
Information security certifications: Introductory level

This series looks at the top information security certifications for IT professionals. Part one reviews basic, vendor-neutral certifications for entry-level positions.

Information security certifications, like any IT certifications, can be a magnet for controversy based on whether they provide meaningful data about the certification holders, or whether they are simply a distraction from attaining -- and demonstrating -- top security skills. The challenge for information security novices can be even greater due to the wide variety of certifications, as well as the increasing number of certifications offered in specialties and sub-specialties.

This series comprehensively reviews the current state of information security certifications, highlighting which are best for achieving goals specific to an information security career path. The series is a companion to three other articles that cover the vendor-specific information security certification landscape, vendor-neutral certification career paths and cloud security certifications in detail.

As the table below shows, the number and diversity of information security certifications continue to grow. In just two years, the overall number of certifications covered here has grown by almost 17%, so it is becoming easier than ever to find a suitable certification. While some certifications have been discontinued, 19 credentials have been added, and some certifications have been moved to new categories to more accurately classify them.

Figure: Growth of information security certifications. The breadth and depth of information security certifications continue to grow, with nearly 17% growth over two years.

The information security certifications space continues to evolve and expand, and some new introductory certifications worth watching over the next few years include the CyberSec First Responder (CFR) by Logical Operations Corp. and the Cybersecurity Nexus Practitioner (CSX-P) by the Information Systems Audit and Control Association (ISACA); the CSX-P is profiled below.

Some other new and notable certifications covered in the second part of this series, on intermediate certifications, include the CompTIA Cybersecurity Analyst certification, and two new EC-Council certs: the EC-Council Certified Network Defender and the EC-Council Certified Encryption Specialist.

Part three covers advanced certifications, part four includes certifications for forensics and antihacking and part five covers more specialized cybersecurity certifications.

SearchSecurity guide to vendor-neutral information security certifications

The sheer number of credentials can make navigating the information security certification landscape a dizzying experience. Simply identifying and differentiating among the vast array of offerings can be time-consuming and overwhelming, never mind determining which certification best fits your needs.

By Ed Tittel

This SearchSecurity series covering information security certifications provides a comprehensive overview of the many information security certification options currently available. It's intended for anyone looking to get on the information security certification path, whether they are starting up the information security career ladder or already have security experience and wish to hone their skills in some specialized area.

Consider this series a reference to the most sought-after certifications. Part one of this series outlines basic information security certifications for introductory-level professionals.

Editor's note: All entries are listed in alphabetical order according to certification title.

General information security: Basic

Brainbench Inc. basic security certifications
Brainbench offers several basic-level information security certifications, each requiring the candidate to pass one exam. Examples of these certifications include:

  • Firewall Administration Concepts;
  • Information Technology Security Fundamentals;
  • Internet Security;
  • Information Technology Association of America Information Security Awareness;
  • Network Authentication; and
  • Network Security.

Source: Brainbench

Mile2 Certified Disaster Recovery Engineer (CDRE)
This credential, from training company Mile2, recognizes individuals with foundational knowledge of disaster recovery (DR) and business continuity (BC) planning methodologies. A CDRE recipient recognizes real-world risks and vulnerabilities to an IT infrastructure, understands how to safeguard assets against threats, and can write DR and BC plans and policies. Candidates must have at least one year of information systems management experience.

The CDRE is recognized by the National Security Agency (NSA) as meeting the requirements for "CNSS-4016: National Information Assurance Training Standards for Risk Analyst and the Risk Management Framework (RMF)."

Source: Mile2 Certified Disaster Recovery Engineer certification

Mile2 Certified Professional Ethical Hacker (CPEH)
The CPEH is a foundation-level information security certification in the Mile2 lineup of penetration testing credentials. Candidates for the CPEH certification are expected to understand how to perform vulnerability assessments, how malware functions and the types of countermeasures to put in place to prevent attacks. The credential is structured around a five-day online course, and candidates must pass one exam to achieve certification.

Source: Mile2 Certified Professional Ethical Hacker

Mile2 Certified Vulnerability Assessor (CVA)
The CVA is for ethical hackers, IT engineers, security analysts and the like who are tasked with assessing an organization's security posture. A CVA recipient should be able to use a variety of common vulnerability assessment tools to identify malware and viruses and must be able to interpret the results of scans. Candidates must pass a single exam to achieve certification.

The associated course is accredited by the NSA CNSS 4011-4016 training standard and is on the FBI Cyber Security Certification Requirement approved list.

Source: Mile2 Certified Vulnerability Assessor

Prometric Cyber Security Essentials
This credential is designed to compete directly against the CompTIA Security+ information security certification. The areas that the Cyber Security Essentials credential covers include general information security, application security, governance and compliance, operational security, network security, physical security, environmental security, and vulnerability management.

Source: Prometric Cyber Security Essentials

ISACA Cybersecurity Nexus Practitioner
The CSX-P certification is an ISACA credential aimed at first responders to security incidents. Professionals holding a CSX-P must know how to work with firewalls, patch systems, respond to antivirus alerts and implement security controls. Response techniques include performing vulnerability scans and analyzing threat and breach data.

Candidates must pass a four-hour performance-based exam, adhere to ISACA's code of ethics, and comply with continuing education and retesting policies. The certification must be renewed every three years.

Source: ISACA Cybersecurity Nexus Practitioner

GIAC Information Security Fundamentals Certification (GISF)
This certification is the introductory part of the Global Information Assurance Certification (GIAC) program. The GISF certifies individuals with foundational knowledge of information assurance, such as risk management, defense-in-depth techniques, security policies, disaster recovery and business continuity. No training or prerequisites are required. Candidates must pass one exam, and the certification is valid for four years.

Source: GIAC Information Security Fundamentals Certification

CompTIA Security+ certification
This certification validates knowledge and skills related to security fundamentals, security concepts and theory, and best operational practices. In addition to standing on its own as a CompTIA credential, the Security+ certification is required for some IBM certs, such as the IBM Certified Advanced Deployment Professional: IBM Service Management Security and Compliance V5.

Some companies, including Apple and Dell, have incorporated the Security+ information security certification into their training programs or require job candidates to gain the certification, and the U.S. Department of Defense accepts the Security+ credential to meet Directive 8570.01-M requirements.

There are no prerequisites, but CompTIA recommends that candidates obtain the Network+ certification and have at least two years of IT administration experience before attempting the Security+ credential.

Source: CompTIA Security+

(ISC)² Inc. Systems Security Certified Practitioner (SSCP)
The International Information System Security Certification Consortium, or (ISC)², offers this entry-level certification as a precursor credential to its Certified Information Systems Security Professional (CISSP) certification.

The SSCP exam covers seven domains in the Common Body of Knowledge (CBK), with the exam focusing more on the network and administration aspects of information security that are germane to the duties of a day-to-day security administrator, as opposed to the issues of information policy implementation, architecture design and application development security that senior IT security professionals are more likely to handle.

Candidates must have at least one year of experience in one or more of the seven SSCP CBK domains. (ISC)² offers the Associate of (ISC)² credential for candidates who pass the Certified Authorization Professional, Certified Cyber Forensics Professional, Certified Cloud Security Professional, CISSP, Certified Secure Software Lifecycle Professional, HealthCare Information Security and Privacy Practitioner or SSCP exam, but who do not yet meet the experience requirement.

Source: (ISC)² Systems Security Certified Practitioner

About the author:
Ed Tittel is a 30-plus year IT veteran who's worked as a developer, networking consultant, technical trainer, writer and expert witness. Perhaps best known for creating the Exam Cram series, he has contributed to more than 100 books on many computing topics, including titles on information security, Windows OSes and HTML. 

This was last published in December 2017


Join the conversation

12 comments


What types of cybersecurity certifications are most -- or least -- valuable for infosec novices, and why?
I am very surprised that there is no mention of Cloud Security certifications?
We are working on a cloud-specific guide that we hope to have up soon!
1. No such cert as the "Prometric Cyber Security Fundamentals".
2. How is the CCISH a Basic cert? It requires 1 year of experience in Incident Handling, and is offered by CMU, a top US University.
3. CISSO, a direct competitor to the CISSP, is a basic cert?!
The actual name of the cert is Prometric Cyber Security Essentials, and the URL for same is: https://www.prometric.com/en-us/clients/cybersecurity/Assets/default.html?cshp. This should be fixed above soon. Will also move CCISH and CISSO into advanced category, where they should have been placed all along. My mistakes, happy to correct them all! Thanks for the feedback.
Why is the OSCP (Offensive Security) not in here?
I'm not sure how you don't mention the EnCE certification. It actually requires hands-on proven results to get the certification, unlike some other certifications in which they only require a written test.
There are quite a few certifications available, but as I understand it, the EnCE credential covers the use of Guidance Software's EnCase computer forensic software; this article covers certifications that are not specific to particular vendors -- but this article does include coverage of the EnCE credential.
Thought-provoking blog post. I was fascinated by the details! Does anyone know where I could find a template 2013 DS-82 form to use?
The fact that this doesn't even include a single Offensive Security certification shows how outdated and biased this list is.
In my experience some certifications are not all that important. Real-world experience is more than enough to compensate for them.
It's a mixed bag; some high-profile professionals have been able to make it without any certifications -- or even without any college.

OTOH, certifications give newcomers to an industry a way to get a foot in the door, so to speak.

The certification debate has been ongoing for decades and will surely continue, but the best approach is to strive to get real world experience when it is possible/practical, but when not, a certification can help fill in some of the gaps.
