Getting Certified in Information Security

Sean-Philip
Putting together a winning combination of certifications can be a very difficult but very rewarding task to undertake. On the other hand putting together the wrong combination of certifications will do nothing for you other than cost you countless hours and money. In this article I hope to give some advice on how to put together a solid combination of certifications in one of the hottest areas today, Information Security.

In the technology field, some of the hottest and highest paying jobs are those in the area of security. Since security is one of the hot areas, a lot of individuals have set their sights on it with the hopes of cashing in and scoring the big jobs, with thoughts of little else. While wanting to advance your career is an admirable goal, getting into a field such as Information Security requires a lot more thought than this, the main thing being planning. Let's take a look at some of the things one needs to consider in order to successfully get into this field.

Before we get started let's cover the most obvious point first so I don't get crucified by the veterans in this field and address the topic of prerequisites. Before someone can successfully move into security they need to have the fundamentals and experience, namely I am referring to a strong background working with network administration, computers and the ins and outs of the various hardware, software and operational issues involved. I would recommend that those looking to pursue a career in security get at least 2 or 3 years behind them before they move on towards their goal. The reality is that you can't really get that far in security without understanding how the systems and organizations you are looking to secure work.

The next thing one needs to consider is how dedicated you are to the idea of keeping your skills current. In the technology field things change very rapidly; what was true three, six or 12 months ago might not be true today, and this pace only gets more intense and hectic in the security field. Expect, in whatever aspect of security you choose, to spend several hours each week outside of your normal work keeping up-to-date on the "What's happening" of the field. Any individual in the IT Security field will tell you that things can change quickly from day to day, necessitating your reading up on or researching what you might potentially be vulnerable to (note the paragraph above about learning the fundamentals and how they work first).

Now we get to the fun part. You have finally decided that this is the field for you and you really want to move forward. Great, let's take a look at the next step: research. A few years ago one could simply refer to themselves as the "Security" person and all was well, but nowadays this is no longer true. You cannot just say you want to get into security; you have to think about what area you want to pursue. Saying you want to go into security is like saying you want to be a Doctor without giving a thought to what you want to specialize in. I would suggest doing research on what you want to do, such as looking up jobs on dice.com, monster.com or any number of other job boards, as well as looking at other sites such as securityfocus.com to see what areas excite you.

Still with me? Let's take a look at our next step on the way to bliss.

Now we are at the point of laying our certification and training foundation by getting our basics out of the way. If you have a degree in IT and at least 2 years of experience you can move on to the next step; if not, stick around and let's get some stuff out of the way. What you need to do to get a firm foundation is get some basic certifications to validate your skills. Consider getting an MCSE or MCSA along with something from Cisco such as the CCNA. What you are doing is trying to get some certs that show you have knowledge of what you are doing and have the paper to back it up. Take a good look at whatever you have been doing in the IT field in the last few years and match your basic certs against it. For example, if you are a system admin get an MCSA; if you are a database person get an Oracle cert or MCTS.

I also want to throw something else in here, just because you have a piece of paper does not mean anything in most cases unless you can show experience as well. Expect future employers to test your skills in interesting and unique ways beyond throwing questions at you during an interview, expect them to give you practical tests on actual equipment and situations.

Next step in your journey, get your security basics out of the way by getting some foundation certs that will establish the security fundamentals for you. I would recommend getting certs such as CompTIA Security+ or, if you are feeling ambitious, ISC2's CISSP. Also consider that you should get certifications that acquaint you with the theory of security such as the CISSP and the practical side such as EC Council's CEH and ECSA. Again, what you are looking to do at this stage is to put down a solid foundation in security with the basics that everyone needs to know in the field.

Now here is where your job research comes in, if you did your homework you have a good idea of what you want to do in this exciting field. Let's take a look at some potential choices you might have:

Wireless Security Specialist

If you like working with wireless technologies and have the experience under your belt, consider getting into this field and getting Planet3's Certified Wireless Security Professional or CWSP certification. The CWSP requires a core certification called the Certified Wireless Network Professional, but getting both certifications will give you substantial knowledge of wireless concepts, technologies and security issues.

Firewall Specialist

Like firewalls? Then consider going after certifications from CheckPoint or Cisco that would give you additional knowledge and training in these areas.

Forensic Technician

Fancy yourself a CSI of the digital arena? Then consider pursuing a certification in the area of Forensic Investigation such as the Computer Hacking Forensic Investigator or CHFI from EC Council.

Penetration Tester

Interested in hacking, but not hot on the idea of going to prison? Well, penetration testing might be the road for you. For this field consider getting the CEH, ECSA and CHFI from EC Council, other certs from companies such as Cisco and Sun, and hands-on experience with technologies such as Linux and UNIX (getting intimate knowledge of applications and systems is key).

Information Systems Auditor

If you are looking to be someone who checks for policy compliance and works with companies in this capacity take a look at the ISACA Certified Information Systems Auditor certification which carries a lot of weight in this particular field.

Once you have chosen your area, got your certs and landed your dream job, congratulations, but don't pat yourself on the back for too long as there's work to be done. Get acquainted with the meetings, publications, conventions and other aspects of your field and stay on top of things.

In this article I have tried to put a path in front of you to make things as easy as I think they could be, but don't think it's the only way as other individuals will have their own ideas. My recommendation in any case is to do your homework and don't take things on faith. I have seen too many individuals get poor advice from a training center or counselor who doesn't know enough about the person's situation or goals before making recommendations, so that's why I recommend you check things out yourself and have a good idea before you see a counselor.

Until next time stay safe.

Published by Sean-Philip

I have over 15 years of experience in the IT field covering topics such as networking and security.