I’ve long been hostile to certifications — I’ve met too many bad security professionals with certifications and know many excellent security professionals without certifications. But, I’ve come to believe that, while certifications aren’t perfect, they’re a decent way for a security professional to learn some of the things he’s going to know, and a potential employer to assess whether a job candidate has the security expertise he’s going to need to know.

Many readers might come of the article wonder if obtaining a certification is really all that important. Ultimately, it boils down to your goals and aspirations. While it certainly can not hurt to have a certification, if the job you are seeking does not require certifications then it might be pointless. Although, every little edge counts, therefore I can only see having a certification as a good thing.

At the very least, it shows initiative and interest. How bad is that?

If you are new to information security, and have little to no experience, then you probably should study the Security+ materials. Ultimately, taking the exam will show that you have an understanding of basic information security principles and practices.

Most anyone else should really head towards the CISSP direction. It is the premier security certification to hold right now, no matter what some folks may say. It is especially important to have if you are planning to work for the U.S. Government in an information security capacity.

Once you have knocked out the CISSP, then you should look towards the GSEC or the CISA. If you are a techno-geek, then the GSEC is all yours. However, if you are in management, or interesting in sliding in to that arena, then the CISA is the way to go. This, along with the CISSP, is the certification to have, mainly because of the lack of truly qualified information security managers available today.

Like I said, holding a certification surely will not hinder. All it will do is help. However, it is up to you to evaluate the worthiness of spending the time and money on studying and taking the tests.

Good luck!

The first notable change is that there are now four exams instead of two. One of the four, called CompTIA A+ Essentials, is required and there is no way to become certified without it. In addition to it, candidates must pass another exam — an elective — but this time there are three to choose from and they are named after their exam numbers: 220-602, 220-603, and 220-604. The first exam, 220-602, is really a mirror of the Essentials exam with the same topic categories (called domains) and just a few deviations here and there. The other two exams (220-603 and 220-604) resemble subsets of the 220-602 exam.

It is good to see that CompTIA finally added multiple electives. This should help to create a more diverse skill set for those with the certification, rather than essentially forcing individuals to learn Microsoft products in order to pass the exams. Overall, this is a smart move.