December 30, 2010 - Upasana Gupta, Contributing Editor
Not having an IT security certification doesn't disqualify you from getting that next job or promotion, but it could help.
"A certification today is like a college degree," says Grad Summers, Americas leader for information security program management services at Ernst & Young. "You may not hire a candidate just because they have one, but it is something that you come to expect in this field."
As you mull whether or not to get that certification, we've compiled the top five security certifications for 2011. Here's our list, which we based by scanning job boards and interviewing IT security recruiters and employers:
* Vendor Certifications
* CISSP: Certified Information Systems Security Professional
* CEH: Certified Ethical Hacker
* CISM: Certified Information Security Manager
* GIAC: Global Information Assurance Certification
A growing need for hands-on network engineers, along with social computing and Web 2.0 technology, has propelled network security even further. Vendor certifications including Cisco's Certified Network Associate Certification (CCNA), Microsoft's Certified Systems Engineer (MCSE) with focus on security and Check Point's Certified Security Expert (CCSE) top the list as organizations within banking, government and healthcare that look to fill open positions including network, system administrators and architects. "We look for completion of these certificates in potential network security candidates," Summers says. "As having those on their resume says a lot about someone's depth of knowledge."
The popularity of the Certified Information Systems Security Professional is high within the IT security community as it provides the basis of security knowledge. "We feel safe hiring candidates carrying this validation," says Ellis Belvins, division director at Robert Half International, a professional staffing consultancy, adding that the certification demonstrates the security professionals' high proficiency, commitment and deeper understanding of security concepts, principles and methodologies.
CISSP is viewed as the baseline standard for information security professions in government and industry. Companies are beginning to require CISSP certification for their technical, mid-management and senior management IT security positions. This certification is offered through (ISC) 2, the not-for-profit consortium that offers IT security certifications and training.
Certified Ethical Hacker is gaining popularity as organizations focus in securing their IT infrastructure and networks from internal and external attacks. CEH is offered by EC-Council and its goal is to certify security practitioners in the methodology of ethical hacking. This vendor-neutral certification covers the standards and language involved in exploiting system vulnerabilities, weaknesses and countermeasures. CEH basically shows candidates how the attacks are actually done. It also attempts to define the legal role of ethical hacking in enterprise organizations.
Some employers aggressively look to hire candidates with CEH validation for hands on security operations and intelligence activities. "In 2011, we see the need for very specific skill sets which can be obtained through training and certifications such as the CEH," says Vernon Ross, director of learning and organizational capability at Lockheed Martin Information Systems and Global Solutions.
Certified Information Security Manager is significantly in demand as the profession focuses on the business side of security. CISM offered by ISACA addresses the connection between business needs and IT security by focusing on risk management and security organizational issues. "ISACA's CISM are a few that are on our radar for 2011," Summers says.
CISM is ideal for IT security professionals looking to grow and build their career into mid-level and senior management positions. In fact, the CISM earned a place on the list of highest paying IT security certification by the 2010 IT Skills and Certifications Pay Index from independent research firm Foote Partners.
The demand is rising for Global Information Assurance Certification in specific disciplines such as digital forensics, intrusion detection, incident handling, security operations and application software security.
Employers and recruiters increasingly find GIAC credential as a requirement for hands-on technical positions. "GIAC's focus on open source tools and its aggressive in-depth training is very useful," says Daryl Pfeil, CEO of Digital Forensics Solutions, a computer security and digital forensics firm. She finds GIAC certified candidates highly skilled and proficient to handle the dynamic demands of real world job environment.
Other IT security certifications gaining importance include Certified Business Continuity Professional (CBCP), Cloud Security Alliance's new Certificate of Cloud Security Knowledge (CCSK) and CyberSecurity Forensic Analyst (CSFA).
"There is no replacement for real-world experience, Summers says. "However, certifications are important and have become de facto minimum criteria when screening resumes."