A degree will only take you so far up the job ladder. At some point in your career, an IT security certification from a reputable third-party organization may be necessary (e.g. you’re changing jobs, the job market is tight, you need experience, etc.).
Since the acronyms alone are enough to drive you nuts, we’ve created this short and simple guide to getting accredited. If you already know the basics, you might want to skip ahead to our breakdown of major certification organizations.
Security Certifications: What You Need to Know
Cyber security certifications come in all shapes and subjects – from forensics to intrusion to ethical hacking. They are typically administered by independent accrediting organizations like CompTIA, EC Council, GIAC, ISACA and (ISC)².
Accrediting organizations often divide their programs into three categories: entry level, intermediate and expert.
- Entry-level certifications are meant to ground you in the basics – foundation principles, best practices, important tools, latest technologies, etc.
- Intermediate and expert-level certifications presume that you have extensive job experience and a detailed grasp of the subject matter.
Regardless of the topic or level:
- IT security certifications can be used across jobs and organizations.
- The credentialing process usually consists of training and a final exam.
- Certifications must be renewed periodically (typically every three or four years).
- To be reaccredited, you’ll need continuing education credits and the ability to pass the current exam.
Costs & Commitment
When you decide to get your cyber security certification is up to you. If you have the skills, there’s nothing to stop you from starting when you’re an undergraduate. A recognizable credential will burnish your résumé and catch the eye of hiring managers.
We won’t blow smoke up your proverbial. Certification can be expensive and time-consuming. An entry-level credential can take three to nine months to complete and set you back $300-$600 for the exam.
However, you may not have to pay for it. Universities and employers frequently help foot the bill. In a 2014 SANS survey of cybersecurity trends:
- 65% of respondents reported their employers completely paid for certification training
- 15% of employers shared the costs
The U.S. Department of Veterans Affairs has also approved reimbursement under the G.I. Bill for some certifications. Talk to your accrediting body about funding options.
Is it worth it? If you get the right one, yes. Certification can lead to promotion, better job prospects and/or a raise. Some respondents in the SANS survey reported salary increases of up to 5% after accreditation.
Which Certification to Choose
When it comes to entry-level training, you might start by considering certifications such as:
- CompTIA Security+
- GSEC: GIAC Security Essentials Certification
- SSCP: Systems Security Certified Practitioner
Take the time to compare CompTIA Security+ and GSEC. GSEC has a solid reputation within the industry and is approved for DoD 8570 Baseline Information Assurance. Security+, for its part, is one of the best-known beginners’ certifications. Ed Tittel of Tom’s IT Pro named it to his list of Best Information Security Certifications for 2015.
Popular industry certifications include:
- CISSP: Certified Information Systems Security Professional is a high-level credential focused on security policy and management. This is the most frequently mentioned certification in the business. It was also one of the top-paying IT security certifications in 2014.
- CISA: Certified Information Systems Auditor is designed for professionals who audit, control, monitor and assess information technology and business systems.
- CISM: Certified Information Security Manager is geared towards people in managerial positions (e.g. CIO of IT security).
- GCIH: GIAC Certified Incident Handler is for incident handlers responsible for detecting, responding to and resolving computer security incidents.
- CEH: Certified Ethical Hacker is often discussed among white hat hackers and penetration testers.
- OSCP: Offensive Security Certified Professional is designed for penetration testers and includes a rigorous 24-hour certification exam.
In March 2014, Burning Glass did a survey of cyber security job postings and found that CISSP, CISA, Security+, CISM and GSEC were the top 5 requested certifications.
A lot of organizations encourage you to start with their entry program and work towards more advanced credentials, but it’s not always necessary to go through every level. Check the fine print on prerequisites.
Department of Defense Directive 8570
In 2004, the Department of Defense realized it had a problem on its hands. There was no formal training process in place for its information security personnel. It had little way of knowing whether its IT technicians, administrators, managers and directors were qualified to handle their tasks.
In response, the DoD issued Department of Defense Directive 8570 (announced in August 2004 and implemented in December 2005). This directive was intended to ensure that its cyber taskforce was battlefield-ready. Among other things, the directive:
- Mandated baseline professional certifications for all of its Information Assurance (IA) positions
- Required that IA certification be accredited by ANSI or an equivalent authorized body under ISO/IEC Standard 17024
- Applied to anyone with access to DoD systems, including military personnel, civilian contractors and foreign employees
IA jobs were broken down into five main categories:
- Information Assurance Technician (IAT)
- Information Assurance Manager (IAM)
- Computer Network Defense (CND)
- Information Assurance System Architecture & Engineering (IASAE)
- Computing Environment (CE)
These categories were then split into levels of expertise and proficiency. Requirements for baseline certification would depend on the level you were at.
For example, an IAT might need Security+ at Level 2 and an IAM would need CISSP at Level 3 (view a chart of DoD 8570 certification requirements at (ISC)²).
Department of Defense Directive 8140
As cyberspace has expanded into wireless, mobile and the cloud, the DoD 8570 categories have become somewhat outdated. Department of Defense Directive 8140, also known as the Information Assurance Workforce Improvement Program, is intended to address this issue.
Instead of job titles, DoD 8140 created seven categories under the National Initiative for Cybersecurity Education (NICE) framework. These include:
- Security Provision
- Maintain and Operate
- Protect & Defend
- Operate & Collect
- Oversight & Development
Each category is broken into a wide variety of tasks and jobs. For example, Analyze includes Cyber Threat Analysis, Exploitation Analysis, All-Source Analysis and Targets.
More Security Certification Resources
NICCS maintains an up-to-date listing of all cyber security and cyber security-related education and training courses offered in the U.S. The catalog currently contains more than 1,300 courses. You can search by proficiency level, delivery method, specialty area and keyword.
It’s a few years old, but Josh More’s insider’s view on the pros and cons of certification makes for interesting reading. He has even developed a mathematical method for assessing the overall learning value of a qualification.
Tom’s IT Pro has scores of articles and blog posts on security certification. We’re particular fans of Ed Tittel’s advice column, where he gives career guidance to security professionals around the world.
Cybrary.it, founded by Ralph Sita, Jr. and Ryan Corey, is an online cyber security community offering dozens of free training courses. For example, students interested in earning CompTIA Certification can prepare by enrolling in Cybrary’s free CompTIA A+ Certification Training course. Browse courses by skill level or topic, connect with others in the online forum, and browse listings of cyber security jobs.
Security Certification Organizations
You’ll find a breakdown of 13 cyber security certification bodies and notes on some of their most popular accreditations below. These organizations are also listed on the website of the National Initiative for Cybersecurity Education (NICE). The big ones – CompTIA, EC Council, GIAC, ISACA and (ISC)² – are members of the Cybersecurity Credentials Collaborative (C3), an effort to promote the benefits of certifications in the skills development of information security professionals around the world.
But this is far from an exhaustive list. The Department of Defense, for instance, has developed a separate SPēD Certification program run through the Center for Development of Security Excellence.
If you’re confused about which certification is right for your experience level and interests, reach out to your network. Your professors, employer and/or senior-level colleagues will have a strong sense of which qualifications are worth the investment.
Run as a division of the Software Engineering Institute (SEI), the CERT Program partners with the DHS, industry, law enforcement and academia to counter large-scale, sophisticated cyber threats.
SEI offers two security-focused certifications:
CERT-CSIH is geared towards professionals involved in a computer security incident response team. Training includes methods and best practices related to incident management and incident handling.
Although it’s far from vendor-neutral, we wanted to make sure Cisco was included in our list of certification bodies. In part that’s because the Department of Defense (DoD) has approved Cisco’s CCNA Security certification for DoD Information Assurance Technician Levels I and II.
Cisco has tiered its security accreditations into four levels of experience:
CCENT covers network fundamentals and basic network security. It certifies you’re able to install, operate and troubleshoot a small enterprise branch network.
The popular CCNA Security is an associate-level qualification. This is all about securing and defending Cisco networks. You’ll prove your knowledge of core security technologies, installation/troubleshooting/monitoring of network devices and Cisco security structures.
After that, you can choose to progress to CCNP Security (aligned specifically to the job role of the Cisco Network Security Engineer) and the expert-level CCIE Security.
CCIE Security does not have any formal prerequisites. Instead, like many top-tier certifications, you’ll have to pass a written qualification exam and a corresponding hands-on lab exam. Cisco recommends you accrue three to five years of in-depth job experience before attempting certification.
Founded in 1999, CWNP has developed a series of vendor-neutral training programs and exams, including four levels of professional career certification for Enterprise Wi-Fi.
The most relevant security qualifications are:
CWSP is a mid-tier certification designed to help you secure enterprise Wi-Fi networks from hackers, regardless of the Wi-Fi gear you might be using. You must hold a valid CWNA credential to earn a CWSP.
CWNE is the expert-level qualification. It goes much broader than security, giving you the skills to do pretty much anything with wireless network systems.
The program expects job experience in advanced design, protocol analysis, intrusion detection and prevention, performance and QoS analysis and spectrum analysis and management.
CompTIA provides a number of vendor-neutral IT certifications, including 16 certification exams in the cloud, networking, servers, Linux, security and more.
Notable security accreditations include:
As we mentioned in our introduction, CompTIA Security+ is a strong baseline certification for securing a network and managing risk. It is also approved to meet the requirements of IAT and IAM levels in the DoD 8570 directive (see above).
CASP is intended to give IT professionals advanced-level security skills and knowledge. It applies to IT specialists, risk managers and analysts, security architects/ISSO, penetration testers and ethical hackers.
CASP exam takers should have ten years of experience in IT administration, including five years of technical security experience.
Although there is no prerequisite, CASP is designed to build on the principles of CompTIA Security+. Like Security+, it has been approved by the DoD to meet IAT and IAM certification requirements.
Established in 1988, DRI International is a non-profit organization providing global education and certification in business continuity and disaster recovery planning. It has more than 12,000 active certified professionals worldwide.
The most popular DRII certification is the intermediate-level CBCP: Certified Business Continuity Professional.
This follows on from the associate-level ABCP and precedes the expert-level MBCP. DRII also offers tiered certifications in Certified Specialties (Auditor, Public Sector and Healthcare), Certified Vendor and Certified Risk Management.
Be aware that the DRII process is quite thorough. The CBCP involves a qualifying exam, references and an application essay. To take the exam, you must have more than two years of recent experience in the business continuity/disaster recovery industry.
EC-Council has developed an extensive range of offerings in IT security, including training in information, network, computer and Internet security. Courses are offered online, via iClass or led by live instructors.
EC-Council’s flagship course is the CEH: Certified Ethical Hacker.
In this intermediate-level program, candidates learn to scan, test, hack and secure their own systems. The content-heavy course lasts five days and is followed by a 4-hour multiple-choice exam.
Here’s the thing – there are seasoned security practitioners who intensely dislike EC-Council and will be biased against anyone with one of their certifications.
On the other hand, although many hackers favor IACRB’s CPT or Mile2’s CPTE, CEH consistently appears in lists of top (and top-paying) hacking certifications.
So do your research, talk to colleagues and decide for yourself.
If you’re interested in a GIAC credential, you might wish to investigate:
- GSEC: GIAC Security Essentials Certification
- GPEN: GIAC Certified Penetration Tester
- GCIH: GIAC Certified Incident Handler
As we mentioned in the introduction, GSEC is a solid beginner’s credential. Over the course of a proctored exam, candidates have to demonstrate a fundamental understanding of key security concepts and techniques (e.g. DNS, honeypots, ICMP, Linux, TCP, etc.).
GPEN and GCIH are more advanced qualifications. GPEN is targeted towards security professionals who are tasked with finding vulnerabilities in target networks and systems. GCIH is for incident handlers and focuses on skills for detecting, responding to and resolving computer security incidents.
At the top of the GIAC heap is the GSE: GIAC Security Expert.
This is a first-tier accreditation roughly equivalent in status to CISSP. The exam determines whether candidates have mastered the skills required by top security consultants and individual practitioners.
There is no specific training required for any GIAC certification. You can rely on your practical experience or take relevant courses from a training partner like SANS. High-scoring exam takers gain access to useful online mailing lists. Once you have a certification in hand, you can also pursue GIAC Gold Status – a valuable self-promotion tool.
IACRB is a non-profit organization offering a variety of industry certifications for a wide range of job descriptions (e.g. Penetration Tester, Reverse Engineer, Data Recovery Professional, etc.).
Competitors to EC-Council’s CEH qualification include:
CPT is the initial certification; CEPT is the expert-level version. CPT deals with pen testing domains such as network protocol attacks, Windows/Unix/Linux exploits and wireless security. CEPT goes deeper into network attacks and recon, shellcode, memory corruption and more.
Both CPT and CEPT consist of a multiple-choice exam, followed by a take-home practical. Candidates have to successfully complete three penetration challenges in order to become accredited.
Formed in 1969, ISACA is a global non-profit that provides practical guidance, benchmarks and effective tools for all enterprises that use information systems. It hosts a Knowledge Center where members can participate in communities, shared interest groups, discussions and document sharing. In addition, its Cybersecurity Nexus (CSX) is a central location for cybersecurity research, education, guidance and certifications. ISACA has been around for a long time and has a good reputation.
The organization offers certifications in CISA, CGEIT, CRISC and CISM: Certified Information Security Manager. Like CompTIA Security+ and CISSP, CISM was named to Ed Tittel’s list of Best Information Security Certifications for 2015.
As the title implies, CISM is designed for experienced management-level professionals who design, oversee and assess an enterprise’s information security. Job practice areas include governance, risk management and compliance, incident management and program development and management.
CISM is not a walk in the park. You must pass the exam, submit a written application, agree to the ISACA Code of Professional Ethics and have a minimum of five years of relevant work experience in order to gain accreditation.
(ISC)² offers a large number of information security certifications, including SSCP, CAP and CISSP. Members have access to an extensive range of resources, including a job board, e-Symposium, networking and a Chapter Program where peers can share knowledge, exchange resources, collaborate on projects and create new ways to earn CPE credits.
(ISC)²’s banner certification is the globally-recognized CISSP: Certified Information Systems Security Professional.
CISSP holders work as security managers, directors of security, network architects, security analysts – pretty much anyone in a senior management position. The program covers 10 domains, including access control, network and operations security, governance and risk management, legal issues and more.
You can also opt to take a concentration:
- CISSP-ISSAP: Information Systems Security Architecture Professional
- CISSP-ISSEP: Information Systems Security Engineering Professional
- CISSP-ISSMP: Information Systems Security Management Professional
As with CISM, you must have a minimum of five years of full-time experience in order to take the exam. You are also required to commit to adhering to the (ISC)² Code of Ethics and have your application endorsed by an (ISC)² certified professional.
MI provides real-world training and job development programs for IT professionals involved in law enforcement and fraud.
Crime-related security certifications include:
- CCTA: Certified Counter-Intelligence Threat Analyst
- CEFI: Certified eCommerce Fraud Investigator
- CCIE: Certified Cyber Investigative Expert
- CCII: Certified Cyber Intelligence Investigator
- CCIP: Certified Cyber Intelligence Professional
- CORCI: Certified Organized Retail Crime Investigator
After online training, candidates are required to pass a final exam.
Mile2 offers a variety of training programs and certifications in cyber security, including a CISSP alternative called CISSO. Courseware has been approved by the Committee on National Security Systems (CNSS) National Training Standards.
Mile2 has set itself up in direct competition to the EC-Council’s CEH and IACRB’s CPT. Its hacking certifications include:
CPTE requires a minimum of one year of experience in networking technologies. Candidates complete 20 hours of real-world training and must pass a multiple-choice exam.
CPTC is an advanced penetration testing certification, targeted towards IT managers, Chief Security Officers and security consultants. In a six-hour practical exam, candidates must complete a vulnerability assessment and full penetration test on two IP addresses. They then have 60 days to turn in a written penetration test report.
Offensive Security is a private company offering training courses, penetration testing services and certifications. The team members at Offensive Security are the funders, founders and developers of Kali Linux, the successor to BackTrack Linux, a free security auditing operating system and toolkit.
If you’re a Pen Tester looking for a top-notch certification, you should seriously consider OSCP: Offensive Security Certified Professional. It is one of a handful of certifications that requires practical penetration testing/ethical hacking skills. To pass the exam, you’ll be given 24 hours to compromise a vulnerable network. You must also submit an in-depth penetration test report of the network and PWK labs.
Offensive Security offers other information security certifications, including the more advanced OSCE: Offensive Security Certified Expert, but OSCP is the one we’ve heard infosec experts mention the most.