So you want to be a security superstar and are asking questions like: "Which cert!@ CISSP, CISM, CISA, OSCP, C|EH, CHFI, NSA IAM!" In an effort to explain it all to those new to the industry, I will offer some detail about the pros and cons of security "certifications". Take it with a grain of salt, your mileage may vary.

What exactly is it you want to focus on. Security is a broad field and there is no one all inclusive security certification to "prove your worth". There is experience, intuition, know how, broad knowledge, but no one certification will make you a security guru period. If you think the CISSP will make you a star, an OPST, a GPEN, you're wrong. One hundred percent wrong.

Let me start with a primer for the beginner... Five year plan

Study
A+
Network+
Security+
MCSA
RHEL
CCNA

What the hell? A+ gives you a good understanding of computers. You will HAVE TO KNOW about how the hardware involved if you ever wanted to move into the forensics arena. Aside from this, its best to understand it all from the ground up.

Network+ and CCNA!@ You must be smoking... Understanding networking is a MUST period. In order to understand security, you MUST understand how networks connect on all levels. I threw the CCNA into the mix since it offers a comprehensive overview into routing, the OSI layer, and how networks mingle with each other.

Security+!@!@ That's for newbies!@... Security+ is a primer, enough to give you a kickstart into information security. It will allow you to learn and apply some core fundamentals of security. Nothing spectular, and surely nothing simplistic as some may think.

MCSA and RHEL studied for two years... This does not imply become a Microsoft Systems admin or Redhat admin. Its thrown in to give you experience on the Microsoft side of things and a primer into Linux. Forget about Ubuntu, forget Debian, forget about Linux zealotry altogether. Think about this for a second... Do you think someone in say 80% of the Fortune 500's will know what Ubuntu is as opposed to Redhat Enterprise Linux? Let's be realistic and keep the trolling for kids.

If I had to give say a relative advice, this would be the advice I would give them. Understanding the fundamentals of computing - hardware and software will certainly make learning easier down the road.

Intermediate Plan...

This is where we make huge decision. Which route do we want to go. Since security is so broad, ask yourself, what do you envision yourself doing. Pushing papers, reading and writing policies, understanding regulatory controls and governance. Do you see yourself doing penetration testing, cryptography, forensics. You have to make this decision. Here is my breakdown for various fields...

Penetration Testing...
1) C|EH - Love it or hate it, the C|EH will give you a primer on what tools to use, how they work.
2) OSCP - Offensive Security Certified Professional... Your exam... Own the box. And its not easy I can tell you firsthand.
3) OPST - This to me is the grandfather/Masters Degree of Pentesting related certifications
4) GPEN - Another value added certification from SANS

The C|EH was very introductory for me as was the CHFI. However, I'd already had years of experience prior to taking them both. I finished them both in about an hour and a half (yes I said both). I was disappointed, but understood what they were trying to accomplish. For the beginner to mid level pentester, you may learn a thing or two from this exam. Aside from that, browse over to Dice and you will see that there are companies slowly demanding C|EH/CNDA, CHFI certifications including IBM.

OSCP. If you truly want to understand penetration testing, shoot for this exam. Either purchase the lab time and exam online, or attend a class in person. Its definitely worth having an explanation on subjects you might not know about. It will give you a thorough understanding of buffer overflows, SQL injection, ARP spoofing, etc., however, its mainly geared towards users of Backtrack, in fact, your exam will be based off of the tools used on Backtrack. I personally created my personal scripts for the exam, but you will need to know enough about a variety of tools, exploits, and definitely buffer overflows to pass this exam. It is NOT an easy exam.

OPST. Good old Pete Herzog. I'd read so many things from Pete over the years and ISECOM hits an exam right on the nose of "knowing your stuff". For the OPST, you should have minimum - 3 to 5 years doing penetration testing however, verification is key. It's one thing to say you know of a Proof of Concept, even running one once upon a time. Double checking and verifying this will be the key here. You should have a sound understanding of enumeration, applications, networking, etc.

GPEN... SANS has been around for a while and I hear sensational stories about GPEN. Since I've never taken the exam, I cannot state nothing other than, I know some seriously talented individuals who've told me this exam is not a walk in the park.

Forensics...
CCE (period...) http://www.certified-computer-examiner.com/ Having the CHFI to me doesn't mean I can qualify as an outright "Forensics Investigator" at least not by my standards. The Certified Computer Examiner (CCE) is the certification of choice. EnCE is nothing more than a vendor specific certification. So unless you plan on using EnCase for the rest of your forensic career - which in that case won't be too long, you want to maybe start with the CHFI to understand the different tools, arenas of information security/carving, etc., then follow it off with the CCE

Intro to management
SSCP - ISC2's mini CISSP. This cert will give you a thorough into the realm of information security management.

Mid-Experienced manager
CISSP, CISM, NSA IAM/IEM - All certifications mentioned are managerial and are for experienced security individuals. I don't want to troll about any specific cert, but take note, holding any one of these certs will not make you a security expert as anyone can memorize from a book to pass an exam.

Others worth mentioning... CISA if you'd like to spend your time auditing information security policies, procedures, etc.. A CISA is not a "uber hacker investigator" so if you're confused about this cert, I suggest you read up more about it on ISACA's website.

Bottom line...
Its up to you to determine what you want to do in life. If you envision yourself being responsible for the security mechanisms of a company, you'd want to shoot for the CISM, CISSP. Want to do a bit of high level auditing, NSA IAM complements any of the pentesting certs.

If you truly want to be impressive from my perspective... Shoot for the CCIE-Security. You need to understand a heapload about security and prove it in a lab. While tailored for Cisco based products, studying at the CCIE Security level introduces a lot more than meets the eye. I've studied for the CCIE Security for some time now and have learned extensively about VPN's, IPSec, IKE, RADIUS, connectivity as a whole, LDAP, Windows networking, Unix networking, network forensics. It definitely helps to understand these concepts from the RFC level up. Do I want to become a CCIE, not really, I just like learning. Take note, to fully grasp it all, you'd want to set up a decent lab... (http://www.infiltrated.net/AugDeskPix/)

My lab's hardware
2 Juniper SSG 350M's, Cisco 3620 w/VIC 2XS, Cisco 3640, Cisco 3620, Cisco 3620, Cisco 4500-M, Cisco 2511 term, Cisco 2524, Cisco MCS-3810-V, Cisco MCS-3810-V 6 port FXS, Sonicwall 2040 paperholder, Cisco MCS-3810-V 6 port FXS, 4 Cisco 2610's with assorted WIC's, Netscout Fiber taps, Mercury M5 RFID voodoo gizmo, Cisco 35xx switch, Marconi Fore ATM switch, Dinosaur Sun U1, ISDN simulator, Sparc 10, Netscout ETHERNET tap, Sun Netra, Cisco Pix 506e, Juniper Netscreen 5XT, 4 Stonegate SG1100's, 2 Sun 280's, 3 Cisco 4500m's, 1 Cisco LS1010, 2 Juniper EX switches (shh), Foundry BigIron

Mu current study path... CISM, NSA IAM, JNCIA, CCIE Security... All at the same time. Will I take the certs... Unsure yet. I just like learning For those wondering - "Well who the hell are you..." ... Just me

The most important point of the article: If you think a cert will make you a star you are 100% wrong. I agree with silxp that the focus should be on learning the content well and not what a cert gets you. Also another point I like, which was kinda hinted at. Don't make your certification selection based on trendiness or job boards, you should think out your career path first to make sure you align your certification goals correctly.

I have to echo Chris' thoughts. How can you have such strong opinions on certifications that you do not hold? Have you co-authored the course material? Taken the associated classes?

I do however agree with your statements on learning as much as possible about operating systems and networking.

I have a lot of respect for Eric Cole. But, throwing around names of people at SANS and titles of books that you are mentioned in still doesn't qualify you to give opinions on certifications that you do not hold, unless you have taken the exams, written course material for, or evaluated the material of the associated class.

I can say that the CCIE is garbage, but my opinion is not valid as I do not have it, have not evaluated the course material. etc.  I have only heard what others say about it.

Some of the best IA professionals have written nothing and some not so great professionals have written books. That argument is pointless.

It does the community no good for you to come here and provide blanket opinions on certifications that you do not really have knowledge of. Same as it would do not good for me or anyone else to offer opinions of certifications that we have not been involved in. It also does the community no good for you to come here and get rude when people ask how you can speak to certifications that you apparently have not been involved with.

I can say that anything is garbage based on interviews with people in the know, that doesn't make it so. My point is that if you are going to try to sway people's opinions on a certification, or anything else for that matter, it would be useful to offer up your reasons why and provide background on your reasons, so that we can make our own judgement on your thoughts. It does no good to offer opinions based on heresay. Plenty of people in the know, turn out to really know nothing or are pulling their opinions out of thin air.


EDIT:

I just wanted to add, I don't think anyone here is trying to be a jerk to you. I think we just want to understand your reasoning. Name dropping doesn't help us understnad why you think GPEN is good for example.
 

I actually liked silxp's post and enjoy people that post with a little passion, regardless if I agree 100% with them. I still maintain that a cert is only as good as the person behind it. So much depends on what you want to focus on.  For instance some doors will be completely closed to you if you don't have a CISSP. In other IT fields you might get along just fine without it.   As he stated, take it with a grain of salt and mileage may very.  Thanks for taking the time to post your thoughts here silxp. 

i wasn't trying to be a jerk or start a cert war.  I just personally feel that if you are going to give advice you should either have experience in what you are giving advice on or other experience to make your advice valid (everyone can have an opinion regardless of experience).

I think silxp has since dropped enough information that we can google him and get a feel for his background which to me was wasnt apparent with the initial post in this thread.

you'll have to pardon my pessimism because we've had people talking out their ass on this forum before (not the case this time) and most people dont seem to have any balls to call people out.