IT security certifications are a great way to get noticed and boost your career, but they're not enough to stand alone, nor do they mean that you’ll be ready for every security issue that comes along.
"The certification debate rages on," said Jason Kent, CTO at AsTech. "On the one hand, there are plenty of skilled professionals that I would say are experts and have no certifications. On the other hand, there are plenty of very good folks with many certifications."
Security certifications show basic knowledge levels and often indicate the person's true interests. There are many cyber security certifications, notes Joseph Carson, chief security scientist at Thycotic, "but it really comes down to what skillset or direction the individual wants to go. Certifications range from penetration testers, government/industry regulatory compliance, ethical hacking to industry knowledge. Some certifications are entry-level and some require several years of experience with peer references before getting certified."
Here then are 9 top IT security certifications:
- CompTIA Security+
- Certified Information Systems Security Professional (CISSP)
- Certified Ethical Hacker (CEH)
- Global Information Assurance Certification (GIAC)
- GSEC Certification
- GSE (GIAC Security Expert)
- Systems Security Certified Practitioner (SSCP)
- Certified Information Systems Auditor (CISA)
- Certified Information Systems Manager (CISM)
Choosing the right IT security certification
IT security certifications are a way to ensure continuous education, which is important in an ever-changing threat landscape. But which certification is right for your interests, skills, and career goals?
If someone has no certifications and wants to learn about security, Security+ from CompTIA is a great place to start, said Kent. "This crosses several domains and is a basic introduction to security. I don't know that anyone has been hired for this certification, but, as I said, it's a great start."
After that, there are so many domains of security it’s become necessary to specialize. For example, to best protect corporate infrastructure or to work with government, GIAC certifications would be a good focus. The "professional" level certifications are often coveted and held by many luminaries in the industry.
CISSP is the best-known security credential. It starts with a five-year professional working requirement; you must work in the field and gain some expertise. CISSP has a rigorous test that covers many aspects of security, which is one reason this tends to be the last certification that security professionals go for.
Security+ is an entry-level certification sponsored by CompTIA. Requirements include a minimum of two years of experience in IT with a security emphasis. The exam is 90 minutes long, with a maximum of 90 questions, and covers network security, compliance, threats and vulnerabilities, and application and data security. A score of 750 or above is necessary to pass. The certification is approved by the Department of Defense. Cost is $320 (all prices are in U.S. dollars).
The Certified Information Systems Security Professional (CISSP) certification is offered by (ISC)2 and is one of the more advanced certifications available. It covers eight domains of the common body of knowledge (CBK): Security and Risk Management; Asset Security; Security Engineering; Communications and Network Security; Identity and Access Management; Security Assessment and Testing; Security Operations; and Software Development Security. CISSP is one of the most widely recognized certifications in the industry. Requirements include a minimum of five years of experience in at least two CBK domains or four years of experience in two CBK domains and a college degree. Exam time is six hours with 250 questions. A score of 700 out of 1000 points is needed to pass. Cost is $599.
Certified Ethical Hacker (CEH) is an intermediate-level certification offered by the International Council of E-Commerce Consultants (EC-Council). As Micro Focus security researcher Simon Puleo said about this credential, "As a CEH, I feel this is an important certification because it sheds light on the tools and methods of the dark side of security, specifically malicious hackers. It is a difficult certification as it is highly technical, but I think that it is worthwhile for everyone in the industry to take on a 'think like a bad guy' perspective, as only then will they come to see where vulnerabilities exist." Requirements include either taking the recommended training course that concludes with the exam or proof of at least two years of work experience and self-study. Exam time is four hours with 125 questions. Cost is at least $500 with an extra $100 for self-study participants. Credentials need to be renewed regularly.
The Global Information Assurance Certification (GIAC) offers a variety of certification areas, including penetration testing, incident response and forensics, cyber defense, and industrial control systems, and each area has its own certification offerings. "GIAC certifies individuals who are working for or looking to work with the U.S. Government," said Puleo. "Many cybersecurity jobs that involve working directly for the US government or with a third-party contractor require different GIAC certifications." The certifications remain valid for four years, with the renewal process beginning after two years. Requirements include extensive experience in a subject area; you are given a four-month study period to prepare. Exam time depends on the type of certification; all are open-book exams, but no computers or internet access are allowed. Costs range from $1249 for a GIAC Certification Attempt to $399 for a certification renewal.
The GIAC Security Essentials Certification (GSEC) is an entry-level offering for IT professionals who want to show they are qualified to handle cyber security duties. Requirements include a demonstration of cyber security knowledge beyond basic terminologies; otherwise, there are no job experience requirements necessary. Exam time is five hours with 180 questions. A score of 74 percent is necessary to pass. Cost is $1249.
GIAC Security Expert (GSE) is one of the most respected certifications in the cyber security industry. Cyber security professionals who are certified with GSE are highly trained and highly technical professionals who are involved in hands-on security work on a daily basis. Requirements include all-around knowledge and skill in cyber security, experience in intrusion detection and incident handling, and the GSEC, GCIH, and GCIA certifications with two gold certifications. The exam has two parts: a multiple-choice test and a hands-on lab component. You must successfully complete the written test portion before moving on to the lab section. Cost for the written exam is $429; cost for the lab is $2,199.
Systems Security Certified Practitioner (SSCP) is a mid-level certification offered by (ISC)2 and a stepping stone to the CISSP. Requirements include technical skills and hands-on experience in cyber security. The certification shows the ability to handle duties such as security testing, incident response and authentication. Exam time is three hours with 125 questions. A score of 700 out of 1000 points is necessary to pass. Cost is $250.
Certified Information Systems Auditor (CISA) is a high-level certification offered by the Information Systems Audit and Control Association (ISACA) for those who are responsible for information systems control and monitoring. Auditors are certified with CISA. Requirements include five years of experience as a cyber security professional. Exam time is four hours with 200 questions. A score of 450 on a 200-800 point scale is necessary to pass. Cost is $575 for ISACA members and $760 for non-members.
Certified Information Systems Manager (CISM) is a high-level certification offered by ISACA and aimed at those who are working in or toward a security management position. Requirements include five years of experience in cyber security and three years of security management. Exam time is four hours with 200 questions. A score of 450 on a 200-800 point scale is necessary to pass. Cost is $575 for ISACA members and $760 for non-members.
Advice for aspiring security experts
This is only a sampling of the better known cyber security certifications available. As you get through the top-level certifications, you will find opportunities to become certified at more granular levels.
"I'm happy to see more specific industry security certifications out there, like CISA for systems auditing and controls," said Jeannie Warner, security strategist at WhiteHat Security. "Ditto the CHP/CSCS/CHSP certs for the healthcare industry. I look forward to seeing more certifications coming out of the AppSec sector, especially for developers."
While certifications are useful, they don't automatically make you an expert network defender. You have to understand security at a practical level. But becoming certified certainly doesn’t hurt, and it does show proficiency.
As Rick Howard, CSO with Palo Alto Networks, stated, "My advice for anybody that asks me which certifications they should get is this: Find a certification in a subject that you wish to learn about. If you are going to study the subject anyway, you might as well get a certification out of it."