Essential certifications for smart security pros

Expand your skills, know-how, and career horizons with these highly respected security certs

If you’re pursuing a career in IT security, certifications can only help you. Certification critics often say a certification means nothing and that acumen and experience are the true differentiators, but as a holder of dozens of IT security certifications, I beg to differ. So do employers.

A particular certification is often the minimum hurdle to getting a one-on-one, in-person job interview. If you don’t have the cert, you don’t get invited. Other times, having a particular certification can give you a leg up on competing job candidates who have similar skill sets and experience.

Every certification I’ve gained took focused, goal-oriented study -- which employers view favorably, as they do with college degrees. More important, I picked up many new skills and insights in IT security while studying for each certification test. I also gained new perspectives on even familiar information I thought I had already mastered. I became a better employee and thinker because of all the certifications I have studied for and obtained. You will too.

Security is more important to computing and the internet than ever before, and the following, well-respected security certs will not only help you stand out from the crowd but also make you a more valuable member of the IT security community.

CISSP
The International Information Systems Security Certification Consortium’s (ISC2) Certified Information Systems Security Professional (CISSP) certification is the most coveted and widely accepted computer security certification around. This general computer security knowledge exam covers eight Common Body of Knowledge (CBK) domains, including access control, security operations, cryptography, and more.

The test consists of 250 multiple-choice questions that must be answered in six hours. Candidates must already have five years of professional experience in two or more of the CBK domains (four years with a qualifying degree), and they must be endorsed by a current CISSP holder. Those who pass the exam must also sign and agree to follow a code of ethics, and each certification holder must periodically resubmit proof of continuing education, along with a fee, to keep the CISSP designation. The initial exam cost is $599.

I used to be an unofficial CISSP exam instructor and have taught hundreds of students how to take and pass the exam. In my experience, candidates should buy at least two CISSP exam prep books and take at least 1,000 practice questions. Every student I ever had who followed this advice passed.

I haven’t always been a big fan of the test questions themselves. Back when I took and passed the exam, test questions weren’t always well edited or even technically correct. I was told these were most likely “beta” test questions that didn’t count toward scoring. Furthermore, no matter how much you studied or how many practice questions you answered, a large part of the exam would seem unfamiliar. Most CISSP test takers would walk out of the exam not knowing how they did, even if they did well.

Today, test takers find out immediately whether they passed, and I hear the test questions are better. Still, most CISSP test takers can’t tell how they did until the score is presented. Despite those criticisms, there isn’t a more respected security certification. I rarely get asked by a customer what certifications I have, but if I do, they are almost always waiting to hear me say CISSP because the person asking usually has their CISSP. It’s a good club to be in. Truth be told, you’ll be a much better computer security person for having studied for and taken the exam.

SANS GIAC
The SANS Institute (SysAdmin, Audit, Network, and Security) is a great resource for security pros. Training, research, education, books, certifications -- SANS does a lot and does it well. If you’re interested in being a respected technical expert, SANS offers the certs for you. It even offers two accredited master’s degrees, under the brand of the SANS Technology Institute, if you want it all.

SANS has a host of certifications, ranging from very niche security topics -- malware analysis, firewalls, host security, security controls, and so on -- to its hugely respected Global Information Assurance Certification (GIAC) Security Expert designation. I don’t think I’ve ever taken a SANS course that didn’t teach me more in a few hours than in weeks spent in classes offered by other training vendors, and I’ve yet to meet a GIAC holder that didn’t impress me.

GIAC certifications are classified in five subject areas: security administration, forensics, management, auditing, and software security. Most exams are open book and have a time limit of two to five hours, and the candidate must sit the exam within four months of registering for it. Unfortunately, according to the GIAC exam guide, some tests could include “unscored” questions, just like the CISSP. But my guess is there will be fewer beta test questions and what they have is better proctored. SANS is starting to venture into hands-on testing that involves live VMs.

Some of SANS’s most popular GIAC exams are GIAC Information Security Professional, GIAC Certified Incident Handler, and GIAC Reverse Engineering Malware, but it offers courses that run the gamut, including Windows, web servers, penetration testing, Unix security, wireless networking, programming, leadership, and program management.

GIAC exams are meant to be taken after attending the corresponding SANS training, which usually lasts a week. If a GIAC exam is taken in conjunction with the official training, the exam costs $659. But you can challenge any exam (that is, sit it without taking the official training) for $1,149. All GIAC certifications must be renewed every four years.

If you want to learn a lot about computer security, how hackers hack, and how malware is made, start your SANS courseware now.

CISSP and SANS certifications are top-tier, highly respected certifications. If you are serious about furthering your computer security career, these are the certification grails to pursue. Other computer security exams, covered below, are widely valued and esteemed, but they don’t carry the same universal cachet as CISSP and GIAC.

EC-Council Certified Ethical Hacker
The EC-Council’s Certified Ethical Hacker (CEH) certification is a well-respected way to learn how to be a white-hat hacker (or professional penetration tester). The CEH introduced me to some interesting hacking tools that I still use. The four-hour exam includes 125 multiple-choice questions. The application eligibility fee is $100.

EC-Council offers a number of other useful exams, including Computer Hacking Forensic Investigator, Licensed Penetration Tester, Certified Incident Handler, and Disaster Recovery Professional. It even has a Certified Chief Information Security Officer exam.

CompTIA Security+

CompTIA offers entry-level, comprehensive certification exams in PC repair (A+), networking (Network+), and security (Security+). Because a CompTIA exam is often the first test taken by people new to the computer industry, Security+ unfortunately has a reputation for being too basic a certification.

In my opinion, and by the standards of many employers, this is not true. The exams may not be as respected as those of other certification leaders, but they are comprehensive and you must study hard to pass. CompTIA Security+ covers network security, cryptography, identity management, compliance, operations security, threats, and host security, among other topics. You get 90 minutes to complete up to 90 questions. I took the Security+ exam a long time ago, but in my recollection it was tougher than expected for an exam that covers the basics. It even includes some performance-based questions, set in simulated environments, where the test taker has to select the right options. The price is $311.

ISACA
ISACA, formerly known by its full name, Information Systems Audit and Control Association, offers a range of respected certifications focusing mainly on auditing, management, and compliance. Its major certifications include the following: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), and Certified in Risk and Information Systems Control (CRISC).

While the titles might not blow you away with excitement, it’s precisely their professional staidness that sells the value of these certifications. They are aimed squarely at working professionals. If you are interested in computer systems auditing or computer security management, these are the certifications to get. ISACA certifications are frequently held by the top earners in the field.

One of the first and hardest exams I ever took and passed in my life was a state-level Certified Public Accountant (CPA) exam, which has nothing to do with computer security, of course. But the type and structure of the ISACA exam questions remind me of the CPA exam. I’ve earned both the CISA and CISM, and I have found both to be good tests of security knowledge. Application fees are only $50, but they require five years of relevant experience for you to be eligible to take the tests. Buying a preparation book and taking a few hundred practice test questions, on top of your experience, should be all you need to earn these certs.

Vendor-specific certifications

Many vendors, such as Microsoft and Cisco, offer security-specific exams that are worth pursuing. Years ago, Microsoft had several security-specialist exams, such as MCSE: Security. But security has become a general concern for all platforms and technologies, and Microsoft has started to bake security questions and testing into all its exams. That trend has been somewhat reversed by the recent announcement of Microsoft’s forthcoming Securing Windows Server 2016 exam. The certification, which is currently under development, will go far beyond technically hardening Windows Server 2016 alone. It will cover red/green forest design, Just-in-Time Administration, Just Enough Administration (JEA), and Microsoft’s latest security technologies, such as Advanced Threat Analytics (ATA). Microsoft security techs may also want to take Microsoft’s Security Fundamentals exam for $127.

Cisco’s certifications have always had industry pedigree and are considered tough to pass. The Cisco Certified Internetwork Expert (CCIE) certification is widely considered the hardest exam in the industry. According to Cisco, less than 3 percent of CCIE candidates obtain the certification, even after paying thousands of dollars, building home labs, and spending an average of 18 months studying for it.

Cisco’s Certified Network Associate (CCNA) Security certification is easier to obtain and still very well respected. You must first hold another valid Cisco certification to take the CCNA Security exam. After you have your CCNA Security (or any CCIE certification), you can take the Cisco Certified Network Professional (CCNP) Security exams. But CCIE Security is the mac-daddy Cisco security exam. It consists of a two-hour written exam (which must be passed first), followed by an eight-hour lab. All Cisco certification exams are hard, but if you get your CCIE Security, you’ll be able to earn a very good living almost anywhere in the world.

Apple doesn’t appear to have a security-specific exam, but its traditional OS X exams, such as those for El Capitan and Mac Integration Basics, include some security components.

Red Hat and other Linux security certs

Red Hat offers dozens of certification exams, and like other major vendors, it offers at least one security specialty exam: the Red Hat Certificate of Expertise in Server Hardening. Besides the usual Linux server-hardening material, successful candidates must be prepared to work with Common Vulnerabilities and Exposures (CVE) entries and Red Hat Security Advisories (RHSA). The price is $600.

The Linux Professional Institute (LPI) offers a vendor-neutral Linux security exam (LPIC-3 303) that covers a host of security topics. Candidates must have passed four lower-level LPI exams to qualify for LPIC-3 303. Like the other LPI Level 3 exams, LPIC-3 303 costs $188 to take. SANS also offers a GIAC Unix security certification that applies to Linux.

Which certifications to pursue first

I’m a big believer in taking what you know the best first. Use your first exam and certification to get back into good study habits, and once you pass the exam, let it help build your confidence. Or if you fail, identify your weaknesses and get back on the horse. I once taught a guy who failed the same test two dozen times over the course of a year. But he kept coming back and eventually eked out a passing score. I’ll hire a honey badger any day of the week.

If your experience qualifies you to take the CISSP, that would be a great certification to start with. The breadth of the exam (not the depth of the material) is what makes the CISSP challenging. The majority of people who take the exam pass it, and once you’ve earned the certification, be prepared to share your success with anyone who asks. If you want to acquire new technical skills, start with SANS GIAC. It’s fairly expensive, but nothing is better. People already in auditing or management, or those interested in moving into those roles, should consider the ISACA exams. Compliance folks should look to SANS and ISACA. Proof of expertise in a vendor’s suite of products is quickly established when you have that vendor’s own certification.
