I've seen the question asked more than a few times recently about what the best information security certifications are. Some people already have one or more and are looking to expand, others are just getting started and want to know how to do so. This page will hopefully offer some help in this area. I'm going to highlight a few of the options and discuss who I think should be going for which, and why.
I'll be rating each one based on the criteria below:
*Note: I only have the Security+, CISSP, and GSEC credentials. My comments on the others are based on information I have gathered from various sources.
Difficulty - How hard the test itself is, i.e. study time needed, etc.
Who - Who should be looking at this as an option.
Respect - Technical respect rating within the infosec-geek community.
Renown - How well-known the certificate is throughout the industry.
Requirements - What's needed to get the cert, i.e. project, exam, etc.
Cost - What it'll cost you (or your company) to sit for the exam.
Pros - Positive comments about the certification.
Cons - Downsides to the certification.
Comments - My own input about the credential.
*Note: Numbers are on a scale from 1-10 (10 being the highest)
Security+
Requirements: Single Exam, +-100 Questions
Cost: $225 USD (discounts available online)
Who: This certification is for people just getting into the field. If you don't have any other certifications, and your experience/skills are still developing, this is the certification for you.
Pros: It's a fairly easy cert to get and I understand it's getting a decent amount of recognition within federal organizations. It's also a fair, solid test that asks decent questions rather than a bunch of fluff.
Cons: It's entry-level and thus not strong as a standalone bargaining chip.
SSCP (Systems Security Certified Practitioner)
Requirements: Single Exam, 125 Questions
Cost: $350 USD
Who: The SSCP is for serious, dedicated information security professionals who are not quite ready to take the CISSP exam. Only one (1) year of experience is required for this exam vs. 3-4 (depending on if you have your degree) for the CISSP.
Pros: The SSCP is administered in a very professional fashion, just like the CISSP, and it thus carries some degree of the respect that goes along with that credential. It's also from ISC2 just like the CISSP, so that helps it as well.
Cons: Unfortunately, the certification that hurts the SSCP the most is in fact its older brother - the CISSP. If you check the job boards, precious few jobs ask for the SSCP. The reasoning there is that the experience requirement for the CISSP is much of what makes it so respectable. To take that away and ask half the number of questions diminishes the SSCP to a significant degree.
Comments: If you can't show the 3-4 years experience required for the CISSP, and someone else is paying, I'd say go for the SSCP. If nothing else, it will help prepare you for the CISSP that will surely be in your future. That being said, if you want to get a truly valuable credential that doesn't require the experience, opt for the GSEC (covered below).
CISSP (Certified Information Systems Security Professional)
Requirements: Single Exam, 250 Questions
Cost: $500 USD
Who: The CISSP is for serious, dedicated information security professionals who intend to stay in the field and grow. It says to employers that you are serious about your career and are familiar with the core basics of 10 separate areas within the field.
Pros: The CISSP is without a doubt the king of certifications right now. It's the first infosec cert to receive ISO recognition - a great achievement not only for the certification itself, but also for the field as a whole. It commands a great deal of respect in many IT circles, and this can be clearly seen via job search results. It can greatly help your chances of getting high-paying jobs, and is an excellent addition to any resume. If you are only going to get one infosec cert, it should be the CISSP.
Cons: While the CISSP is undoubtedly the king of information security certifications, it suffers from being thought of as something it isn't. Many view it as proof that someone is an expert in the field, and that couldn't be farther from the truth. ISC2 has explicitly stated in the past that the test is designed to test a broad base of general knowledge, not to certify someone as a master of their field. Despite the rumors of impossibility, the exam also supports over a 70% first-time pass rate.
Comments: The CISSP is a great exam because it is not easy to take (experience in the field is required), and once you are able to take it, it's administered in a professional, controlled environment. What people fail to realize is that it's for high-level security professionals such as managers. Obviously, anyone can go for it, but it's not designed to test technical skills or the ability to actually perform in the trenches of an infosec environment. It's a broad overview, basically - a test designed to ensure that you are familiar with some concepts. It's when people lose sight of this that the confusion starts. As for the difficulty factor, I started studying for mine on a Monday and passed the exam on that Saturday - that's with zero previous exposure to the CISSP study material. A buddy of mine just got his as well, and his study consisted of around 2 weeks of passively glancing at the material while leveling his WoW character. Again, that's not to say it's not an excellent cert, it's just that the difficulty should not be overestimated.
GSEC (General Security Essentials Certification)
Requirements: Research Paper, Two 100-Question Exams
Cost: $800 USD (Cost of exam without training)
Who: The GSEC is for highly technical, serious information security professionals who actively work with infosec technology on a day-to-day basis. Those who are looking to show considerable technical knowledge over a large number of infosec subjects would be well served by attaining this credential.
Pros: The SANS organization is universally recognized as a top-notch infosec organization. Any certification from them commands a decent degree of respect.
Cons: The CISSP currently owns the majority of the spotlight in this arena. Few employers are aware of the GSEC, and even if they are, they view the CISSP as just as valuable.
Comments: The GSEC does not show expertise in a given subject; it shows that the cert-holder is technically oriented and has a wide base of infosec knowledge. No certs at this level demonstrate true mastery. One particular thing to note with this exam vs. the CISSP is that the actual exam portions are taken from home and open-book, meaning you can use anything you want during the exams. Critics rave that this makes the exam less respectable than the CISSP since the CISSP is taken under supervision and no study materials may be used. I argue that precisely the opposite is true. Infosec professionals are not databases. We don't pride ourselves on not having to consult external resources when solving problems; in fact, we do it constantly. To imply that an exam that tests your ability to solve problems in precisely this fashion is somehow less respectable is, in my view, a grave mistake. The GSEC exam structure represents the real world - you're faced with a difficult problem, you find the answer and solve it. You don't see consultants losing contracts because they had to Google for solutions that saved their clients money. Ultimately this debate comes down to an old argument: hands-on vs. academic. When evaluating someone that's supposed to have the actual know-how to solve infosec problems in the real world, there's no doubt in my mind that the average manager is going to prefer the former.
GCFW, GCIA, GCUX, GCIH
Requirements: Research Paper, One Or More Exams
Cost: $800 USD (Cost of exam without training)
Who: These various SANS certs are the mid-level offerings from the organization. They are more in-depth and difficult than the GSEC, and they focus on one area specifically. GCFW is for firewalls and VPNs, GCIA is for IDS/IPS, GCUX is for Unix security, and GCIH is for incident handling. These are just a few of those that are offered, and they are geared towards veteran infosec professionals who have already specialized in an area. If you fit this bill, I'd say that pursuing one of these certifications would be ideal.
Pros: The SANS organization is universally recognized as a top-notch infosec organization. Any certification from them commands a decent degree of respect, and these specialized certs say to an employer or client that you are truly proficient at what you do.
Cons: There are very few holders of these more advanced certifications, and as such many employers may ask questions like, "Is that like a CISSP? Is that the same as a GSEC?" The good news is that it should be fairly easy to explain the situation to them.
Comments: These certifications do show some degree of mastery of a subject. It doesn't mean that everyone with one is great, or that those who don't have it aren't. It does mean, however, that the odds of someone with one of these certifications being a good fit for a job in that area are extremely high. Think of these as more difficult, more focused GSECs.
CISA (Certified Information Systems Auditor)
Difficulty: 5-6 ?
Requirements: Single Exam
Who: The CISA credential is ideal for anyone already doing, or looking at getting into information security auditing.
Pros: The credential is highly recognized and sports even more hits than the CISSP in monster.com and other job searches. It's highly sought after due to the onslaught of regulation hitting the infosec industry as a whole.
Cons: Again, many jobs that request CISA will also take a CISSP. Certain jobs ask for CISA specifically, but most are just looking for this "class" of cert, and will accept a CISSP in its place.
Comments: This area (auditing) is growing like mad. Due to SOX and other new legislation, this will do nothing but continue to accelerate. Adding a CISA to your resume is definitely a good move.
CEH (Certified Ethical Hacker)
Requirements: Single Exam, +-100 Questions
Cost: $250 USD (discounts available online)
Who: This certification is for those who want to prove that they have the skills to perform some of the more offense-oriented infosec activities, i.e. break into systems.
Pros: It's an easy certification to get and you get to brush up on a few interesting tools while studying for it.
Cons: The cons for the CEH exam are legion. First of all, it's designed to show competence in perhaps the most advanced branch of information security - pentesting. To even imply that learning some command options on a set of tools will make someone a pentester is scandalous. Furthermore, and more to the point, the certification is not really respected to any significant degree. Anyone who's looking for a pentester and has an idea of what one is, is actually likely to think less of someone who mentions that they have this cert. In other words, anyone who claims to have skills based on the fact that they hold this credential probably doesn't.
GSE (GIAC Security Expert)
Requirements: You must currently have five (5) GIAC certs (one of which must be with honors), and then pass the GSE exam.
Who: The GSE is something to be pursued by those who have literally mastered a number of areas within information security, and have superior talent.
Pros: If you encounter anyone who knows what all the exam involves, you'll earn some instant respect.
Cons: You aren't likely to find any of those people.
Comments: The GSE credential is the final destination for anyone pursuing certification within information security. It's a goal in and of itself to me since I don't see someone with the skills to attain it hurting for a job or having trouble getting raises.
Let me try and break it down the way I see it. If you are just getting into security and you don't have much experience with networking and such, get a job where you can work with computers and start pursuing your CCNA. Study, practice, learn everything you can pertaining to operating systems, networking, and security. Once you feel your skills are fairly strong in the security realm, start studying for and take the Security+ exam.
If you have been in networking and/or security for a while now (4 years or so), and you feel your skills are pretty strong, you should be looking at the CISSP. Ignore people who say it's too easy or that it doesn't mean much; it doesn't matter. The fact of the matter is that it's more beneficial to have a CISSP right now than any other cert in its class.
After getting your CISSP, and if you're a technical person, I suggest you look at the GSEC. It's the perfect complement to the CISSP. The CISSP covers the 10 domains from a manager/bird's-eye view, and the GSEC gets down to some technical detail within the same areas of study - policy, encryption, etc.
Another option once you have your CISSP is to go for the CISA instead. If you're more of a manager anyway, and/or looking to head that way, then it may not be necessary to show technical prowess. If that's the case then opt for the CISA instead of the GSEC. The certification is absolutely on fire right now, and the odds are good that with a solid resume and a CISSP/CISA combination you could command around $90K/U.S. fairly easily.
If you have been in infosec for a long time, i.e. 5-10 years or more, and you are a geek at the core, start knocking down SANS certs, being aware of the fact that you need honors for one of the 5 that are required for the GSE. To me, the GSE is a major accomplishment in its own right, and I don't really see it being a money-maker. In my view, anyone who can get a GSE already pulls a healthy check anyway.
When trying to measure how popular a credential is, remember to look to the source. Mine the resume sites for hits on the certs you're looking to get. If you don't get a ton of hits for the one you're considering, think about going with a different one. Remember, certifications are for other people's perception of you, and as such, the weight that those "other people" give a given credential is what matters most.
I hope this short summary of my thoughts on these credentials has been helpful. Feel free to contact me if I have made any errors, if there is something you think I should add, or if you just want to comment on anything said.