IT Security Certifications: The Breakdown
Breaking into IT Security is no simple task. It requires both experience and certification. And there's plenty of debate about the best paths to gaining both security experience and certification.
There are several critical factors that will influence your options and choices as you consider your IT security career. A good place to start is by asking yourself a few questions that can help you better define your next steps:
How much IT experience do you currently have? And how much IT security experience do you currently have? (You're not building a resume here, so no need for exaggeration.)
What is your end goal within the IT security field? What role or title are you working toward?
What technologies (or vendors) do you have the most experience working with? Do you want to stick with those technologies (vendors), or pursue others?
With these guiding questions answered, now you can check out the list of certifications below to better identify which is a good fit for where you are in your career and for where your career is going!
CompTIA Security+
CompTIA Security+ certification covers network security, compliance and operation security, threats and vulnerabilities, as well as application, data and host security. Also included are access control, identity management, and cryptography. You can see the entire Security+ curriculum right here.
Recommended experience: CompTIA Network+ and two years of experience in IT administration with a security focus.
The CompTIA Security+ certification is valid for three years. 50 continuing education units (CEUs) are required for recertification (CBT Nuggets is a CompTIA partner and many courses qualify for CEU).
Pros
Inexpensive (less than $500)
Government approved (DoD 8570.01-M and 8140 technical and management directives)
Vendor neutral: concepts are taught free of vendor-specific product references
Entry level
Cons
Considered too basic, and therefore some employers may undervalue the certification
Vendor neutral: provides no product-specific knowledge or understanding
Assumes a certain degree of foundational networking knowledge, which may require additional training/experience
Despite these cons, we recently recommended CompTIA Security+ as one of the four best ways to begin your security career, and even recommended starting with Security+ before Network+.
GIAC GSEC
The Global Information Assurance Certification Security Essentials (GSEC) certification is designed for security professionals who want to demonstrate they are qualified for hands-on IT systems roles with respect to security tasks. Candidates are required to demonstrate an understanding of information security beyond simple terminology and concepts.
GSEC is valid for four years and can be renewed with 36 Continuing Professional Experience (CPE) credits.
Pros
No prerequisites
Exam is open book
Highly regarded in the security field
Government approved
Hands-on application of security tasks
Cons
Expensive (more than $1,000)
5-hour exam (you could watch the original Lord of the Rings trilogy in five hours! Just kidding. Five hours won't even get you halfway through the extended versions of all three films.)
Despite having no prerequisites, many consider this to be an intermediate-level certification
Note that this certification is called "security essentials," which in practice means "networking essentials," too. We recommend that you brush up on the material from CCNA or Network+, such as IPv4 subnetting, TCP, UDP, ports, and everything else.
As a security specialist, you need intimate and very specific knowledge of the inner workings of your network in order to protect it.
EC-Council Certified Ethical Hacker
The EC-Council is fond of saying, "to beat a hacker, you have to think like a hacker."
The Certified Ethical Hacker is an intermediate-level certification designed to help you develop the skills and knowledge you need to prevent most modern attacks, and secure your systems and networks. The CEH ensures that you have a strong understanding of hacking practices including footprinting and reconnaissance, scanning networks, worms and viruses, DoS attacks, social engineering, SQL injection, honeypots, and more.
The CEH is valid for two years and can be renewed by earning another EC-Council certification, or by pursuing continuing education (ECE) credits.
Pros:
Emphasis on tools and techniques used (hands-on, practical approach)
Great resume builder
Strong reputation (depending on who you ask, the CEH is arguably the best certification to earn!)
Cons:
Expensive (more than $500)
4-hour exam
Weak reputation (depending on who you ask, the CEH is arguably one of the worst certifications to have)
To sit for the exam, you must submit verification of two years of work in infosec, complete with employer verification
CEHv9 is not a hands-on exam. However, it's best to get hands-on practice as you study the concepts. That's why the first thing Keith Barker has you do in his CEHv9 training is build a home lab, after which you can start practicing with Linux penetration-testing tools.
Certified Information Security Manager (CISM)
The Certified Information Security Manager (CISM) certification is designed primarily for managers, not practitioners. If you prefer to get your hands a little dirty as you go about the work of securing your systems and network, other security certifications might be a better fit. If you prefer to maintain a higher-level view of security issues and how they relate to the business objectives of your organization, the CISM might be just right.
The CISM is valid for three years and requires ongoing continuing education (CPE) hours that are regularly reported.
Pros:
Strong reputation (arguably, one of the best in the industry)
Creates a pathway to management opportunities
Globally recognized
Cons:
Expensive (costs vary, but can land anywhere between $440-$750)
Requires proof of five years of work experience in the field of information security
4-hour exam, allegedly very difficult
Complex process for registering for exam and receiving certification
Fees to maintain certification after you earn it
Certified Information Systems Security Professional (CISSP)
The Certified Information Systems Security Professional (CISSP) is an advanced-level certification for the proven infosec professional.
The certification is designed to ensure learners have the knowledge and technical skills needed to develop, guide, and manage security standards, policies, and procedures. This is the most advanced certification we've discussed so far, and for many learners, it may require up to a year of preparation for the exam.
The CISSP is valid for three years and requires ongoing Continuing Professional Education Credits (CPEs) and annual fees.
Pros:
Strong reputation (arguably, one of the best in the industry)
Globally recognized
Vendor neutral
Cons:
Expensive (more than $500, not including any areas of concentration)
Requires proof of five years of work experience in the field of information security
6-hour exam (you could watch all of the Star Wars movies in that time! Just kidding. Six hours doesn't even get you halfway through Star Wars! You'd need more than double that time!)
No hands-on experience required
CISSP basically makes you a cyber crime investigator. It's intensive, but definitely worth it.
OSCP
The Offensive Security Certified Professional (OSCP) certification is designed to prove learners have a strong and practical understanding of the penetration testing process and lifecycle. The OSCP is perhaps the most arduous exam we've discussed yet. It is extremely hands-on, giving learners connectivity instructions to an isolated network for which they must submit a comprehensive penetration test report at the conclusion of their exam. This certification is not for the faint of heart!
Pros:
Strong reputation
Extremely hands-on exam experience
Gives the term "offensive" a good reputation finally!
Cons:
Expensive (costs vary, but generally more than $500*) *Costs include the training course, 30-day lab access, and certification exam registration, but these options can be mixed and matched.
Must complete the OSCP-hosted Penetration Testing with Kali Linux training course to be eligible for the exam
24-hour exam (you could watch all of the James Bond movies in that time! Just kidding. Twenty-four hours doesn't even get you halfway through all 23 James Bond movies ever made! You'd need more than double that time!)
As infosec continues to grow, so does the need for qualified, well-trained professionals. This is your chance to dive into the ever-expanding information security field and watch your career opportunities grow. Are you pursuing another infosec certification that we didn't list here? Tell us about it!