Making a career in IT security requires both experience and certification. Organizations are increasingly aware of the need to have top-notch infosec people and when hiring, they use security certifications as one way to screen candidates.
Of course, everyone must start somewhere, and you can bootstrap yourself into IT security as we wrote about recently. But once you set out on the InfoSec track, there are loads of certification alternatives; some difficult, some expensive, and some with great industry reputations.
We take a look at some of the most relevant IT security certifications from the perspective of how difficult they are to earn.
Difficulty is subjective, and it’s sometimes even harder to rank a certification’s difficulty because testing organizations don’t release pass rates. There is plenty of chatter and opinions about the relative difficulty or ease of obtaining IT security certifications.
1. Systems Security Certified Practitioner (SSCP)
The SSCP certification from (ISC)2 is a good entry-level security certification. You’re required to have a minimum of one year of experience in one of seven designated security areas. Then you must pass a 3-hour, 125-question, multiple-choice exam with a score of 70 percent or better. The exam is inexpensive, costing $250, and you must pay a $65 annual maintenance fee. You also must recertify every three years by earning 60 Continuing Professional Education (CPE) credits.
SSCP is seen as a relatively easy, vendor-neutral badge to obtain, and is not as highly regarded as others in our list. However, SSCP certification is one of the US Department of Defense (DOD)-approved baseline certifications for both Level I and Level II Information Assurance Technical (IAT) certifications.
2. CompTIA Security+
Our second certification is vendor-neutral and also an ideal entry-level certification. CompTIA Security+ certification covers network security, compliance and operation security, threats, and vulnerabilities, as well as application, data, and host security. Our recommended experience for this cert is two years as an IT admin, with a security focus. You’ll then need to pass a 90-minute, 90-question exam with a score of 750 or better out of 900.
The Security+ certification is also among the least expensive on this list, costing a still spendy $320 to take the exam. But CompTIA Security+ is valid for three years. You must earn 50 continuing education units (CEUs) within three years to maintain your certification. CBT Nuggets is a CompTIA partner, and many of our courses qualify for CEUs.
CompTIA Security+ is one of the DOD’s approved baselines for Level II IAT security technicians. However, many consider it too basic and lacking in product-specific knowledge, so it may be undervalued by some employers.
Despite these shortcomings, we recently recommended CompTIA Security+ as one of the four best ways to begin your security career and even recommended that you should start with Security+, even before CompTIA Network+.
3. CCNA Security
Unlike the first two certifications, CCNA Security is vendor-specific and focused on the security of Cisco networks. CCNA Security is also approved for both DOD Level I and Level II IAT baselines and carries more weight with private employers than both the SSCP and Security+ certs. As a result, CCNA Security tends to be a better “door opener” than either the SSCP or Security+.
To become CCNA Security certified, you must first have a Cisco CCENT, CCNA Routing and Switching, or CCIE certification and then pass a 90-minute, 60-70 question CCNA Security (210-260) exam.
4. White Hat Hacking
White hat hacking is focused on preventing the most common attacks and on securing systems and networks.
White hat hacking is designed to ensure a strong understanding of hacking practices including footprinting and reconnaissance, scanning networks, SQL injection, worms and viruses, DoS attacks, social engineering, and honeypots.
With the increasing number and awareness of cyber-attacks, white hat hacking resonates with many employers.
5. CompTIA Advanced Security Practitioner (CASP)
CompTIA Advanced Security Practitioner (CASP) is intended as an expert-level security certification. Although just a couple of years old, it is approved as a DOD-baseline for Level III IAT security technicians.
If you’re looking to work in a DOD/government environment, then CASP is an easier option than the Certified Information Systems Security Professional (CISSP) that comes later in our list. However, CISSP has far better name recognition — even within the government — so even if you choose CASP now, you may need to get CISSP-certified later.
Candidates for CASP are expected to have 10 or more years of IT admin experience, including five years of hands-on technical security roles. The current CASP certification exam is a 165-minute, 90-question, multiple-choice test. Candidates are passed or failed, with no grades being published.
6. GIAC GSEC
The Global Information Assurance Certification Security Essentials (GSEC) is an intermediate-level InfoSec certification that is DOD-approved for Level II IAT security technicians. Candidates are required to demonstrate an understanding of information security beyond simple terminology and concepts.
The GSEC exam is a 5-hour, 180-question, open-book exam. The exam is proctored and candidates pass with a grade of 74 percent or better. Although the exam is open book, the GSEC exam tests the candidate’s understanding and problem-solving skills with scenario-based questions. You need to really know your stuff.
Although a highly regarded certification, GSEC also is expensive. The exam costs $1,249.
The GSEC is valid for four years and can be renewed with 36 Continuing Professional Experience (CPE) credits.
Note: Although this certification is called “security essentials,” it actually also implies “networking essentials.” We recommend that you brush up on material from CCNA, CompTIA Network+, and IPv4 subnetting.
7. Certified Information Systems Security Professional (CISSP)
The Certified Information Systems Security Professional (CISSP) from (ISC)2 is arguably the current gold standard of InfoSec certifications.
It’s an advanced-level certification for IT security professionals and is recognized and valued by both industry and government employers worldwide. Like CASP, CISSP is approved as a DOD baseline for Level III IAT security technicians. That’s where the comparison ends.
CISSP certification is designed for security professionals who develop information security policies and procedures. This is the most advanced certification we’ve discussed so far, and for many candidates, it may require up to a year to prepare for the exam.
The certification exam is a 6-hour, 250-question monster. And in order to take the exam, you must prove that you have worked at least five years as a security professional, and you must subscribe to the (ISC)2 Code of Ethics.
Once you’re a CISSP, you must recertify every three years through at least 120 hours of continuing professional education, and you must pay a yearly $85 fee to maintain your certification.
CISSP basically makes you a cyber-crime investigator. It’s intensive but definitely worth it.
8. Offensive Security Certified Professional (OSCP)
The final entry on our list of the most difficult IT security certifications is the Offensive Security Certified Professional (OSCP). As the name suggests, this cert is designed for security practitioners who are involved in the penetration testing process and lifecycle.
Why is this certification difficult? Well, to even be eligible for the exam, candidates must first complete the OSCP-hosted “Penetration Testing with Kali Linux” training course. If you’re interested, Keith Barker covers some of that ground in his CBT Nuggets course Penetration Testing with Linux Tools.
The OSCP certification exam itself is a full 24-hour marathon. It’s perhaps the most arduous exam we’ve encountered. It is extremely hands-on: candidates are given connectivity instructions for an isolated network, and at the conclusion of the exam they must submit a comprehensive penetration test report on it. This certification is a true test of the candidate’s penetration testing process expertise.
There’s no question that the concern for the security of information and networks continues to drive the need for qualified — and certified — InfoSec professionals. We’ve listed eight well-known practitioner certifications that are hard to earn.
There’s no such thing as a one-size-fits-all certification plan. As you enter and progress in the expanding field of information security, you need to tailor your certification path according to your personal situation and goals, and get the right experience.
Do you have another cert that should be on our list? Do you agree with our selection and ranking of security certifications? Tell us about it.