For this update to our survey, which highlights the best vendor-neutral security certifications for achieving specific IT career goals, we added a total of 17 certifications; the counts below reflect both losses and gains across the various categories.
| Counts | May '08 | Oct '10 |
|---|---|---|
| Vendor-neutral (total) | 41 | 45 |
| Vendor-neutral: Basic | 10 | 12 |
| Vendor-neutral: Intermediate | 17 | 16 |
| Vendor-neutral: Advanced | 14 | 17 |
| Forensics & anti-hacking (total) | 21 | 24 |
| Forensics & anti-hacking: Basic | 6 | 9 |
| Forensics & anti-hacking: Intermediate | 8 | 8 |
| Forensics & anti-hacking: Advanced | 7 | 7 |
| Specialized | 8 | 10 |
| Vendor-specific (total) | 34 | 43 |
| Vendor-specific: Basic | 3 | 12 |
| Vendor-specific: Intermediate | 15 | 22 |
| Vendor-specific: Advanced | 16 | 9 |
| TOTALS | 104 | 122 |
For October 2010, the overall count of vendor-neutral certifications is 45, with another 24 in the forensics and anti-hacking category, and 10 more for specialized security certs. Once again, the count of vendor-specific certifications jumps, this time from 34 to 43. As was indicated in our vendor-specific certification analysis, it's pretty easy to decide which vendor-specific certs to pursue: Either earn those that apply to the technology your employer or customer uses, or those that have value to potential future employers or customers. Deciding what to pursue on the vendor-neutral side involves understanding where individual certs and cert programs fit in the overall scheme of coverage, but also requires comparing similar programs to decide which ones to pursue.
In fact, with about 120 certifications comprising the security certification landscape, there's obviously no shortage of options for would-be computer security experts. The question is, how do you know which certification is right for you? Here's a brief analysis of the landscape and a suggested educational path you can pick up at any point in your career.
Today, the Certified Information Systems Security Professional (CISSP), the SANS Institute's Global Information Assurance Certification (GIAC) and the ISACA Certified Information Security Manager (CISM) are probably the best known and most widely followed IT security certification programs. The number of certified individuals in these programs varies from a low of 10,000 to a high of more than 70,000 for the CISSP designation. Broader programs, such as the Certified Information Systems Auditor (CISA) or the Certified Fraud Examiner (CFE), which both cover more than strictly information security topics, have populations as large as 75,000 or more.
CompTIA's Security+ still weighs heavily on the entry-level security certification landscape as it continues to attract strong interest and participation. Today the number of Security+ certifications is more than 45,000. The Security Certified Program (SCP), EC-Council, Security University (SU) and mile2 include Security+ in some of their own certification programs. Security+ can also substitute for one year of job experience for the Certified Information Security Manager (CISM) certification, and remains our leading choice as the best recognized and, arguably, the best overall entry-level information security certification currently available. New candidates need to pass a single exam; persons holding the Security+ certification from 2002 may take the new exam or a special bridge exam to update their credential.
Thus, the entry-level credentials with the most weight are CompTIA's Security+, SANS GIAC Security Essentials Certification (GSEC) and the (ISC)2's Systems Security Certified Practitioner (SSCP). The CISSP and the SANS GIAC intermediate and senior credentials remain the best bets for those seeking more senior security credentials, with the Certified Ethical Hacker (CEH) coming on strong recently as a viable option for those interested in highlighting their penetration-testing and counter-hacking skills. The Certified Protection Professional (CPP), Professional Certified Investigator (PCI), Physical Security Professional (PSP) and the various CISSP concentrations are restricted to the most senior members of the security community, simply because they require five to nine years of work experience in the security field for candidates even to qualify for the exam.
Given this landscape, we recommend the following security certification ladder that individuals can start and climb at any point, depending on their current knowledge, skills and experience.
- Start your adventure with a broad, but still entry-level security cert. This could be one of the following credentials, any of which will provide an excellent and thorough background in computer security theory, operations, practices and policies:
  - CompTIA's Security+: CompTIA's Security+ certification has become the entry-level information security certification of choice for IT professionals seeking to pursue further work and knowledge in this area. That's why it's our first choice and leading recommendation at this level.
  - (ISC)2's Systems Security Certified Practitioner (SSCP): The International Information Systems Security Certification Consortium is also home to the CISSP, the best-known senior-level security certification (senior-level certs are covered later in this article). If you're of a mind to go that route, the SSCP is a great way to prepare.
  - SANS GIAC Security Essentials Certification (GSEC): The SANS Institute is an ongoing and well-recognized powerhouse in the security industry. Likewise, its certifications continue to accrue visibility and acceptance. The GSEC opens the door to other certifications in the SANS GIAC program.
- Finally, you'll be ready to tackle a premium or senior-level security certification. Most such certifications require three or more years of relevant, on-the-job experience. Many require submitting papers or research results in addition to passing exams; some also require taking specific classes. Of these, three are particularly worthy of mention, and pick up where the previous three leave off:
  - (ISC)2's Certified Information Systems Security Professional (CISSP): The CISSP is arguably the best-known senior-level security certification in North America. It frequently shows up in top 10 certification wish and want lists, and is often requested by name in job postings and classified ads. Those who are interested in extending their CISSP credentials should also look into its three concentrations: Architecture (CISSP-ISSAP), Engineering (CISSP-ISSEP) and Management (CISSP-ISSMP).
  - SANS GIAC Security Certifications: The SANS Institute offers numerous topical specializations that extend the GSEC, including firewalls, incident handling, intrusion analysis, Windows and Unix administration, information security officer and systems and network auditor certifications. This is a topical, timely and highly technical program based on outstanding training online or at SANS conferences. For those willing to acquire four of these individual credentials (two of them "gold") and sit for a lengthy exam in two parts, moving on to the GIAC Security Engineer (GSE) certification probably makes sense.
  - Qualified Information Security Professional Certification: Security University's certification requires some of the best, most intense and hands-on information security training around. Highly popular with government and industry security heavies, this program is expensive, demanding and time-consuming, but it's worth the intensive investment it requires to complete.
For additional information on these certifications and more, visit the SearchSecurity.com guide to information security certifications. Don't hesitate to let us know if our analysis of this landscape has missed anything. We can't claim to know, see or be able to find everything, so all feedback will be gratefully acknowledged. As always, feel free to email us with comments or questions at etittel@yahoo.com.
About the authors
Ed Tittel is a full-time freelance writer, trainer and consultant who has written more than 140 books, including his latest, the CISSP Study Guide fifth edition with J. Michael Stewart and Mike Chapple (Sybex, due out in Dec 2010/January 2011). He has been active in the computing industry for more than 20 years and has worked as a software developer, manager, writer and trainer.
Kim Lindros has more than 15 years of experience in the computer industry, from technical support specialist to network administrator to book and course content manager. She has edited and developed more than 400 IT-related books and online courses, and co-authored two certification books and numerous online articles with Ed. Kim runs Gracie Editorial, a content development company.
This was first published in October 2010