Problem solve Get help with specific problems with your technologies, process and projects.

Intermediate-level security certifications

In this security management Ask the Expert Q&A, certification specialist Shon Harris provides an overview of intermediate-level security certifications.

Other than the CISSP, CISA and CISM, what is the most useful, hands-on, intermediate-level security certification that's also applicable to the real world?
While most people understand the benefits of the widely accepted and known certifications, CISSP and CISA, they still get confused when examining other available certifications. Additionally, while some certification exams are useful, unfortunately many are not. The fact that there isn't a committee to qualify the existing exams, a holistic certification roadmap to follow, and that many exams are created by training companies looking to sell more training sessions, leave people unsure how to properly advance their knowledgebase and careers.

At this time, SANS has the best process and exams. They have mature curriculum, some of the best instructors in the industry and difficult practical exams. In addition, these certifications are currently more recognizable than many of the other industry certifications. However, SANS does have a couple of drawbacks:

  1. SANS is proprietary. If you want to take an exam, you must enroll in their training program.

  2. Their practical exams are difficult and time-consuming. While SANS offers numerous exams, only approximately 10,000 people have been certified -- mainly due to the difficulty of the exams.

When researching types of certifications, consider what you want to accomplish. CISSP is a broad exam that provides a good foundation for anyone in the security sector. More people are taking the Certified Information Systems Auditor (CISA) exam, because of the increased government regulations affecting organizations. However, even if you are not and do not want to be an auditor, I recommend taking this exam, because at some point in your career, you'll need to pass audit evaluations and it would be beneficial to understand the auditing process.

Now that we've examined the benefits of the more recognizable certifications, here's an overview of some others:

  • CompTIA has an entry-level security exam called, Security+. It does not hold a lot of value in the market, but it is a good place to start if you're new to security.

  • If you are a networking professional, you may want to look at Microsoft and/or Cisco's security certifications.

  • If you're a forensics professional, look into taking the Certified Computer Examiner (CCE) exam. It's currently the most recognized and respected exam because of its practicality and hands-on approach. Since EnCase is the most popular tool used in forensics, it's beneficial to achieve their certification.

  • If you want to be a wireless security professional, look into the CWNP series. You can find information about these at http://www.cwnp.com.

  • If you're a government contractor, in the military or work for a government agency, I suggest you look into (ISC)2's ISSEP and their new CAP exam. The CAP is specific to DoD certifications and accreditation requirements.

Although you can benefit from ISC(2)'s SSCP and CISSP concentrations (ISSAP, ISSMP), TruSecure's TICSA or TICSE, and other certifications offered by various training companies, they're not accepted by the industry. Therefore, most employers do not recognize them, so they will not necessarily help with job advancement.

Overall, the CISSP and CISA are useful to almost anyone in the security sector. From there you will need to specialize. There are certification exams that cover broad topics, but they are not as recognized as the CISSP and CISA certifications and overlap in material.

More Information:

  • Learn why it pays to be a security professional.

  • Learn how to break into security.

This was last published in January 2006

Dig Deeper on Information security certifications, training and jobs