As I’ve mentioned in a previous entry on this blog, there are a variety of vendor-specific and vendor-neutral ‘security professional’ certifications recognized in the marketplace today. As with any high technology field, however, standardization and cross-applicability are very difficult.
As CPU Tech examines these different certifications, it also becomes obvious that large companies and small companies have very different goals with respect to building knowledge and credentials in security. Larger companies tend to be involved in systems integration and systems development, and tackle the ‘holistic’ questions of security, access, and information protection. Smaller companies tend to focus more on the component and module level, and develop the mechanics and tactics of intrusion detection, prevention, and response.
However, the systems integrator needs to understand how to assess the tactical solutions, just as the sub-system developer needs to understand the overall security goals of the larger program. This drives individuals and organizations to set wider training goals for their key security personnel.
I won’t attempt to describe which certifications are ‘worth the money’, nor which vendor-specific ones I recommend in the future. But I will share a brief sketch of the landscape of security certifications and credentials that may be relevant to work with the secure processor.
I will note one other thing: standards and certifications arise primarily in ‘established’ fields or technologies, and built-in hardware security is arguably a new field with little standardization. There will be several gaps in both knowledge and practice in their use, which will need to be filled with investigation, experimentation, and possibly partner services through CPU Tech. Until some of the applications and field uses of secure processors are standardized, practitioners will need to rely on associated certifications and standards related to secure systems and software.
Feel free to use this for your own evaluations and assessments of the value of security certifications.
EDIT: Just discovered that the GSSP-C has been discontinued. Most of the research I’ve done on this is about 6 months old and needs some revision.