December 20, 2004 12:00 AM

Evaluating Security Certifications

Choose one that's right for you
Windows IT Pro
InstantDoc ID #44650

Desirable Certifications
The traditional gold standard among information security professionals is the CISSP from (ISC)2. The CISSP is vendor neutral and targets 10 areas within the security common body of knowledge (CBK), ranging from cryptography to law, investigation, and ethics. The certification exam has 250 multiple-choice questions, and candidates have as many as 6 hours to complete it. Plenty of study aids exist online and for sale as book and CD-ROM combinations, and (ISC)2 and many training companies offer CISSP exam preparation classes. If you join the Information Systems Security Association (ISSA), an organization closely related to (ISC)2, you can participate in yearly study groups led by a CISSP. The CISSP requires 4 years of direct full-time security professional work experience in one or more of the exam's test domains.

The CISSP covers a broad subject area, and some of its domains are areas that a more technical IT security pro might never touch. Or, perhaps you haven't worked for 4 years as a full-time security professional. In those cases, an alternative certification to the CISSP is (ISC)2's SSCP, which targets more hands-on, practical areas of information security. The SSCP exam contains half the number of questions that the CISSP exam does and requires only 1 year of cumulative work experience in one or more of seven test domains. However, don't assume that the SSCP is just a subset of the CISSP. The SSCP goes into more detail in certain areas than the CISSP does. The SSCP is a good place to start if you already have some experience and a good understanding of information security at the technical level, and don't want to spend a lot of time preparing for the CISSP exam's 10 domains.

A security certification that's well suited for IT professionals who are fairly new to the information security field is the Security+ certification from the nonprofit Computing Technology Industry Association (CompTIA). The Security+ targets individuals with at least 2 years of on-the-job networking experience. Although such experience is recommended, CompTIA doesn't require it for certification. The Security+ exam is timed for a total of 90 minutes, contains 100 questions, and covers five networking security objectives. The certification is a respected, solid first-step certification for a career in information security.

If you want a certification that focuses on network security, check out Security Certified Program's (SCP's) Security Certified Network Professional (SCNP) and Security Certified Network Architect (SCNA) certifications. Each certification requires you to pass two exams. Although SCP is a for-profit organization, it doesn't require candidates to take training for its certification exams, nor does it charge candidates who forgo training extra to take the exams. The SCNP covers subject areas such as router ACL, TCP/IP packet structure, signature analysis, VPN, IDS, and firewall. The SCNP certification requires the Security+ or equivalent experience as a prerequisite. The SCNA requires SCNP certification as a prerequisite and covers enterprise security subjects, including law, forensics, biometrics, PKI, and cryptography.

Considering wireless networking's meteoric rise in popularity and the challenges involved in securing it, you might be interested in the CWSP certification from Planet3 Wireless. Although it's a for-profit training company, Planet3 Wireless has done a good job with the CWSP of crafting a certification that represents an important area of expertise. The CWSP requires that you hold Planet3 Wireless's Certified Wireless Network Administrator (CWNA) certification. However, although Planet3 Wireless offers training for the CWSP and CWNA that amounts to approximately $2500, the company doesn't require candidates to take the training before sitting for the exams, and both exams together cost a total of $350 whether you take the training or not. Each certification exam contains 60 questions and allows 60 minutes to take the exam. Each certification is valid for 3 years and targets wireless LAN (WLAN) intrusion, security policy, and solutions.

Go for It
If you're serious about becoming certified, measure the costs and set a realistic goal. As a holder of certifications, I can state without hesitation that experience will help you prepare for any certification exam and greatly reduces the investment you must make in study time and training expenses. Make sure you know how much the certification might cost after you account for training, self-study materials, practice exam tools, exam fees, and any traveling to training sessions or to take the exam. When you select a certification, plan ahead. At minimum, you'll need enough time to prepare for the exam. And bear in mind that some certification exams are held only once a year. Before you start studying for an exam, it's helpful to take a practice exam to identify the objectives or subject areas that need most of your attention. (Some exams assign more or less of your overall score to various subject areas within the exam. If you need to brush up on two areas, but one counts for 30 percent of the overall score and the other counts only for 15 percent, you know where to spend more of your study time.) Whatever certification you settle on, you can't help but be enriched by the experience of setting and achieving a worthwhile goal. Good luck!
