In Depth

Security Certifications? You're Certifiable

Are security certifications all they're cracked up to be? Here's your guide through the jungle of acronyms.

By Simone Kaplan

October 07, 2002

CSO — The security profession has a secret language. Blunt and circumspect, it has nothing to do with IP addresses or code names for hack attacks. If you speak it, employers' doors swing wide for you. If not, you're out in the cold, even if you've walked the walk for 20 years. It's the language of certification, and it looks like this:

CISSP, CBCP, CPP, CFE, CISA, GIAC, ISSA, ISACA, ISC2, SANS, CCSE, MCSE, TICSA, VCPE, RSA/CSE, CCNA, CNE, CIW, FCSS, EWSCP.

Easy to decipher? No. But in the world of security certification, such acronyms can carry the same cachet as an Ivy League education or a PhD. And, often, salary is directly proportional to the number of letters you can attach to your name or résumé.

Security is hot these days, and everyone seems to want in. Unfortunately, there are very few qualified security workers who have a lot of experience under their belt, which leaves managers scrambling to fill vacancies.

In response to all that pent-up demand for trained staff, the certification industry (those companies that administer or provide training for exams) has created a bevy of new certifications. There's so much money to be made from those seeking certification that everyone wants a piece of the action. The good news: There's a lot to choose from. The bad news: It's that much more difficult to differentiate between meaningful certifications and expensive diploma mills.

Two or three years ago, there were so few certifications that everyone knew what acronyms like MCSE and CCSE stood for, and what the exams entailed in terms of experience and knowledge. Earning a certification such as the CISSP, which was widely viewed as the most valuable and upstanding information security certification available, was seen as a measure of one's knowledge, and a validation and recognition of accomplishment in the security field. Today's proliferation of certifications, however, is less meaningful.

And navigating the certification battlefield is difficult and messy. "Some certifying bodies use the current focus on security as a way to make money," says Lew Wagner, CISSP, CPP and CISO of the University of Texas MD Anderson Cancer Center. Driving the need for certification is in the interest of those offering training and certifications.

New certifications are coming fast and furious. CompTIA recently launched the beta of Security+, a certification for entry-level security workers. In addition to offering the well-respected CPP, the American Society for Industrial Security will begin offering two new certifications in physical security and investigations next fall. And the Field Certified Professional Association is about to launch an advanced Field Certified Security Specialist certification that will debut later this year.
