InformationWeek: The Business Value of Technology


May 1, 2000


Stay Safe In An Unsafe World

continued...page 2 of 2

    Steve Hunt, research director at Giga Information Group, explains the value in attaining this broad knowledge. For instance, when establishing an E-business, a CISSP understands not only authentication technologies, but also how to protect the data center in case of a disaster and build a business continuity plan.

    Another certification, the Certified Information Systems Auditor (CISA), emphasizes practical knowledge over theory. Sponsored by the Information Systems Audit and Control Association, the certificate has a track record of 22 years and attracts professionals from IS security, IS management, and general auditing backgrounds, says Terry Trsar, chief professional development officer at the association.

    Derek Oliver, director of IS audit and security for Ravenswood Consultants in Essex, England, says his CISA designation gives him credibility in his field: He helps major banks, large hospitals, and government departments comply with British Standard BS7799, which is the Specification for an Information Security Management System. "The greatest security risk lies, of course, in the weakest link in the E-commerce chain," he says. Compliance with the standard is meant to eliminate those weak links, ensuring true, trusted third-party status so that companies can have confidence in the organizations with which they do E-business.

    As more businesses embrace E-commerce, the need for qualified security professionals at companies of all sizes will increase, analysts say. "E-commerce doesn't work if security is treated as an additional layer of overhead," says Hunt. "Security is fundamental to the initiative."

    It may become more important for larger companies to have certified security professionals on staff, predicts David Mantica, director of security training for Global. These organizations typically already have better access to qualified security professionals than smaller businesses, but they can't forget that they're the big targets for hackers, he says.

    It's uncommon for security vendors to offer certification for their own products, Hunt says. But many companies can benefit from sending employees to product-specific certification courses, says analyst Wright, because it's unlikely that a business will migrate off of its major security platforms. Choosing between a vendor-neutral certification and a vendor-specific one, he says, is "like choosing between a Microsoft Certified Systems Engineer certification and a computer science degree. MCSE will teach you all about Microsoft products, while the computer science degree will be broader focused."

    One popular product-specific certification, Wright says, is that offered by firewall vendor Check Point. The Check Point Certified Systems Administrator certification provides a technical understanding of its FireWall-1 offering, teaching students how to install and set up simple configurations. And the Check Point Certified Systems Engineer designation teaches users with sophisticated security requirements the best ways to manage multiple FireWall-1 systems.

    Bill Hentschell, senior security consultant at World Wide Technology, a Web-site development company, earned both Check Point certifications. He has since created a firewall design for the Kentucky Department of Education. The challenge: Keep hackers from accessing sensitive information and from using the department's computers to launch attacks on other systems, as well as monitor the sites students visit.

    Not an easy task, especially since 125,000 students access the Internet via the department's computer system. The firewall design, if not done correctly to accommodate such intense traffic, could slow down connections. Hentschell's design addresses this by including a clustered pair of firewalls that provides load balancing so traffic is divided between the firewalls, which is "like multiple bouncers at the front door of a night club." Clustering also provides failover.

    Another vendor, Argus Systems Group, will soon start a certification program for its PitBull product. That software turns a commercial operating system into a "trusted," or secure, operating system, the company says. Argus has informally granted about 50 certifications to experienced users of its product, but will soon begin a full certification program.

    Internet Security Systems also offers the ISS Certified Engineer designation for its own SafeSuite products, which provide intrusion-detection and vulnerability scanning, as well as a Check Point Certified Engineer designation for Check Point's firewall. Starting in June, ISS will blend vendor-neutral and vendor-specific courses together, in three separate certifications. ISS will offer certified security courses for security auditors who need to understand checking and verifying processes; for security engineers who need to know how to deploy and install products; and for operations managers such as CIOs who need to understand the technology but not the nuts and bolts of product installations. All three certificates will focus on intrusion detection and vulnerability scanning, firewall and VPN technology, and how to defend against computer attacks.
