Information security certifications, like any IT certifications, can be a magnet for controversy based on whether they provide meaningful data about the certification holders, or whether they are simply a distraction from attaining -- and demonstrating -- top security skills. The challenge for information security novices can be even greater due to the wide variety of certifications, as well as the increasing number of certifications offered in specialties and sub-specialties.
This series comprehensively reviews the current state of information security certifications, highlighting which are best for achieving goals specific to an information security career path. The series is a companion to three other articles that cover the vendor-specific information security certification landscape, vendor-neutral certification career paths and cloud security certifications in detail.
As the table below shows, the number and diversity of information security certifications continue to grow. In just two years, the overall number of certifications covered here has grown by almost 17%, so it is becoming easier than ever to find a suitable certification. While some certifications have been discontinued, 19 credentials have been added, and some certifications have been moved to new categories to more accurately classify them.
The information security certifications space continues to evolve and expand, and some new introductory certifications worth watching over the next few years include the CyberSec First Responder (CFR) by Logical Operations Corp. and the Cybersecurity Nexus Practitioner (CSX-P) by Information Systems Audit and Control Association (ISACA), profiled below.
Some other new and notable certifications covered in the second part of this series, on intermediate certifications, include the CompTIA Cybersecurity Analyst certification, and two new EC-Council certs: the EC-Council Certified Network Defender and the EC-Council Certified Encryption Specialist.
Part three covers advanced certifications, part four includes certifications for forensics and antihacking and part five covers more specialized cybersecurity certifications.
The sheer number of credentials can make navigating the information security certification landscape a dizzying experience. Simply identifying and differentiating among the vast array of offerings can be time-consuming and overwhelming, never mind determining which certification best fits your needs.
This SearchSecurity series covering information security certifications provides a comprehensive overview of the many information security certification options currently available. It's intended for anyone looking to get on the information security certification path, whether they are starting up the information security career ladder or already have security experience and wish to hone their skills in some specialized area.
Consider this series a reference to the most sought-after certifications. Part one of this series outlines basic information security certifications for introductory-level professionals.
Editor's note: All entries are listed in alphabetical order according to certification title.
General information security: Basic
Brainbench Inc. basic security certifications
Brainbench offers several basic-level information security certifications, each requiring the candidate to pass one exam. Examples of these certifications include:
- Firewall Administration Concepts;
- Information Technology Security Fundamentals;
- Internet Security;
- Information Technology Association of America Information Security Awareness;
- Network Authentication; and
- Network Security.
Mile2 Certified Disaster Recovery Engineer (CDRE)
This credential, from Iowa-based training company Mile2, recognizes individuals with foundational knowledge of disaster recovery (DR) and business continuity (BC) planning methodologies. A CDRE recipient recognizes real-world risks and vulnerabilities to an IT infrastructure, understands how to safeguard assets against threats, and can write DR and BC plans and policies. Candidates must have at least one year of information systems management experience.
The CDRE is recognized by the National Security Agency (NSA) as meeting the requirements for "CNSS-4016: National Information Assurance Training Standards for Risk Analyst and the Risk Management Framework (RMF)."
Mile2 Certified Professional Ethical Hacker (CPEH)
The CPEH is a foundation-level information security certification in the Mile2 lineup of penetration testing credentials. Candidates for the CPEH certification are expected to understand how to perform vulnerability assessments, how malware functions and the types of countermeasures to put in place to prevent attacks. The credential is structured around a five-day online course, and candidates must pass one exam to achieve certification.
Mile2 Certified Vulnerability Assessor (CVA)
The CVA is for ethical hackers, IT engineers, security analysts and the like who are tasked with assessing an organization's security posture. A CVA recipient should be able to use a variety of common vulnerability assessment tools to identify malware and viruses and must be able to interpret the results of scans. Candidates must pass a single exam to achieve certification.
The associated course is accredited by the NSA CNSS 4011-4016 training standard and is on the FBI Cyber Security Certification Requirement approved list.
Prometric Cyber Security Essentials
This credential is designed to compete directly against the CompTIA Security+ information security certification. The areas that the Cyber Security Essentials credential covers include general information security, application security, governance and compliance, operational security, network security, physical security, environmental security, and vulnerability management.
ISACA Cybersecurity Nexus Practitioner
The CSX-P certification is an ISACA credential aimed at first responders to security incidents. Professionals holding a CSX-P must know how to work with firewalls, patch systems, respond to antivirus alerts and implement security controls. Response techniques include performing vulnerability scans and analyzing threat and breach data.
Candidates must pass a four-hour performance-based exam, adhere to ISACA's code of ethics, and comply with continuing education and retesting policies. The certification must be renewed every three years.
GIAC Information Security Fundamentals Certification (GISF)
This certification is the introductory part of the Global Information Assurance Certification (GIAC) program. The GISF certifies individuals with foundational knowledge of information assurance, such as risk management, defense-in-depth techniques, security policies, disaster recovery and business continuity. No training or prerequisites are required. Candidates must pass one exam, and the certification is valid for four years.
CompTIA Security+ certification
This certification validates knowledge and skills related to security fundamentals, security concepts and theory, and best operational practices. In addition to functioning as a stand-alone exam for CompTIA, the Security+ certification is required for some IBM certs, such as the IBM Certified Advanced Deployment Professional -- IBM Service Management Security and Compliance V5.
Some companies, including Apple and Dell, have incorporated the Security+ information security certification into their training programs or require job candidates to gain the certification, and the U.S. Department of Defense accepts the Security+ credential to meet Directive 8570.01-M requirements.
There are no prerequisites, but CompTIA recommends that candidates obtain the Network+ certification and have at least two years of IT administration experience before attempting the Security+ credential.
(ISC)² Inc. Systems Security Certified Practitioner (SSCP)
The International Information System Security Certification Consortium, or (ISC)², offers this entry-level certification as a precursor credential to its Certified Information Systems Security Professional (CISSP) certification.
The SSCP exam covers seven domains in the Common Body of Knowledge (CBK), with the exam focusing more on the network and administration aspects of information security that are germane to the duties of a day-to-day security administrator, as opposed to the issues of information policy implementation, architecture design and application development security that senior IT security professionals are more likely to handle.
Candidates must have at least one year of experience in one or more of the seven SSCP CBK domains. (ISC)² offers the Associate of (ISC)² credential for candidates who pass the Certified Authorization Professional, Certified Cyber Forensics Professional, Certified Cloud Security Professional, CISSP, Certified Secure Software Lifecycle Professional, HealthCare Information Security and Privacy Practitioner or SSCP exam, but who do not yet meet the experience requirement.
About the author:
Ed Tittel is a 30-plus year IT veteran who's worked as a developer, networking consultant, technical trainer, writer and expert witness. Perhaps best known for creating the Exam Cram series, he has contributed to more than 100 books on many computing topics, including titles on information security, Windows OSes and HTML.