SecurITyCerts dot Org
Navigating Security Certifications
Security Certifications:
The Top Three Infosec Certifications
There are a lot of security certifications available, ranging from entry level to advanced and from very general to focused on specific areas of security. Some security certifications include a focus on hands on skills whereas others entirely dismiss them. Picking the top three is bound to be controversial, and certainly (polite) feedback on my choices of the top three security certifications is invited.
May 14 to May 19 in Toronto
August 6 to 13 in Boston
● Join Ted Demopoulos and Eric Conrad for a Webcast CISSP Certification Bootcamp, July 30 to Sept 12.
● What Should Keep You Up at Night: The Big Picture and Emerging Threats, my presentation from The New York State CyberSecurity Conference, June 7, 2011, is now available.
Although security certifications can force one to learn valuable skills
and acquire useful knowledge, I see this as a byproduct of the
certification process. Yes, I’ll gladly agree that these skills and
knowledge are important, very often much more so than the actual "cert"
itself, but I didn't consider the actual body of knowledge that certs
required learning as one of the criteria to pick the top three. I
reasoned that if the body of knowledge were totally useless for any of
the certifications, then the criteria I used wouldn't be satisfied. Call
me an optimist!
I used the following criteria to pick the top three information security
certifications:
- Well known – A certification needed to be well known to be considered. That leaves out newer security certifications, as security certifications that have been around longer tend to be naturally better known.
- Popular – I also considered the popularity of the various security certifications; the number of people who are certified. This also favors the older and more established security certifications.
- General Purpose – Only general purpose, vendor neutral security certifications, those perhaps useful to the most people in the information security world, were considered. This automatically removed many security certifications from consideration, such as the Certified Ethical Hacker (CEH) and Certified Information Systems Auditor (CISA) certifications.
Note that this is not an ordered list of certifications: I make no attempt to claim one is better than the other. In fact which certification, if any, is most valuable will vary from individual to individual.
Certified Information Systems Security Professional (CISSP)
The CISSP certification is the granddaddy, the oldest security certification, and the best known. There are over 60,000 CISSPs as of late 2008.
The CISSP exam covers a wide array of topics, many not traditionally associated with information security. There is no attempt to be remotely cutting edge nor is there any hands on type information. The test is a bear, and no one enjoys taking it!
CISSP - Click Here For More Info
Also see: CISSP
Training or Self Study?
9 Tips for Taking
The CISSP Exam
My Experience taking the CISSP
Exam
GIAC GSEC
The SANS GIAC GSEC certification is a very popular certification comparable in difficulty to the CISSP. Unlike the CISSP, it emphasizes skills that are immediately useful in the workplace, including hands on skills.
GIAC GSEC -- Click Here For More Info
Also see: Taking the GIAC GSEC, Paul Meynen
The GIAC GSEC, Instructors
Take it Too
Security+
The Security+ certification is an entry level security certification. Numerically it's extremely popular, with 50,000 certified professionals as of late 2008, however as it's entry level and much easier than CISSP or GSEC, not nearly as well regarded.
Security+ Certification -- Click Here For More Info
Disclaimer:
I have all three security
certifications. It's rare that anyone considering hiring me cares, but
that's in large part because I've been in the security field a long
time. All three certs have value.
I occasionally teach classes to help people prepare for all three
certifications, and I may sometimes be happily on the payroll of one or
more of the companies mentioned above. For the full story, visit your
favorite search engine.
I'm a consultant, I'm for hire, so yes, I am not entirely impartial and
don't pretend to be. However I try to present the information in a clear
and concise way, the good, the bad, and the annoying too.
Ted Demopoulos, IDNNFIMNILE (I Don't Need No Friggin’ Initials My Name
Is Long Enough)
Ted Demopoulos, Caesars Palace