Security Certification Guide
This special report highlights the best vendor-neutral security industry certifications for achieving goals specific to your information security career path. It's a companion to three other surveys, which cover an intro to security certifications (aka the vendor-neutral survey), vendor-specific security certifications and popular cloud security certifications in detail.
The following table summarizes the certification counts in the vendor-neutral survey. Although we added 10 new vendor-neutral certifications since 2013, we also removed several retired credentials and recategorized a few others. In the end, the overall count increased by six certifications.
With nearly 130 certifications covered in our vendor-neutral, vendor-specific and cloud security surveys, there's obviously no shortage of options. The question is, how do you know which certification is right for your career path? This article provides a brief analysis of the vendor-neutral landscape and suggested educational options for your information security career path that you can pursue at any point in your career.
Today, (ISC)2's Certified Information Systems Security Professional (CISSP), SANS Institute's Global Information Assurance Certification (GIAC) and the ISACA Certified Information Security Manager (CISM) are the best-known and most widely followed IT security certification programs. That said, the CompTIA Advanced Security Practitioner (CASP) is included in the U.S. Department of Defense Directive 8570.01-M, which means that credential is bound to be extremely popular with government employees and government contractors alike. The number of certified individuals in these programs varies; some have fewer than 10,000 certified members, while there are now more than 93,000 individuals worldwide who hold the CISSP designation. Broader programs, such as the Certified Information Systems Auditor (CISA) and the Certified Fraud Examiner (CFE), which both cover more than strictly information security topics, have populations that number 109,000 and nearly 45,000, respectively.
CompTIA's Security+ still weighs heavily among the entry-level certs as it continues to attract strong interest and participation. Today, the number of Security+ certifications tops 284,000. IBM and Security University (SU) include Security+ in some of their own certification programs, and the U.S. Department of Defense accepts Security+ to meet its most basic information assurance (IA) certification requirements. Holders of Security+ can also substitute it for one year of job experience toward the CISM certification requirements. Security+ remains our leading selection as the best recognized and the best overall entry-level information security certification currently available. To earn Security+ certification, candidates must pass a single exam.
More broadly, the entry-level credentials with the most weight are CompTIA's Security+, SANS GIAC Information Security Fundamentals Certification (GISF) and the (ISC)2's Systems Security Certified Practitioner (SSCP). Keep your eye on the Prometric Cyber Security Fundamentals credential, introduced in February 2013, which could eventually join this group. The CISSP, the CISM and the SANS GIAC intermediate and senior credentials remain the best bets for those seeking more than entry-level security credentials, while the Certified Ethical Hacker (CEH) is now a viable option for those interested in highlighting their current system penetration techniques and counter-hacking skills. The Certified Protection Professional (CPP), Professional Certified Investigator (PCI), Physical Security Professional (PSP) and the various CISSP concentrations are restricted to the most senior members of the security community, simply because they require five to nine years of work experience in the security field for candidates to even qualify for the exams.
There have been some interesting changes to the requirements for individuals who wish to work in information security for any arm of the U.S. government, branch of the U.S. military or contractor that supplies workers and/or services into those markets. In this realm, IA means more or less the same as what computer scientists -- and your humble authors -- often refer to as information security. This is also a world where the word "qualification" means that individuals have obtained the clearance and competence documents necessary to fill IA job roles, and have met certification and hands-on requirements to demonstrate their skills, abilities and real-world performance. Thus, when you see the word "qualified" in some infosec or IA certification names, you must understand that this speaks to a hands-on orientation and testing that includes performance-based methods in its scope and coverage.
Given this landscape, we recommend the following security certification ladder that individuals can start and climb at any point, depending on their current knowledge, skills and experience.
Start your security certification journey with a broad, entry-level security cert. This could be one of the following credentials, any of which will provide an excellent and thorough background in computer security theory, operations, practices and policies:
CompTIA Security+
CompTIA's Security+ certification has become the entry-level information security certification of choice for IT professionals seeking to pursue further work and knowledge in this area. That's why it's our first choice and leading recommendation at this level.
(ISC)² Systems Security Certified Practitioner (SSCP)
The International Information Systems Security Certification Consortium is also home to the CISSP, the best-known senior-level security certification (senior-level certs are covered later in this article). If you're of a mind to go that route, the SSCP is a great way to prepare.
Those interested in pursuing the SSCP need to possess at least one year of experience in one or more of the seven SSCP Common Body of Knowledge domains. Candidates must also pass an exam to obtain the credential. Those who do not yet meet the experience requirement may choose to first obtain the Associate of (ISC)2 certification, which is available to any candidate who passes the CAP, CCFP, CISSP, CSSLP, HCISPP or SSCP exam.
SANS GIAC Information Security Fundamentals Certification (GISF)
The SANS Institute is a long-standing and well-recognized powerhouse in the security industry. Likewise, its GIAC certifications continue to accrue visibility and acceptance. The GISF opens the door to other credentials in the respected SANS GIAC program. Since the GISF is an entry-level credential, there are no prerequisites; candidates need only pass a single exam to obtain the credential.
From here, practitioners can tackle a premium or senior-level security certification. Most such certifications require three or more years of relevant, on-the-job experience. Many also require submitting papers or research results in addition to passing exams, as well as taking specific classes. Of these, four are particularly worthy of mention, and pick up where the previous three leave off:
CompTIA Advanced Security Practitioner (CASP)
The CASP is intended as a follow-on to Security+, recognizing IT professionals with three or more years of direct, day-to-day information security experience and the skills and knowledge to match. The CASP requires continuing education for maintenance or a re-take of the exam every three years. It costs around $390, which is less than the CISSP, but it is ranked the same for a variety of Department of Defense-related IT positions, which will no doubt contribute to its future popularity. CompTIA announced an update to the CASP certification exam in February 2015 that includes new questions about contemporary threats as well as troubleshooting processes related to data, endpoint and network security.
(ISC)² Certified Information Systems Security Professional (CISSP)
The CISSP is arguably the best-known senior-level security certification in North America. It frequently shows up in top 10 certification wish and want lists, and it is often requested by name in job postings and classified ads. Those who are interested in extending their CISSP credentials should also look into its three concentrations -- Architecture (CISSP-ISSAP), Engineering (CISSP-ISSEP) and Management (CISSP-ISSMP). The CISSP exam costs $599 with an additional fee of $399 for each of the three specialty concentration areas.
Candidates without a college degree must possess at least five years of paid professional experience to qualify for the credential; degreed individuals only need four years of paid experience. A waiver for one year of experience may be obtained (approval required) if the candidate possesses an (ISC)2 credential from an approved (ISC)2 list.
SANS GIAC Security Certifications
SANS Global Information Assurance Certification offers numerous topical specializations that extend the GISF and the GIAC Security Essentials Certification (GSEC), including firewalls, incident handling, intrusion analysis, Windows and Unix administration, information security officer and systems and network auditor certifications. This is a topical, timely and highly technical program based on outstanding training online or at SANS conferences. For those willing to acquire four of these individual credentials (two of them "gold") and sit for a lengthy exam in two parts, moving on to the GIAC Security Engineer (GSE) certification probably makes sense.
Qualified Information Security Professional Certification
Security University's certification requires some of the best, most intense and hands-on information security training around. Highly popular with government and industry security heavies, this program is expensive, demanding and time-consuming, but it's worth the intensive investment it requires to complete.
Don't hesitate to let us know if our analysis of this landscape has missed anything. We can't claim to know, see or be able to find everything, so all feedback will be gratefully acknowledged. As always, feel free to email us with comments or questions.
About the Authors:
Ed Tittel is a 30-plus year IT veteran who's worked as a developer, networking consultant, technical trainer, writer and expert witness. Perhaps best known for creating the Exam Cram series, Ed has contributed to more than 140 books on many computing topics, including titles on information security, Windows OSes and HTML. Ed also blogs regularly for TechTarget (Windows Enterprise Desktop), Tom's IT Pro, GoCertify and PearsonITCertification.
Mary Kyle is a full-time freelance writer, editor and project manager based in Austin, TX. A former IBMer, Mary has over 10 years of project management experience in IT, software development and IT-related legal issues.