Guide to information security certifications
This special report highlights the best vendor-neutral security industry certifications for achieving goals specific to your information security career path. It's a companion to two other surveys, which cover the vendor-neutral and vendor-specific security certification landscapes in detail.
The following table summarizes the overall certification counts in these surveys. On the whole, there are five new vendor-neutral certification categories since 2012, although we dropped some retired credentials along the way. The overall counts for the specialized security certs remained the same, with a gain of five vendor-neutral certs and only one vendor-specific credential.
As was indicated in our vendor-specific certification analysis, it's pretty easy to decide which vendor-specific certs to pursue; earn those that apply to the technology your employer or customers use, or those that have value to potential future employers or customers. Deciding what to pursue on the vendor-neutral side not only involves understanding where individual certs and cert programs fit in the overall scheme of coverage, but also requires comparing similar programs to decide which ones to pursue.
To be sure, with more than 120 certifications comprising the security certification landscape, there's obviously no shortage of options. The question is, how do you know which certification is right for your IT career path? Here's a brief analysis of the landscape and suggested educational options for your information security career path that you can pursue at any point in your career.
Today, (ISC)2's Certified Information Systems Security Professional (CISSP), the SANS Institute's Global Information Assurance Certification (GIAC) and the ISACA Certified Information Security Manager (CISM) are probably the best-known and most widely followed IT security certification programs. That said, the new CompTIA Advanced Security Practitioner (CASP) is included in the U.S. Department of Defense Directive 8570.01-M, which means that credential is bound to be extremely popular with government employees and government contractors alike. The number of certified individuals in these programs varies (some have fewer than 10,000 certified members, while there are now more than 75,000 individuals worldwide who hold the CISSP designation). Broader programs, such as the Certified Information Systems Auditor (CISA) or the Certified Fraud Examiner (CFE), which both cover more than strictly information security topics, have populations that number 60,000 or more.
CompTIA's Security+ still weighs heavily among the entry-level certs as it continues to attract strong interest and participation. Today the number of Security+ certifications tops 50,000. IBM, EC-Council, Security University (SU) and mile2 include Security+ in some of their own certification programs. Holders of Security+ can also substitute it for one year of job experience toward the Certified Information Security Manager (CISM) certification requirements, and Security+ remains our leading selection as the best recognized and the best overall entry-level information security certification currently available. To earn Security+ certification, candidates must pass a single exam.
More broadly, the entry-level credentials with the most weight are CompTIA's Security+, SANS GIAC Information Security Fundamentals Certification (GISF) and the (ISC)2's Systems Security Certified Practitioner (SSCP). It’s too early to tell if the recently introduced (February 2013) Prometic Cyber Security Fundamentals credential will join this group. The CISSP and the SANS GIAC intermediate and senior credentials remain the best bets for those seeking more than entry-level security credentials, while the Certified Ethical Hacker (CEH) is now a viable option for those interested in highlighting their current system penetration techniques and counter-hacking skills. The Certified Protection Professional (CPP), Professional Certified Investigator (PCI), Physical Security Professional (PSP) and the various CISSP concentrations are restricted to the most senior members of the security community, simply because they require five to nine years of work experience in the security field for candidates to even qualify for the exams.
Given this landscape, we recommend the following security certification ladder that individuals can start and climb at any point, depending on their current knowledge, skills and experience.
Start your security certification journey with a broad, entry-level security cert. This could be one of the following credentials, any of which will provide an excellent and thorough background in computer security theory, operations, practices and policies:
CompTIA Security+
CompTIA's Security+ certification has become the entry-level information security certification of choice for IT professionals seeking to pursue further work and knowledge in this area. That's why it's our first choice and leading recommendation at this level.
(ISC)2's Systems Security Certified Practitioner (SSCP)
The International Information Systems Security Certification Consortium is also home to the CISSP, the best-known senior-level security certification (senior-level certs are covered later in this article). If you're of a mind to go that route, the SSCP is a great way to prepare.
SANS GIAC Information Security Fundamentals Certification (GISF)
The SANS Institute is a long-standing and well-recognized powerhouse in the security industry. Likewise, its certifications continue to accrue visibility and acceptance. The GISF opens the door to other credentials in the respected SANS GIAC program.
From here, you'll be ready to tackle a premium or senior-level security certification. Most such certifications require three or more years of relevant, on-the-job experience. Many require submitting papers or research results in addition to passing exams; some also require taking specific classes. Of these, four are particularly worthy of mention, and pick up where the previous three leave off:
CompTIA Advanced Security Practitioner (CASP)
The CASP is intended as a follow-on to Security+, and recognizes IT professionals with three or more years of direct, day-to-day information security experience, with skills and knowledge to match. CASP requires continuing education for maintenance, or a re-take of the exam every three years. It costs around $200 less than the CISSP (that exam goes for between $500 and $600) but is ranked the same for a variety of Department of Defense-related IT positions, which will no doubt contribute to its future popularity.
(ISC)2's Certified Information Systems Security Professional (CISSP)
The CISSP is arguably the best-known senior-level security certification in North America. It frequently shows up in top 10 certification wish and want lists, and is often requested by name in job postings and classified ads. Those who are interested in extending their CISSP credentials should also look into its three concentrations -- Architecture (CISSP-ISSAP), Engineering (CISSP-ISSEP) and Management (CISSP-ISSMP).
SANS GIAC Security Certifications
The SANS Institute offers numerous topical specializations that extend the GISF and the GIAC Security Essentials Certification (GSEC), including firewalls, incident handling, intrusion analysis, Windows and Unix administration, information security officer and systems and network auditor certifications. This is a topical, timely and highly technical program based on outstanding training online or at SANS conferences. For those willing to acquire four of these individual credentials (two of them “gold”) and sit for a lengthy exam in two parts, moving on to the GIAC Security Engineer (GSE) certification probably makes sense.
Qualified Information Security Professional Certification
Security University's certification requires some of the best, most intense and hands-on information security training around. Highly popular with government and industry security heavies, this program is expensive, demanding and time-consuming, but it's worth the intensive investment it requires to complete.
For additional information on these certifications and more, visit the SearchSecurity.com guide to information security certifications, as well as the SearchSecurity.com vendor-neutral security certifications guide. Don't hesitate to let us know if our analysis of this landscape has missed anything. We can't claim to know, see or be able to find everything, so all feedback will be gratefully acknowledged. As always, feel free to email us with comments or questions at firstname.lastname@example.org.
About the authors:
Ed Tittel is a 30-plus year veteran of the computing industry, and has contributed to more than 100 computing books. Perhaps best known for creating the Exam Cram series of IT cert prep books in the late 1990s, Ed has contributed to 5 editions of the CISSP Study Guide, and numerous other infosec-related titles. These days, Ed blogs regularly for TechTarget, Tom’s IT Pro, and PearsonITCertification.com. Visit his website at edtittel.com.
Mary Lemons is a professional writer, editor, and content manager who has worked with Tittel for more than 15 years. She has contributed to books on markup languages and information security, and has edited and managed content for such companies as HP, Sony, Verizon, and Microsoft.
Editor's note: Contributor Kim Lindros contributed to previous versions of this article.