Are you looking to set yourself apart as a cybersecurity professional?
The following is a list of four top cybersecurity certifications – a list that I assembled after reviewing job postings and salary survey reports, as well as based on my general sense of how well various certifications are perceived within the information security industry. Please note that my list addresses only general information security certifications – and does not include various valuable add-on credentials that can be earned after obtaining general certifications, nor does my list address any certifications that are specific to specific products or services.
The Certified Information Systems Security Professional (CISSP) certification covers a broad range of security-related domains, delving into details in some areas more than in others. The CISSP is intended to be pursued by people with several years of experience in the information security field; hence, folks possessing CISSP credentials often earn higher salaries than do both their uncertified peers and counterparts holding other certifications. The CISSP provides employers with the comfort of knowing that workers understand important aspects of more than just one or two areas of information security; as components of information security are often highly interconnected, such knowledge is valuable, and becomes absolutely necessary as one ascends the information-security management ladder.
The CISSP credential is issued by the universally trusted (ISC)2 organization, is both vendor neutral and more evergreen than many other certifications, and requires candidates to possess several years of professional experience before earning certification. From a practical perspective, study materials and training courses for the CISSP exam are widely available, and tests are administered in more places and on more dates than are most other, if not all other, cybersecurity certifications. There are multiple add-ons to the CISSP for those interested in proving their mastery of information security architecture, management, and engineering.
One important note – the CISSP does not test “hands-on skills” – people looking to demonstrate knowledge of entry-level IT auditing, penetration testing, security administration, etc., might want to consider pursuing either a more technically focused, general certification such as CompTIA Security+ (discussed below), or specific product and skill certifications.
(For full disclosure – I hold the CISSP certification, as well as two add-on credentials – CISSP-ISSAP and CISSP-ISSMP, and I wrote (ISC)2’s official study guide for the CISSP-ISSMP exam.)
The Certified Information Security Manager (CISM) credential from the Information Systems Audit and Control Association (ISACA) has exploded in popularity since its inception 15 years ago. As is likely evident from its source of origin, the CISM credential is, generally speaking, a bit more focused than is the CISSP on policies, procedures, and technologies for information security systems management and control, as typically occurs within large enterprises or organizations. As with the CISSP, to earn a CISM, a candidate must have several years of professional information-security experience. Despite the differences between the CISSP and CISM – with the former delving deeper into technical topics and the latter doing similarly for management-related topics – there is also significant overlap between the two.
CompTIA Security+ is a vendor-neutral general cybersecurity certification that can be valuable especially for people early in their careers and is offered by the well-respected, technology-education non-profit, CompTIA. While there is no minimum number of years of professional experience required in order to earn a CompTIA Security+ designation, and anyone who can pass the exam can become certified, most folks will likely stand better chances of passing the exam after working for a year or two, and gaining experience with “security in the real world.”
While, like the CISSP and CISM, CompTIA Security+ covers a broad array of topics, the CompTIA offering goes into more technical detail than either the CISSP or the CISM in several areas, more directly addressing the knowledge needed to perform roles related to entry-level IT auditing, penetration testing, systems administration, network administration, and security administration; hence, CompTIA Security+ is a good early-career certification for many folks.
One important note: People who passed the CompTIA Security+ exam in 2010 or before are not required to satisfy any continuing education or additional testing requirements in order to maintain their credentials, while folks who earned the designation since 2011 must. Hence, some of the criticism that one might find online of CompTIA Security+ in its early iteration no longer applies, and there are information security professionals who attribute more value to today’s CompTIA Security+ certifications than they do to older Security+ certifications.
CompTIA offers additional higher-level certifications for those wishing to demonstrate mastery of specific technologies and skills such as cloud security, Linux security, and penetration testing. CompTIA also offers plenty of materials from which folks can prepare for the Security+ exam, including both an official study guide and the comprehensive, self-paced eLearning platform, CertMaster Learn for CompTIA Security+, which uses videos, text, and various tests and assessments to help candidates prepare for the exam.
The Global Information Assurance Certification Security Essentials Certification (GSEC) is the entry-level security certification covering materials in courses run by the respected for-profit information-security training company, SANS Institute (officially the organization’s name is Escal Institute of Advanced Technologies, but in decades in the information-security field, I have never heard it referred to by that name).
Like Security+, GSEC contains a lot more “hands-on” practical material than the CISM or CISSP certifications, making it more valuable than those alternatives in some scenarios and less desirable in others. Despite being marketed as entry level, the GSEC exam is, generally speaking, regarded as more difficult and comprehensive than that of Security+. Also, in the case of GSEC, all credential holders must show continued professional experience or educational growth in the field of information security in order to maintain their credentials.
One important caveat, however, is that, at least as of recently, the GSEC exam costs more than 5 times as much to take as does the Security+ test; with the greater level of difficulty and much greater cost, one might consider GSEC to be geared towards people somewhat more experienced than those who would benefit most from earning a Security+ designation.
This article was sponsored by CompTIA.