I was just wondering what certs you keep current for your job? Or perhaps you are getting new certifications to make yourself more competitive and marketable as a job candidate? Below are some of mine.

Microsoft Certified Systems Engineer (MCSE) http://www.microsoft.com/LEARNING/MCP/MCSE/
Certified Information Systems Security Professional (CISSP) http://www.isc2.org/
SysAdmin, Audit, Network, Security (SANS Institute) http://www.sans.org/
Global Information Assurance Certification (GIAC) http://www.giac.org/
GIAC Systems and Network Auditor (GSNA) http://www.giac.org/certifications/audit/gsna.php

The only other things I do are vendor-specific, so I don't know how much those count unless I am asked to do something at another company that uses the exact version and hardware. There are also self-tests like the ones from brainbench.com and the custom tests administered to you by the hiring agencies. Which ones do you have? And what do you recommend studying for in 2009 that are actually worth something? Thanks for your input.
I don't actually hold any certificates or qualifications. I did about half of my Computer Science degree (but I didn't get up to the Data Security subject), but I decided to get some experience in the industry before returning to finish it. It's 6 years later and I still haven't gone back. In 2007 I did a Sun course on security called Personalizing Security on the Solaris 10 Operating System (SC-301-S10), after which I got a certificate to say that I had completed it, but I didn't do the associated exam, which means I am not actually certified. In most places I work or interview at I am (or would be) "The security guy". As such, I doubt that anyone interviewing me for a job has the knowledge to separate one certificate from another. For a company that uses Solaris, this certificate is pretty much as good as the one you get after the exam and probably better than any of the ones you mentioned. Banks use Solaris a lot and tend to care about security. In fact, the only other two guys on that course were both from the same bank. I have heard good things about the RedHat security course. Of course, both the Sun and RedHat courses are based on open source software that anyone can install anywhere, so they are useful even if you don't use RedHat or Solaris. If you already have a bunch of generic security certs, I guess going for specific ones would be the next step. Try to guess what will be in demand a year from now or just go for something you enjoy. Secure Java coding is not everyone's cup of tea, but if that's what floats your boat then go for it.
"None" is a bit of an exaggeration. Two of them (CISSP and SANS) are among the most well known security certificates available. The word "security" is even in the title of both. If I had to pick one security certificate that is most likely to be known by managers or HR drones then the CISSP would be it. I can't argue about the MCSE, however most HR drones and managers recognise the acronym and hence it might just make the difference between getting an interview and not getting one. One thing I have learned about interviews is that you must match the job and your CV and your expectations all to each other. If you go for a junior sysadmin position and ask for a manager's wage, you won't get it. If you go into a senior sysadmin interview without the required job experience then you won't get it either. The most frustrating one is when you have 10 certificates on your CV and they pass you over because you are "too qualified". Back on certificates again, a mate of mine has his CCNP (which is vendor specific) and it affords him the luxury of knowing that his job is pretty secure. CCNAs are fairly common but CCNPs aren't. He can request large pay rises and rock up late to work, secure in the knowledge that any company that uses Cisco equipment would jump at the chance to employ him.
I was just putting that out there (the MCSE) to show it was part of my background. But there are individual exams from Microsoft that are specific to security. Just curious to know how popular those individual exams are instead of the full blown MCSE or MCSA, especially moving forward with Windows 2003 and Windows 7. In my opinion, it began to make sense in recent years to seek other certs outside of Microsoft, to cover different operating systems (AIX, Linux, HP-UX), and network hardware (Cisco, Checkpoint, Nokia).
This is an interesting topic. I hold several degrees and several certifications. But what I have found over the years is that, when it comes down to it, it doesn't matter what degrees you have and what certifications you have. A lot of the time it doesn't mean jack squat. Some of the best security people you'll find have had no formal training and hold no certifications. Why? Most likely because they have learned by trial and error and are keeping up on technology as it grows. I would never hire someone based off their training or certifications. They would get a hands-on test developed by me personally. I've seen some people with computer science degrees with multiple certifications that still didn't really know what they are doing. It's all a matter of memory retention and doing the work hands-on.
Good input zeromaster. On the one hand I have discovered through the interview process that job candidates with certifications should indicate a minimum level of knowledge and proficiency, but sometimes that is not always the case. During interviews I try to break it down to a practical level instead of theory, and probe to see what critical thinking skills are being applied (if any exist). On the other hand, I have served a lot of time in technical support roles since about 1999, and after adding a few certifications, I came to realize it really does have to do with customer confidence. Sometimes in order to make progress, the customer has to believe in you first. They need to follow what you are telling them to solve their problem. In a small way, the certs help to inform the customer quickly that you are prepared to address their issue, and it starts the troubleshooting process off with a boost in confidence the customer has for you. For me, this subtle change has meant the difference between trouble tickets that linger on indefinitely, and those other tickets I can close within the hour.
This has been a good one for me. The exam was several hours long and cost about $450, but you can get reimbursed by your employer if you pass the exam. The cert lasts for three years, and the renewals don't involve the exam; they involve continuing education credits earned from security seminars, workshops, reading books, writing articles, training and presentations, and other things. I'm also looking into the Certified Information Systems Auditor (CISA) available from the Information Systems Audit and Control Association (ISACA). I am involved in a lot of auditing and vulnerability assessment duties at work with Internet Scanner, Qualys, nmap, Nessus, and other tools, so I think the CISA will complement the GSNA I already have from SANS. Are there any other certs that people can recommend or have experience with, related to vuln assessment? Just trying to get a feel for what others are doing in this area. Thanks.