
8 Most Difficult IT Security Certifications

Updated on June 13, 2024

Once you set out on the infosec track, you have many certification options. Some are relatively easy, and others are notoriously difficult.

We recognize that exam difficulty is a sliding scale. It all depends on how much you know, how much you study, and the amount of hands-on experience you bring to the exam. Some people breeze right through advanced security certs, while others may find them quite challenging.

It's even harder to rank a certification's difficulty because testing organizations don't necessarily release pass rates. 

However, there's plenty of chatter about the relative difficulty or ease of obtaining IT security certifications. Based on those opinions and input from industry experts, here's our updated list of the eight most difficult IT security certifications.

8. AWS Certified Security – Specialty

Our list has been updated to include the AWS Certified Security - Specialty certification. For cloud security professionals, this is a well-rounded credential because it focuses on security aspects within the Amazon Web Services cloud environment, like the shared responsibility model, data protection, and secure internet protocols. It also includes identity and access management, incident response, and infrastructure security.

The exam, which lasts 170 minutes, has 65 multiple-choice and multiple-response questions. Participants should have a minimum of five years' experience designing and implementing IT security solutions and two years' experience securing Amazon Web Services applications and services.

There are no prerequisites, but most people who attempt this exam usually already have AWS Certified Solutions Architect - Associate and/or AWS Certified Solutions Architect - Professional certifications.

These exams establish fundamental knowledge and help you build a better understanding of AWS concepts before attempting the AWS Certified Security - Specialty cert. The latest exam update also addresses the most common FAQs; you can find that link here.

The experience requirements, together with the recommended foundation certifications that most candidates already hold when attempting this cert, make it quite tough to attain. However, once certified, you will add value to any organization that relies on AWS services to operate, and your experience in securing these vital systems will be in demand for many years to come.

7. CompTIA Advanced Security Practitioner (CASP+)

The CASP+ certification is intended for advanced-level cybersecurity professionals and covers enterprise security, risk management, and other complex topics. It is a recognized alternative to the CISSP for certain Department of Defense roles, specifically for Level II and Level III IAT roles.

The exam has a maximum of 90 questions and a test duration of 165 minutes. It covers four domains: Security Architecture (29%), Security Operations (30%), Security Engineering and Cryptography (26%), and Governance, Risk, and Compliance (15%).

The exam material covers a wide range of topics, from risk management and enterprise security architecture and operations to integrating enterprise security solutions and research and collaboration, making it a comprehensive exam with a lot of high-level information for candidates to work through.

Check out CompTIA's exam objective download page to get a full PDF of the CASP+ exam objectives, as well as those for other certifications. (You will have to supply your name and an email address to access the download.)

6. GIAC Certified Incident Handler (GCIH)

The GCIH certification emphasizes incident handling and response skills, which are crucial in the current cybersecurity landscape due to the increasing frequency and sophistication of cyber threats. It is an intermediate-level certification that tests the candidate's understanding and problem-solving skills with scenario-based questions.

It covers incident handling, computer crime investigation methodologies, and computer and networking exploits. You’ll learn about hacker tools such as Nmap, Metasploit, and Netcat to understand the basics of common hacks and how they are carried out. This knowledge serves as a foundation for incident response in cybersecurity and teaches you how to handle incidents as they unfold.

It is an excellent certification for anyone who works on the frontline of cybersecurity and is beneficial to anyone who handles incidents or is exposed to them during the course of their work, such as system admins, security experts, security architects, or anyone who is part of a first response team in cybersecurity.

The exam consists of 106 questions and takes four hours to complete, with a minimum passing score of 70%. Read the full exam requirements here for the most current information.

5. Certified Information Security Manager (CISM)

The CISM certification focuses on the management and governance aspects of information security. Passing the CISM requires five years of relevant experience in information security, with a minimum of three years in information security management in at least three of the four CISM domains. This ensures a high level of practical understanding of this complex subject. 

The exam’s four domains are Information Security Governance (17%), Information Security Risk Management (20%), Information Security Program (33%), and Incident Management (30%). You are given four hours to complete 150 multiple-choice questions. The exam uses a common scale scoring system out of 800, and you must achieve at least 450 to pass.

If successful, the certification shows that you have the skills and knowledge needed to assess risk, implement governance solutions in cybersecurity, and run proactive incident response. As this certification is aimed at managerial positions, it does not cover the same depth of content as a pure cybersecurity certification or a cybersecurity auditor certification like the CISA.

The CISM is a valuable certification that is tough to prepare for, which lands it on our toughest IT certs list.

4. Certified Information Systems Security Professional (CISSP)

As far as infosec certifications are concerned, the Certified Information Systems Security Professional (CISSP) from (ISC)2 is arguably the gold standard.

IT security professionals worldwide value this advanced-level certification, which is recognized by both industry and government employers. Like CASP+, CISSP is approved as a DoD baseline for Level III IAT security technicians. That's where the comparison ends.

CISSP certification is designed for security professionals who develop information security policies and procedures. The CISSP is the most advanced certification we've discussed so far, and for many candidates, it may require up to a year to prepare for the exam.

The certification exam is a 3-hour computerized adaptive test that varies from 100 to 150 questions. To pass, you will need to achieve 700 out of 1000 points. To take the exam, you must prove that you have worked for at least five years as a security professional. That's important: (ISC)2 has fairly strict requirements for counting security experience. There's a little wiggle room in the five-year requirement if you hold a four-year degree, but it has to be the right type of experience.

Without the requisite experience, you can pass the exam, but you'll remain an (ISC)2 Associate until you reach the minimum number of years. And not all experience is counted.

You must also be endorsed by an (ISC)2 sponsor. If you don't have a sponsor, you'll need to perform a couple of extra steps to be endorsed by (ISC)2.

The process of becoming a CISSP is not straightforward. To maintain your CISSP certification, you must complete 120 hours of continuing professional education every three years, and pay $135 a year.

It's intensive, but definitely worth it.

3. CCIE Security

The Cisco Certified Internetwork Expert (CCIE) Security certification is highly regarded for its rigorous process, which includes a challenging 8-hour lab exam. Only around 4,000 professionals worldwide hold CCIE Security, making it highly prestigious and recognized for its difficulty.

To obtain this certification, candidates must pass the qualifying 2-hour exam, Implementing and Operating Cisco Security Core Technologies (SCOR 350-701), and then pass the 8-hour lab exam. 

2. Offensive Security Certified Professional (OSCP)

The OSCP is known for its intensive practical exam, where candidates must demonstrate their penetration testing skills in a virtual environment. The exam duration is 23 hours and 45 minutes, plus an additional 15 minutes for proctoring. To be eligible for the exam, candidates must first complete the "Penetration Testing with Kali Linux" training course. To pass the exam, you need to achieve 70 points out of 100.

This certification is a true test of the candidate's penetration testing process expertise. It's close to the most arduous exam we've encountered, except for this next one.

1. GIAC Security Expert (GSE)

The GIAC Security Expert (GSE) remains one of the toughest and most prestigious certifications in the field. As of early 2023, there were fewer than 300 GIAC Security Experts worldwide. The exact number fluctuates as new candidates earn the certification, and others may not maintain it due to the rigorous renewal process. 

To earn the GSE, candidates must pass a multiple-choice exam, submit a research paper, and complete a two-day hands-on lab. The GIAC website has a full pricing guide for the exams, including renewal and practice test pricing.

An interesting aside: The first hands-on GSE exam pitted GSE #1, John Jenkinson, and GSE #2, Lenny Zeltser, against one another in a red team versus blue team exercise scheduled for five days. They called it after four and a half days.

Wrapping Up

There's no question that concern for the security of information and networks continues to drive the need for qualified—and certified—infosec professionals. We've listed eight well-known practitioner certifications that are hard to earn.

There's no such thing as a one-size-fits-all certification plan. As you enter and progress in the expanding field of information security, you need to tailor your certification path according to your personal goals and get the right experience.

Studying for an IT security certification? Check out all the training courses CBT Nuggets has to offer. 
