Security+ archives - IT Career JumpStart


Dec 5 2008   4:32PM GMT

Need a guide to infosec certs? Check out this (our) survey!



Posted by: Ed Tittel
Security, IT careers, CISSP, Security+, CISA, SSCP, IT certification, Career planning, GSEC, SCNP, GSLC, GISF

One continuing bright spot in the IT specialization/employment world is information security. More and more companies and organizations are devoting personnel to this area, and more and more IT professionals are finding it worthwhile to obtain or demonstrate expertise in information security subjects, tools, and technologies. But with hundreds of options to choose from, what’s a savvy IT person to do when it comes to narrowing her or his selections? Why, consult our survey at SearchSecurity.com, of course!

Every year, my partner in grime, Kim Lindros, and I compile a survey of all the certification programs we can find in the area of information security. It’s called the “SearchSecurity.com guide to information security certifications” and covers 71 vendor-neutral and 36 vendor-specific credentials. It also includes analyses of these various offerings, and identifies the most popular and/or useful credentials across the various categories used to break the surveys up into manageable chunks.

Putting this survey together each year is a big job, and requires an enormous amount of checking (for existing certs, which come and go with amazing frequency) and surfing (to find new infosec certs, which pop up like mushrooms after the rain). As you look this material over, please e-mail me [mailto:etittel at techtarget dot com] or post here if you can point me at any credentials we’ve somehow managed to miss. There are so many of them, I’m sure we missed at least one or two. We’ll be updating this survey again in Q109 so I hope to hear from you on this score sooner, rather than later.

Thanks a bunch in advance for your help and support with this project. Those pondering infosec certs will also surely find it useful (our lowest reader ranking for any of this survey’s many parts is 4.68 out of 5.00, so I know we must be doing OK).

–Ed–

Sep 26 2008   4:37PM GMT

The Other CompTIA Certifications



Posted by: Ed Tittel
IT careers, Network+, A+, Linux+, Security+, Server+, IT certification, Career planning, CDIA+, Convergence+, CTT+, DHTI+, e-Biz+, PDI+, Project+, RFID+

OK, so everybody knows about the Big Three certs from CompTIA: A+, Network+, and Security+. A+ and Network+ are more or less checkbox items for aspiring entry-level IT, help desk, and tech support workers. Security+ is fast becoming a stepping stone to other, more senior, well-recognized and -rewarded information security certs as well (see our SearchSecurity.com guide to information security certifications for more information on this topic).

All this said, CompTIA offers a total of 13 certifications. What about the other 10? Here’s a list with information and commentary to help introduce them to those who haven’t come across them before, and to refamiliarize those who may have heard of them before:

CompTIA CDIA+ Certification: The CDIA+ was CompTIA’s first-ever certification and has been around for more than 10 years. It targets a very specific niche market for digitizing, storing, and managing documents in digital form rather than paper form. It’s intended to demonstrate expertise in technologies and best practices involved in planning, designing, and specifying document imaging and management systems. Here again, this remains a narrowly-focused and relatively small market segment.

CompTIA Convergence+ Certification: Responding to industry requests for more skills and knowledge about communications technologies, which are said to reside where data communications, telephony and telecommunications, and video and broadcast multimedia technologies combine into a single IP-based delivery system, Convergence+ seeks to demonstrate basic skills and knowledge across all these areas. CompTIA faces stiff competition from the Telecommunications Industry Association’s (TIA’s) Convergence Technologies Professional (CTP) and Certified in Convergent Network Technologies (CCNT) certifications here, and has not been as widely adopted or recognized in the marketplace, either.

CompTIA CTT+ Certification: The Certified Technical Trainer, or CTT credential, predates its acquisition by CompTIA. It’s a vendor-neutral classroom training cert that is accepted as evidence of sufficient training skills in many vendor-specific training programs in lieu of their own in-house credentials (where available). Obtaining a CTT+ certification requires candidates to demonstrate their preparation, presentation, communication, and facilitation skills, and to submit a videotape for evaluation of classroom skills and behavior. It’s probably the best-known, most valuable, and most widely sought-after of all the “other” CompTIA certs.

CompTIA DHTI+ Certification: DHTI stands for Digital Home Technologies Integrator, and covers a grab-bag of digital home technologies including alarm systems, control systems, entertainment systems, communications, networking, and more. The successor to the short-lived Home Technologies Integrator (HTI+) certification, the DHTI+ continues to face issues with breadth and depth of coverage in a collection of technology areas that are changing so rapidly as to defy codification and currency in coverage. Nevertheless, the DHTI+ certification seeks to demonstrate competence in configuring, integrating, maintaining, troubleshooting, and comprehending basic design concepts for electronic and digital home systems. Here again, this is a narrowly focused niche for high-end equipment vendors, installation companies, home builders, and so forth, that has yet to gain significant traction outside those organizations where hiring qualified technicians can be a real challenge.

CompTIA e-Biz+ Certification: E-business (or E-biz) is an area of technical activity that involves conducting business online. It’s kind of a combination of Web technology and e-commerce; e-Biz+ is no longer available worldwide (it’s only available in Korean and Japanese languages). This is a credential whose time has largely come and gone.

CompTIA Linux+ Certification: Linux certifications are many, and their coverage is often scattered, where focus on actual distributions may be tightly focused or all over the place. Linux+ is vendor-neutral, and focuses on open source and Linux basics, including fundamentals of user administration, file permissions and access controls, and setup and software configuration, plus local storage and network management. Linux+ has not really been widely adopted and faces stiff competition from the longer-lived, multi-tiered, and more wide-ranging Linux Professional Institute credentials (LPIC levels 1 through 3), as well as well-recognized vendor Linux certs from Red Hat, Novell/Suse, and others.

CompTIA PDI+ Certification: The PDI+ certification takes printing and document imaging devices as its focus, and seeks to demonstrate knowledge and skills necessary to support and operate high-end printing and document imaging devices. Topics covered include print and scan processes and components, basic electromechanical tools, and color theory, along with soft skills such as customer service and professionalism, safety, and environmental sensitivity. This is another niche cert that aims to supply printing and imaging service providers with qualified technical staff.

CompTIA Project+ Certification: Project+ might be described as a set of “training wheels” for the Project Management Institute’s (PMI’s) Project Management Professional (PMP) certification. That is, Project+ focuses on fundamental project management skills including the whole project life cycle starting with initiation and planning, all the way through execution, acceptance, support and closure. The PMP remains “the” certification for project management professionals, while Project+ is a stepping-stone to that goal at best.

CompTIA RFID+ Certification: RFID stands for Radio Frequency Identifier, a special kind of hardware device that announces itself to inquiring transponders and provides other data as well. The RFID+ seeks to demonstrate knowledge and skills in the areas of installation, maintenance, repair, and upkeep of hardware and software functionality of RFID products. This credential is designed with a very specific audience in mind, and is relevant for those seeking work with RFID technologies. But it’s still a fairly small niche.

CompTIA Server+ Certification: Server+ was designed as a higher-level credential, which makes sense given its focus on technical competencies surrounding network server issues and technologies. Coverage includes installation, configuration, upgrading, maintenance, and environment, plus troubleshooting and disaster recovery. Server+ is accepted in some vendor-specific programs, but at most it takes the place of a single exam in programs that require passing four or more exams to earn vendor certification.

As you look over these certs, it’s wise to consider where CompTIA gets its name and mission: at its heart it’s an industry association whose mandate is to identify areas of technical competency where industry needs workers and to design certifications based on job requirements to match. For some of these credentials, there’s a happy fit between what IT professionals want and need to learn and what industry is looking for. For others, exposure, interest, and experience in specific industry niches drive the certs, and must therefore drive professionals into seeking the related certs as well.


Sep 22 2008   4:14PM GMT

To CompTIA, or Not?



Posted by: Ed Tittel
IT careers, Network+, A+, Security+, IT certification, Work background

Many of the questions I get from readers and IT professionals might best be summarized as “If I earn the following cert(s), will it help my career?” More than half the time, in fact, one or more of the specific IT certifications mentioned in the query comes from the Computing Technology Industry Association or CompTIA. To be even more specific, A+ is mentioned most frequently, with Network+ close behind, and Security+ in third place by the numbers.

Thus, I’d like to address the issue of what kinds of value these and other CompTIA certifications can provide, and what kinds of people are most likely to benefit from their pursuit and attainment. Both A+ and Network+ focus solidly on entry-level personnel, or as CompTIA likes to put it “individuals embarking on a career in technology.” A+ seeks to identify PC technicians with at least 6 months of experience or its functional equivalent, where Network+ ups that ante by three months and recommends its pursuers to earn the A+ as a stepping stone to this credential.

By design, both A+ and Network+ serve as stepping stones to other, more advanced CompTIA certifications, and to some extent, they’re also referenced or recognized in other vendor-specific and -neutral certification programs. But the fact remains that these credentials work best to identify those inexperienced or new-to-the-industry workers who have sufficient interest in and motivation to demonstrate some basic PC (A+) and networking (Network+) knowledge and proficiency.

By themselves, neither or both of these credentials is probably enough to land somebody a job in IT, however. Even an associate’s degree remains worth more to most organizations hiring entry-level workers, or those switching from other fields to IT. Thus, while I can (and do) recommend A+ and Network+ to aspiring IT workers in PC or network technician, help desk, tech support, operator, and other traditional first rung IT jobs, I usually have to temper that recommendation by observing that other signs of education, skill, and ability will add to one’s chances of parlaying these credentials into a job.

Security+ is a slightly different animal. It recommends earning both A+ and Network+ first, and seeks to identify individuals with two or more years of security-related job experience. Thus, it’s not quite as “entry-level” as the other two certs, though it is very much an entry-level information security certification by virtue of its depth and breadth of coverage. Here again, this is a certification that, while helpful and worth pursuing, may not be enough by itself to parlay into an information security position. That’s partly because the phrase “entry-level security position” is something of an oxymoron, and something of a rare bird besides that. However, earning the Security+ is a useful stepping stone toward the CISSP, CISM, and other more senior infosec certs that can and often do help IT professionals move into information security jobs, or up the information security component in network and systems administration positions.

Thus, to answer the question posed in the title of this blog, the answer is: “Yes, but…” The buts include “don’t expect to turn this into immediate gold, a first job, or a promotion” and “be prepared to proceed from these ‘stepping-stone’ credentials to other, more substantial and serious vendor-neutral and/or -specific certifications to really boost your career and your future earning potential.”

–Ed–


Sep 19 2008   3:05PM GMT

Time for a sanity check: How am I doing? And yourself?



Posted by: Ed Tittel
Security, Microsoft Windows, IT careers, A+, Security+, IT certification, Career planning

This is my 18th entry for this continuing “IT Career JumpStart” blog. I’m about six weeks into the process, and both I and my masters at TechTarget are reasonably pleased with the way things are going so far. I’ve managed to get some discussion going on over half of my posts, and have fielded at least a dozen related e-mails from others who were perhaps too shy or who didn’t want to post comments directly to the blogs.

My objectives here are two-fold:

1. I’d like to ask for your input on how useful or otherwise the kind of content I’ve posted so far has been. Either way, please tell me what you liked best and why, and what you didn’t like (and why for that also, if you’re inclined to tell me).
2. I’m going to present some ideas on future topics for coverage and would like to get your reactions. Please, if you ask me not to cover something, do suggest an alternative topic to take its place if you can–preferably something that interests you, or where you’re currently seeking information or advice and haven’t been able to get what you need.

Here are the topics that I’m planning to cover over the next couple of months, some of which will be multi-part postings:

1. CompTIA Revisited: a look at the CompTIA cert stable, with more coverage on the most popular items, A+, Network+, and Security+
2. The Next Microsoft Generation: What’s up with MCTS, MCITP, MCPD, and Microsoft Certified Master?
3. Another take on information security certifications: updating the semi-annual infosec cert survey
4. Industry-motivated academic programs: where certificates, certification, classroom education, and workforce preparation meet

That should probably get us into November, perhaps even as far as Thanksgiving. But with your help and input, I’m more than happy to add and drop items, or to refocus coverage to help address your needs and answer your questions. Ultimately, that’s really why I’m doing this, so please give me the benefit of your input, not to mention your insight, as we plan for some next steps in the great chain of blogging!

Best,
–Ed–


Sep 17 2008   3:15PM GMT

Security+: Third Time Lucky?



Posted by: Ed Tittel
Security, Security+, IT certification, Career planning

At the end of August, CompTIA announced that its Security+ certification had passed a significant milestone, as the total count of credentials granted topped the 50,000 mark. Over the past six years since this certification made its initial debut in December, 2002, Security+ has slowly gained increasing acceptance and adoption as one of a small number of entry-level information security certifications worth pursuing.

That said, Security+ has played to mixed reviews from information security and certification experts, including yours truly. At various times, it’s been suggested that the exam has gotten a bit stale, wandered off-topic, and failed to cover important topics. With an average three-year update cycle (do the math) most of these observations tend to occur beyond the half-way point between exam refreshes. It’s possible that the CompTIA methodology and timing is more responsible for the occasional gaffes and gripes that get reported about its exams, including Security+.

That said, there’s a lot to like about the latest upcoming version of Security+, slated for release in Q4 2008, as a quick review of its draft objectives (in PDF format) will attest. As it has always done, the latest Security+ incarnation seeks to validate that individuals have at least 2 years experience in network administration with a security focus, including day-in, day-out security activity, along with broad basic knowledge of “security concerns and implementation.”

The original 5 domains in the exam’s body of knowledge have acquired another domain: assessments and audits (4), along with Systems Security (1), Network Infrastructure (2), Access Control (3), Cryptography (5) and Organizational Security (6, formerly known as “Operational Security”). These objectives have also been completely refreshed and overhauled, and deliver reasonably complete and comprehensive coverage of the information security landscape as we know it today.

In my last blog, I provided a list of certifications that the DoD has mandated for IT professionals whose responsibilities at various levels touch on information security. As I read over that list, I’d wondered about the suitability of Security+ in the Level 2 Technical Worker category. Now that I’ve revisited the requirements and objectives for this exam, I wonder no longer: Security+ is definitely worth further investigation and possible pursuit, especially for those looking for a stepping stone to the CISSP. Just be sure to wait for the 2008 version to go live, and use preparation materials (books, practice tests, flash cards, and so forth) to match!


Sep 15 2008   3:03PM GMT

DoD Directive 8570 and the OMB Follow-up



Posted by: Ed Tittel
Security, IT careers, CISSP, Network+, A+, Security+, CISA, SSCP, IT certification, GSEC, SCNP, SCNA, GSLC, GISF

Back in 2005, the US Department of Defense, aka DoD, issued Directive 8570 entitled “Information Assurance Workforce Improvement Program.” In a nutshell, this document states workforce responsibilities and requirements for personnel tasked with “information assurance,” a locution that means more or less the same thing as “information security” outside military circles.

There’s a lot of interesting information in this document, but what many readers of this blog will find most interesting is a list of accepted and mandated infosec certifications required for technical and management level workers in this technical niche. Because many of these items come from the SANS GIAC program (all of which start with the letter “G” in the lists that follow), you’ll find a nice summary of this information on their Web site.

Here is the way things break down at a very high level.

Technical Track
Level 1: A+, Network+, ISC2 SSCP
Level 2: GSEC, Security+, SCNP, SSCP
Level 3: GSE, CISSP, SCNA, CISA

Management Track
Level 1: GSLC, GISF
Level 2: GSLC, CISSP, CISM
Level 3: GSLC, CISSP, CISM

What’s interesting about this list is that nearly all of these certifications are well-recognized outside the DoD, and that many of them have considerable cachet on the current job market as well. What’s even more interesting is this recent story at CertCities.com, which indicates that the Office of Management and Budget (OMB) is working on a similar set of requirements for professional certification for IT workers in civilian agencies inside the US Government (and hence also, any contractors that do business with same).

This certainly creates rampant opportunities for individuals who hold one or more of these credentials, and makes the already-valuable CISSP, CISA, CISM, and SANS GIAC certs into a sort of “gold standard” for doing infosec business with the feds.

Need I say more, to those looking for more and better ways to feather their nests?


Aug 13 2008   3:00PM GMT

Why Entry-Level Certs Aren’t Enough to Get You a Job



Posted by: Ed Tittel
IT careers, CISSP, MCP, Security+, IT certification, SAP consulting certification, Career planning, Work background

Pick a popular entry-level IT certification, I don’t care which one: MCP (Microsoft single-exam credential, Microsoft Certified Professional), any major CompTIA cert (A+, Network+, Security+,…), CCNA (Cisco Certified Network Associate), and so forth. For each of these items, and others I don’t mention as well, I often find myself involved in answering questions that might be summarized as “Let’s assume I earn the . What kind of job will that get me?”

Before I respond to this question, let me make some observations about IT jobs in the civilized world:
1. Right now, it’s an employer’s market. That means employers currently enjoy the upper hand over prospective job candidates, in the sense that there are more candidates looking for jobs, than there are jobs looking for candidates. This goes double for entry-level jobs.
2. IT Certification, especially at the entry level, has become a “checkbox item” for individuals, rather than a “differentiator.” In simpler language, this means employers often expect candidates to hold certain certifications, and find those expectations met rather more often than not, rather than being able to pick outstanding candidates on the basis of whether or not they hold certain certifications. Again, this goes double for entry-level jobs, especially now that so many associate’s and bachelor’s degree programs include certification opportunities or requirements along with the rest of their degree plans.
3. Employers want people with degrees, certifications, AND experience. Anyone who’s lacking in any of these areas is automatically a less attractive job candidate. Paradoxically, the experience criterion even applies to entry-level positions, where a lack of experience is not supposed to matter, but often does matter a lot.

How should aspiring and active IT professionals look at entry-level certs in this light? My answer: “Purely as stepping stones. Treat any other additional benefits as pure gravy, and expect nothing from these credentials.” Entry-level certs have always been designed to certify minimal skills, knowledge, and competence and that’s really how employers treat them nowadays. Gone are the go-go days of the late 90s and early part of this century when any certification looked like a sure ticket to a good job, or a key ingredient for hopping from a current position to a new one.

OK, it’s still the case that certain certs–such as the CISSP, CCIE, SAP Consulting, and so forth–are indeed enough to make the difference between landing a job and missing out on an offer. But entry-level certs appear nowhere in this list, nor are they likely to make this grade any time soon, barring a radical and global economic upturn.

Does this mean that entry-level certs have no value, or that you can skip them? The answer to both of these queries is “No,” and both ultimately point to where the value of entry-level certs really comes from–namely, what kinds of things they entitle you to learn and earn next. Hence the term “stepping stone.” Unless you plan to climb to the next rung in a multi-step program that treats a particular cert as a pre-requisite or that satisfies certain component requirements, it may not be worth spending the time, effort, and money needed to acquire one.

‘Nuff said.

–Ed–