For this update to our survey we added only one new certification overall, the GIAC Certified Incident Manager or GCIM. We dropped a total of 39 vendor-neutral credentials this time around, including various moribund items (TICSA and all the CIW credentials), 5 individual BrainBench courses, since they don't really produce certifications, and 23 GIAC certificate and tune-up course offerings, which also don't produce certifications; certificates rather.
This drops the overall count of vendor-neutral certifications to under 100 for this year, while the count of vendor-specific certifications jumps to around 40. As we indicate in our vendor-specific survey, it's pretty easy to decide which vendor-neutral certs to pursue -- either earn those that apply to what your employer or customer uses, or those that some employer or customer you'd like to work for uses. Deciding what to pursue on the vendor-neutral side involves understanding where they fit in the overall scheme of coverage, which explains why we divide things up in the survey the way that we do, but also requires comparing similar programs to decide which ones to pursue.
In fact, with about 60 vendor-neutral certifications comprising the security certification landscape, there's obviously no shortage of options for would-be computer security experts to choose from. The question is, how do you know which certification is right for you? Here's a brief analysis of the landscape and a suggested educational path you can pick up at any point of your career.
Today, the Certified Information Systems Security Professional (CISSP), the SANS Institute's Global Information Assurance Certification (GIAC) and the Certified Protection Professional (CPP) are probably the best known and most widely followed IT security certifications/programs. The number of certified individuals in these programs varies from a low of 9,000 to a high of over 60,000. Broader programs such as the Certified Information Systems Auditor (CISA) or the Certified Fraud Examiner (CFE), which both cover more than information security topics, have populations as large as 80,000 or more.
CompTIA's Security+ has changed the entry-level security certification landscape as it continues to attract strong interest and participation. Today the number of Security+ certifications is over 40,000. Microsoft and IBM have incorporated Security+ into some of their own certification programs. Security+ can also substitute for one year of job experience for the Certified Information Security Manager (CISM) certification. Security+ remains our leading choice as the best recognized and arguably the best entry-level information security certification currently available. Be warned, however, that this exam hasn't been updated in four years and several experts have publicly expressed issues with some of its coverage, question clarity and intelligibility.
Thus, the entry-level credentials with the most "oomph" are CompTIA's Security+, SANS GIAC Security Essentials Certification (GSEC) and the ISC²'s Systems Security Certified Practitioner (SSCP). Today, the CISSP and the SANS GIAC intermediate and senior credentials remain the best bets for those seeking more senior security credentials, with the Certified Ethical Hacker (CEH) coming on strong for those interested in current system penetration techniques and counter-hacks. The Certified Protection Professional (CPP), Professional Certified Investigator (PCI), Physical Security Professional (PSP) and the various CISSP concentrations are restricted to the most senior members of the security community, simply because they require five to nine years of work experience in the security field for candidates to qualify for the exam!
Given this landscape, we recommend the following security certification ladder that individuals can start and climb at any point depending on their current knowledge, skills and experience.
Start your adventure with a broad, but still entry-level security cert. This could be one of the following credentials, any of which will provide you with an excellent and thorough background in computer security theory, operations, practices and policies:
- CompTIA's Security+
CompTIA's Security+ certification has become the entry-level information security certification of choice for IT professionals seeking to pursue further work and knowledge in this area. That's why it's our first choice and leading recommendation at this level.
- ISC²'s Systems Security Certified Practitioner (SSCP)
The International Information Systems Security Certification Consortium is also home to the best-known senior-level security certification (senior-level certs are covered later in this article). If you're of a mind to go that route, the SSCP is a great way to prepare.
- SANS GIAC Security Essentials Certification (GSEC)
The SANS Institute is an ongoing and well-recognized powerhouse in the security industry. Likewise, its certifications continue to accrue visibility and acceptance. The GSEC opens the door to other certifications in the SANS GIAC program.
Finally, you'll be ready to tackle a premium or senior-level security certification. Most such certifications require three or more years of relevant, on-the-job experience. Many require submitting papers or research results in addition to passing exams; some also require taking specific classes. Of these, three are particularly worthy of mention, and pick up where the previous three leave off:
- ISC²'s Certified Information Systems Security Professional (CISSP)
The CISSP is arguably the best-known senior-level security certification in North America. It frequently shows up in top 10 certification wish and want lists, and is often requested by name in job postings and classified ads. Those who are interested in extending their CISSP credentials should also look into its three add-on credentials. Although one of them applies only to those working in national security-related positions, the other two deal with policy and practice matters and are of definite value and interest to security practitioners outside the national defense infrastructure.
- SANS GIAC Security Specialist Certifications
The SANS Institute offers numerous topical specializations that extend on the GSEC, including firewalls, incident handling, intrusion analysis, Windows and Unix administration, information security officer and systems and network auditor certifications. This is a topical, timely and highly technical program based on outstanding training online or at SANS conferences. For those willing to acquire three of these individual credentials and sit for two lengthy exams, moving on to the GIAC Security Engineer (GSE) certification probably makes sense.
- Qualified Information Security Professional Certification
Security University's certification requires some of the best, most intense and hands-on information security training around. Highly popular with government and industry security heavies, this program is expensive, demanding and time-consuming, but it's worth the intensive investment it requires to complete.
For additional information on these certifications and more, visit the SearchSecurity.com Guide to Infosec Certifications. Don't hesitate to let us know if our analysis of this landscape has missed anything. We can't claim to know, see or be able to find everything, so all feedback will be gratefully acknowledged. As always, feel free to e-mail us with comments or questions at etittel@yahoo.com.
About the authors
Ed Tittel is a full-time freelance writer, trainer and consultant who has written more than 130 books, including his latest (with lead author, Laura Chappell), Guide To TCP/IP, third edition, (Course Technology, 2006, ISBN: 1418837555). He has been active in the computing industry for more than 20 years and has worked as a software developer, manager, writer and trainer.
Kim Lindros has more than 15 years of experience in the computer industry, from technical support specialist to network administrator to book and course content manager. She has edited and developed more than 200 IT-related books and online courses, and co-authored two certification books and numerous online articles with Ed. Kim runs Gracie Editorial, a content development company.
