he’s going to know, and a potential employer to assess whether a job candidate has the security expertise he’s going to need to know.

Many readers might come away from the article wondering whether obtaining a certification is really all that important. Ultimately, it boils down to your goals and aspirations. While it certainly cannot hurt to have a certification, if the job you are seeking does not require certifications then it might be pointless. Still, every little edge counts, so I can only see having a certification as a good thing.

At the very least, it shows initiative and interest. How bad is that?

If you are new to information security, and have little to no experience, then you probably should study the Security+ materials. Ultimately, taking the exam will show that you have an understanding of basic information security principles and practices.

Most anyone else should really head towards the CISSP direction. It is the premier security certification to hold right now, no matter what some folks may say. It is especially important to have if you are planning to work for the U.S. Government in an information security capacity.

Once you have knocked out the CISSP, then you should look towards the GSEC or the CISA. If you are a techno-geek, then the GSEC is all yours. However, if you are in management, or interested in sliding into that arena, then the CISA is the way to go. This, along with the CISSP, is the certification to have, mainly because of the lack of truly qualified information security managers available today.

Like I said, holding a certification surely will not hinder. All it will do is help. However, it is up to you to evaluate the worthiness of spending the time and money on studying and taking the tests.

Good luck!
