What Information Security certifications should I get?
So I'm fairly new to the forums here, but it seems like about every tenth post or so is about someone wanting to either break into security or develop their security skills further. Since I'm a helpful Homer, I always would write back to give some points. Sorry to say, though, that I'm getting tired of writing the same thing every time, so I decided to make one big post that I could just refer people to. I know there are stickied similar posts like this floating around, but I thought it'd be easier to link you, curious reader, to my own words. I won't wax lyrical about every single cert out there, mostly because they are being constantly developed and may have changed since I wrote this initial post. Rather, I'll list them, let you do the research to better compare and contrast, and update this list as necessary.
Please be aware that certs do not make the man. Real skills are required. While there is always debate on the value of certs, I tell people to primarily use certs as ways of supplementing their knowledge and secondarily getting a "leg up" on potential jobs where other candidates may not be certified.
I'm addressing what I consider to be the "name brands" of certs here. Especially nowadays there are lots of companies offering lots of certs, but these will be the ones people have the most general knowledge of and are created by the most well-known companies. Feel free to add comments below. I'll add useful comments to this first post.
As a last item, since everybody and their uncle wants to go into infosec management and make the big bucks, I focused the list below on that path. Feel free to ask below for other paths (forensics, for example) and I (or others) will happily keep you from exercising your own free will by giving you the cert roadmap you're looking for without all the extra stuff you don't need.
Entry certifications. If you're just starting out, these are a good way to get your feet wet, learn some introductory material, and see 1) if you want to continue down this treacherous journey and 2) where you may want to focus your attention in the future. Security is a huge field spanning literally every IT realm and crossing over into the business realm if you want to pursue a management path. There are lots of forks in the road. Choose wisely.
CompTIA Network+ - this isn't technically a security cert, but security inevitably touches upon the network. If you don't have much in the way of networking know-how, I'd suggest starting here. There are no prerequisites.
CompTIA Security+ - pretty much the de facto intro cert. Covers the gamut at a good level. There are no prerequisites.
CompTIA Advanced Security Practitioner (CASP) - if you've just passed Security+ or don't need it due to your current level of knowledge, this is my recommended next step. The 201 to Security+'s 101. There are no prerequisites.
(ISC)² Systems Security Certified Practitioner (SSCP) - A sort-of alternative to the CASP. One year of experience is required in a specific security domain listed on the certification's website.
SANS/GIAC has training/cert options that slot in here. GIAC Security Essentials (GSEC) & GIAC Information Security Fundamentals (GISF) come to mind. These are very expensive, best left to deep corporate pockets, and IMO have no value-add over the cheaper options listed above.
EC-Council has training/cert options that slot in here. The world-at-large is split on the value of these certs as the company underlying them isn't as well-rounded and professional as, say, (ISC)² or ISACA. I won't give my opinion on the subject, but you can search around these forums for plenty of opinions. CEH is their most popular exam and would be suitable to study after Security+.
Mid- to High-level certs. Once you're comfortable with your beginner-level knowledge, start looking into these guys.
Vendor-specific certs. If you're going to be running technical security controls like McAfee ePO, ArcSight, Splunk, etc. then get work to pay for these certs & associated training. A no-brainer if this is your everyday workload.
SANS/GIAC has training/cert options that slot in here. As mentioned above, these are expensive and better for corporate worker bees, but they do have lots of hands-on value. Since there are tons of options (and a very dynamic list), I'd recommend browsing the SANS and GIAC websites for the focus area of your choice. Categories include penetration testing, incident handling, forensics, management, audit, etc.
(ISC)² Certified Information Systems Security Professional (CISSP) - In my region this is listed as a desired cert on just about every security job. If you have one end-goal for future job marketability, this should be it. Five+ years of experience is required in specific security domains listed on the certification's website.
ISACA Certified Information Security Manager (CISM) - You'll see this listed on just about any infosec-manager job posting, mostly because the posters like the name. I consider it complementary to the CISSP. Five+ years of general infosec experience, with three+ years of infosec management experience, is required in specific security domains listed on the certification's website.
ISACA Certified in Risk and Information Systems Control (CRISC) - while this is technically a risk-focused exam, my belief is that it has lots of value for infosec managers since everything they do (whether they know it or not) is risk-based. A good follow-up to the CISM. Three+ years of experience is required in specific security domains listed on the certification's website.
ISACA Certified Information Systems Auditor (CISA) - This is geared towards auditors, but it very easily slots under the Management section. A good follow-up to the CISM. I recommend doing this immediately before or after the more technically audit-focused GIAC Systems and Network Auditor (GSNA). The CISA requires five+ years of professional information systems auditing, control, or security work experience in specific domains listed on the certification's website.
My suggested management path - Start your Master of Business Administration (MBA) > Network+ > Security+ > CASP > CISSP > Graduate with your MBA > CISM > CRISC > CISA. By the time you work through those (and have the required years of experience) you'll have a dozen new options to choose from!