Guide to information security certifications
Check out the other guides in this series:
Overview: SearchSecurity.com's guide to information security certifications
SearchSecurity.com's guide to vendor-specific security certifications
This survey highlights the best vendor-neutral security industry certifications for achieving goals specific to your information security career path. It's a companion to two other surveys, which cover the vendor-neutral and vendor-specific security certification landscapes in detail.
The following table summarizes the overall certification counts in these surveys. On the whole, the vendor-neutral categories increased by four certifications since 2010, although we abandoned some programs entirely (most notably the CERI offerings). The overall counts for the forensics/antihacking
Summary of changes, by the numbers
| Counts | 2010 | 2012 |
|---|---|---|
| Vendor-neutral | 45 | 49 |
| Basic | 12 | 14 |
| Intermediate | 16 | 7 |
| Advanced | 17 | 28 |
| Forensics/antihacking | 24 | 24 |
| Basic | 9 | 10 |
| Intermediate | 8 | 8 |
| Advanced | 7 | 6 |
| Specialized | 10 | 10 |
| Vendor-specific | 38 | 38 |
| Basic | 8 | 8 |
| Intermediate | 21 | 20 |
| Advanced | 9 | 10 |
| TOTALS | 117 | 111 |
As we indicated in our vendor-specific certification analysis, it's fairly easy to decide which vendor-specific certs to pursue: earn those that apply to the technology your employer or customers use, or those that have value to potential future employers or customers. Deciding what to pursue on the vendor-neutral side involves understanding where individual certs and cert programs fit in the overall scheme of coverage, and also requires comparing similar programs to decide which ones to pursue.
In fact, with just over 110 certifications comprising the security certification landscape, there's obviously no shortage of options. The question is, how do you know which certification is right for your IT career path? Here's a brief analysis of the landscape and suggested educational options for your information security career path that you can pursue at any point in your career.
Today, the (ISC)2's Certified Information Systems Security Professional (CISSP), the SANS Institute's Global Information Assurance Certification (GIAC) and the ISACA Certified Information Security Manager (CISM) are probably the best-known and most widely followed IT security certification programs. The number of certified individuals in these programs varies (some have as few as 10,000 certified members, while there are more than 75,000 for the CISSP designation). Broader programs, such as the Certified Information Systems Auditor (CISA) or the Certified Fraud Examiner (CFE), which both cover more than strictly information security topics, have populations that number 55,000 or more.
CompTIA's Security+ still weighs heavily on the entry-level security certification landscape as it continues to attract strong interest and participation. Today the number of Security+ certifications tops 45,000. IBM, EC-Council, Security University (SU) and mile2 include Security+ in some of their own certification programs. Holders of Security+ can also substitute it for one year of job experience toward the Certified Information Security Manager (CISM) certification requirements, and Security+ remains our leading choice as the best recognized and the best overall entry-level information security certification currently available. To earn Security+ certification, candidates must pass a single exam.
More broadly, the entry-level credentials with the most weight are CompTIA's Security+, SANS GIAC Information Security Fundamentals Certification (GISF) and the (ISC)2's Systems Security Certified Practitioner (SSCP). The CISSP and the SANS GIAC intermediate and senior credentials remain the best bets for those seeking more than entry-level security credentials, while the Certified Ethical Hacker (CEH) is now a viable option for those interested in highlighting their current system penetration techniques and counter-hacking skills. The Certified Protection Professional (CPP), Professional Certified Investigator (PCI), Physical Security Professional (PSP) and the various CISSP concentrations are restricted to the most senior members of the security community, simply because they require five to nine years of work experience in the security field for candidates to even qualify for the exam.
Given this landscape, we recommend the following security certification ladder that individuals can start and climb at any point, depending on their current knowledge, skills and experience.
Start your security certification journey with a broad, but still entry-level security cert. This could be one of the following credentials, any of which will provide an excellent and thorough background in computer security theory, operations, practices and policies:
CompTIA's Security+
CompTIA's Security+ certification has become the entry-level information security certification of choice for IT professionals seeking to pursue further work and knowledge in this area. That's why it's our first choice and leading recommendation at this level.
(ISC)2's Systems Security Certified Practitioner (SSCP)
The International Information Systems Security Certification Consortium is also home to the CISSP, the best-known senior-level security certification (senior-level certs are covered later in this article). If you're of a mind to go that route, the SSCP is a great way to prepare.
SANS GIAC Information Security Essentials Certification (GISF)
The SANS Institute is an ongoing and well-recognized powerhouse in the security industry. Likewise, its certifications continue to accrue visibility and acceptance. The GISF opens the door to other credentials in the SANS GIAC program.
Finally, you'll be ready to tackle a premium or senior-level security certification. Most such certifications require three or more years of relevant, on-the-job experience. Many require submitting papers or research results in addition to passing exams; some also require taking specific classes. Of these, three are particularly worthy of mention, and pick up where the previous three leave off:
(ISC)2's Certified Information Systems Security Professional (CISSP)
The CISSP is arguably the best-known senior-level security certification in North America. It frequently shows up in top 10 certification wish and want lists, and is often requested by name in job postings and classified ads. Those who are interested in extending their CISSP credentials should also look into its three concentrations -- Architecture (CISSP-ISSAP), Engineering (CISSP-ISSEP) and Management (CISSP-ISSMP).
SANS GIAC Security Certifications
The SANS Institute offers numerous topical specializations that extend the GISF and the GIAC Security Essentials Certification (GSEC), including firewalls, incident handling, intrusion analysis, Windows and Unix administration, information security officer and systems and network auditor certifications. This is a topical, timely and highly technical program based on outstanding training online or at SANS conferences. For those willing to acquire four of these individual credentials (two of them "gold") and sit for a lengthy exam in two parts, moving on to the GIAC Security Engineer (GSE) certification probably makes sense.
Qualified Information Security Professional Certification
Security University's certification requires some of the best, most intense and hands-on information security training around. Highly popular with government and industry security heavies, this program is expensive, demanding and time-consuming, but it's worth the intensive investment it requires to complete.
For additional information on these certifications and more, visit the SearchSecurity.com guide to information security certifications, as well as the SearchSecurity.com vendor-neutral security certifications guide. Don't hesitate to let us know if our analysis of this landscape has missed anything. We can't claim to know, see or be able to find everything, so all feedback will be gratefully acknowledged. As always, feel free to email us with comments or questions at etittel@yahoo.com.
About the authors:
Ed Tittel is a full-time freelance writer, trainer and consultant who has written more than 140 books, including his latest, the CISSP Study Guide, 5th edition, with J. Michael Stewart and Mike Chapple (Sybex). He has been active in the computing industry for more than 20 years and has worked as a software developer, manager, writer and trainer.
Kim Lindros has more than 20 years of experience in the computer industry, from technical support specialist to network administrator to book and course content manager. She has edited and developed more than 400 IT-related books and online courses, and co-authored two certification books and numerous online articles with Ed. Kim runs Gracie Editorial, a content development company.
This was first published in October 2010