Many different information-security certifications are on the market today. Some focus on specific technologies or areas of information security, while others are more broad.
©Shutterstock/GorodenkoffWhile it would take a lot of space to explore each and every possible certification available today, the following are five of the more popular — and better recognized — vendor-neutral cybersecurity certifications that may be ideal for folks relatively early in their cybersecurity careers.
CISSP
The Certified Information Systems Security Professional (CISSP) certification, initially launched in 1994, covers a broad range of security-related domains, delving into the details of some areas more than others.This cybersecurity certification provides employers with the comfort of knowing that workers understand important aspects of more than just one or two areas of information security. As components of information security are often highly interconnected, broad knowledge is valuable, and becomes absolutely necessary as one ascends the information-security management ladder.
The CISSP is intended to be pursued by people with several years of experience in the information security field — in fact, while you can take the CISSP exam without experience, you won’t actually receive the credential until you work in the field for the required number of years.
As a result, folks possessing CISSP credentials, who always have several years of experience under their belts, often command higher salaries than do both their uncertified peers and counterparts holding other cybersecurity certifications.The CISSP credential, issued by the highly regarded (ISC)2 organization, is both vendor neutral and more evergreen than many other certifications. Study materials and training courses for the CISSP exam are widely available, and tests are administered in more locations and on more dates than most other, if not all other, cybersecurity certifications.
Multiple add-ons to the CISSP are available for those interested in proving their mastery of information security architecture (CISSP-ISSAP), management (CISSP-ISSMP), and engineering (CISSP-ISSEP).
(ISC)2 requires that holders of the CISSP credentials accept to abide by a specific Code of Ethics and that they perform significant continuing education activities in order to maintain their credentials, which must be renewed every three years.
The CISSP is not intended to test hands-on technical skills — and does not do so. People looking to demonstrate mastery of specific technologies or areas of technology — for example, penetration testing, security administration, auditing, and so on — may want to consider pursuing either a more technically focused, general certification or some specific product and skill certifications.
CISM
The well-regarded Certified Information Security Manager (CISM) credential from the Information Systems Audit and Control Association (ISACA) has exploded in popularity since its inception a little under two decades ago.Emanating from an organization focused on audit and controls, the CISM credential is, generally speaking, a bit more focused than is the CISSP on policies, procedures, and technologies for information security systems management and control, as typically occurs within large enterprises or organizations.
As with the CISSP, to earn a CISM, a candidate must have several years of professional information-security work experience. Despite the differences between the CISSP and CISM — with the former delving deeper into technical topics and the latter doing similarly for management-related topics — the two cybersecurity certifications also significantly overlap. Both are well respected.
CEH
The Certified Ethical Hacker (CEH), offered by the International Council of E-Commerce Consultants (EC-Council), is intended for people with at least two years of professional experience who are intent on establishing their credibility as ethical hackers (in other words, penetration testers).CEH is a practical exam that tests candidates’ skills related to hacking, from performing reconnaissance and penetrating networks to escalating privileges and stealing data.
This exam tests a variety of practical skills, including attack vehicles, such as various types of malware; attack techniques, such as SQL injection; cryptanalysis methods used to undermine encryption; methods of social engineering in order to undermine technical defenses via human error; and how hackers can evade detection by covering their tracks.EC-Council requires CEH credential holders to acquire a significant number of continuing education credits in order to maintain a CEH credential — something quite important for an exam that tests practical knowledge, especially when you consider how rapidly technologies change in today’s world.
Security+
Security+ is a vendor-neutral general cybersecurity certification that can be valuable, especially for people early in their careers. It is offered and administered by the well-respected, technology-education nonprofit, CompTIA.There is, technically speaking, no minimum number of years of professional experience required in order to earn a CompTIA Security+ designation. However, from a practical perspective, most people will likely find it easier to pass the exam after working in the field and gaining practical experience for a year or two.
The Security+ exam typically goes into more technical detail than either the CISSP or the CISM. It addresses the knowledge needed to perform roles such as those related to entry-level IT auditing, penetration testing, systems administration, network administration, and security administration; hence, CompTIA Security+ is a good early-career certification for many folks.
Anyone earning the Security+ designation since 2011 must earn continuing education credits in order to maintain the credential.
GSEC
The Global Information Assurance Certification Security Essentials Certification (GSEC) is the entry-level security cybersecurity certification covering materials in courses run by the SANS Institute, a well-respected information-security training company.Like Security+, GSEC contains a lot more hands-on practical material than the CISM or CISSP certifications, making this certification more valuable than the aforementioned alternatives in some scenarios and less desirable in others.
Despite being marketed as entry-level, the GSEC exam is, generally speaking, regarded as more difficult and comprehensive than the test required to earn a Security+ designation.
All GSEC credential holders must show continued professional experience or educational growth in the field of information security in order to maintain their credentials.
Verifiability
The issuers of all major information security credentials provide employers with the ability to verify that a person holds any credentials claimed. For security reasons, such verification may require knowledge of the user’s certification identification number, which credential holders typically do not publicize.If you earn a certification, be sure to keep your information in the issuer’s database up to date. You do not want to lose your certification because you did not receive a reminder to submit continuing education credits or to pay a maintenance fee.
Ethics
Many cybersecurity certifications require credential holders to adhere to a code of ethics that not only mandates that holders comply with all relevant laws and government regulations, but also mandates that people act appropriately even in manners that exceed the letter of the law.Be sure to understand such requirements. Losing a credential due to unethical behavior can obviously severely erode the trust that other people place in a person and can inflict all sorts of negative consequences on your career in information security.