There are a lot of security certifications available, ranging from entry level to advanced and from very general to focused on specific areas of security. Some security certifications include a focus on hands-on skills whereas others entirely dismiss them. Picking the top three is bound to be controversial, and certainly (polite) feedback on my choices of the top three security certifications is invited.
Although security certifications can force one to learn valuable skills and acquire useful knowledge, I see this as a byproduct of the certification process. Yes, I’ll gladly agree that these skills and knowledge are important, very often much more so than the actual "cert" itself, but I didn't consider the actual body of knowledge that certs required learning as one of the criteria to pick the top three. I reasoned that if the body of knowledge were totally useless for any of the certifications, then the criteria I used wouldn't be satisfied. Call me an optimist!
I used the following criteria to pick the top three information security certifications:
Note that this is not an ordered list of certifications: I make no attempt to claim one is better than the other. In fact, which certification, if any, is most valuable will vary from individual to individual.
The CISSP certification is the granddaddy, the oldest security certification, and the best known. There are over 60,000 CISSPs as of late 2008.
The CISSP exam covers a wide array of topics, many not traditionally associated with information security. There is no attempt to be remotely cutting edge, nor is there any hands-on type information. The test is a bear, and no one enjoys taking it!
The SANS GIAC GSEC certification is a very popular certification comparable in difficulty to the CISSP. Unlike the CISSP, it emphasizes skills that are immediately useful in the workplace, including hands-on skills.
The Security+ certification is an entry-level security certification. Numerically it's extremely popular, with 50,000 certified professionals as of late 2008; however, as it's entry level and much easier than CISSP or GSEC, it is not nearly as well regarded.
I have all three security certifications. It's rare that anyone considering hiring me cares, but that's in large part because I've been in the security field a long time. All three certs have value.
I occasionally teach classes to help people prepare for all three certifications, and I may sometimes be happily on the payroll of one or more of the companies mentioned above. For the full story, visit your favorite search engine.
I'm a consultant, I'm for hire, so yes, I am not entirely impartial and don't pretend to be. However, I try to present the information in a clear and concise way, the good, the bad, and the annoying too.
Ted Demopoulos, IDNNFIMNILE (I Don't Need No Friggin’ Initials My Name Is Long Enough)