Choosing the Right Security Certifications for You
Date: Feb 16, 2011
The IT certification arena consists mainly of vendor-neutral and vendor-specific certifications. If your employer or primary customers use a certain vendor’s products, your choice is fairly easy: earn certifications that apply to that technology. For example, if your company supports Red Hat installations, pursue Red Hat Certified credentials. If you’re part of a predominantly IBM shop, go for the IBM certs. Deciding what to pursue on the vendor-neutral side is a bit more complicated, as is which combination of vendor-specific and vendor-neutral certs to obtain. To solve this dilemma, you need to understand where individual certs and cert programs fit in the overall scheme of coverage, and compare similar programs to decide which ones to pursue.
The Programs
Let’s start by looking at several vendor-specific and vendor-neutral certification programs, and then put them into perspective by job roles.
Some of the most popular vendor-specific security certs and programs include:
- Check Point offers a multi-level certification program to indicate knowledge of and skills using the company’s network protection products.
- Cisco offers many security certifications, ranging from the entry-level Cisco Certified Network Associate (CCNA) Security, through the intermediate Cisco Certified Network Professional (CCNP) Security, to the highly sought-after and advanced Cisco Certified Internetwork Expert (CCIE).
- Microsoft no longer offers specific security certifications, but many of its certs include security components. In addition, many security certifications include knowledge of certain Microsoft products as a requirement. Popular Microsoft certifications include the Microsoft Certified Technology Specialist (MCTS) and the Microsoft Certified IT Professional (MCITP).
- Red Hat has an impressive certification program, with its shining stars being the Red Hat Certified System Administrator (RHCSA), followed by the Red Hat Certified Engineer (RHCE), and finally the Red Hat Certified Security Specialist (RHCSS).
Other companies that maintain vendor-specific certification programs with a security angle include Guidance Software (EnCase forensics), Fortinet, IBM, Oracle, RSA, SAINT, Sourcefire (Snort), Symantec, and Websense. Brainbench offers a wide variety of both vendor-specific and vendor-neutral certifications.
On the vendor-neutral side of security, some of the best-known and most widely followed IT security certification programs include:
- CompTIA’s well-rounded certification program includes the Security+, which stands out as one of the premier entry-level security certifications with over 45,000 certified individuals. It serves as a requirement or acceptable substitute in several other cert programs, such as those offered by EC-Council and mile2, among others.
- The EC-Council offers several certifications covering topics such as network security, security analysis, and even Voice over Internet Protocol (VoIP). The organization is probably best known, however, for its Certified Ethical Hacker (CEH) and Licensed Penetration Tester (LPT) certs. EC-Council certs require background checks, ethics, and professionalism, in addition to training and exams.
- The venerable ISACA is an international professional association that focuses on IT governance. It offers the Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), and Certified in Risk and Information Systems Control (CRISC) certs. All ISACA certs have hefty experience requirements, so only seasoned IT professionals qualify to earn ISACA certifications.
- (ISC)2 offers the well-known Systems Security Certified Practitioner (SSCP) and Certified Information Systems Security Professional (CISSP) certs, in addition to three CISSP concentrations (Architecture, Engineering, and Management) and a few others. The SSCP covers 7 of the 10 (ISC)2 Common Body of Knowledge (CBK) domains; the CISSP covers all 10. The CBK spans nearly every aspect of IT security, making both certs quite comprehensive.
- The SANS Global Information Assurance Certification (GIAC) program offers certifications geared toward security professionals responsible for designing, implementing, and maintaining a high-tech security infrastructure, which may include incident handling and emergency response team management. The GIAC Information Security Fundamentals (GISF) is the springboard to upper-level certs focused on firewalls, incident handling, intrusion analysis, Windows and Unix administration, information security officer, and systems and network auditor certifications. The GIAC Security Essentials Certification (GSEC) is also considered a leading foundational cert in the security industry.
Other certification organizations that offer vendor-neutral certs of note include Brainbench, CWNP (wireless networking credentials), CyberSecurity Institute, IACIS, Iowa-based training company mile2, and Security University (SU). ASIS International offers a small but esteemed program, which includes the most senior and prestigious IT security professional certification mentioned in this article, the Certified Protection Professional (CPP). You can also earn the Professional Certified Investigator (PCI) and Physical Security Professional (PSP) through ASIS, if you’ve got at least five years’ experience and meet other rigorous requirements.
Matching Certifications to Job Roles
This part of the article recommends security certification paths, or “ladders,” for job roles such as general security, networking, forensics, and so on. Remember, these are just recommendations: guidelines to help you see logical progressions from entry-level to advanced certs.
For any job role, you can start with the Security+, SSCP, or GSEC as the foundational certification. All three certs are widely known and respected, although the Security+ may edge out the others as far as instant recognition by employers and certification seekers alike.
If you plan to stick with general security, focus on the CISSP or any of the intermediate-level GIAC certifications. Eventually round out your portfolio with one or more advanced-level certs, such as a CISSP concentration (Architecture, Engineering, or Management), the CISM, the CPP, or the GIAC Security Expert (GSE).
For networking security, start with the Security+, SSCP, GSEC, or the Brainbench Network Security (BNS). From there, specialize in a vendor-specific technology, such as the Cisco CCNP Security and eventually the CCIE, or the Check Point certs (Certified Security Administrator, Certified Security Expert, Certified Managed Security Expert). To maintain a more general networking portfolio, obtain the Brainbench Information Security Administrator (BISA), the CWNP’s Certified Wireless Security Professional (CWSP), or any of the intermediate-level GIAC certifications:
- GIAC Certified Firewall Analyst (GCFW)
- GIAC Certified Intrusion Analyst (GCIA)
- GIAC Certified Incident Handler (GCIH)
- GIAC Certified UNIX Security Administrator (GCUX)
- GIAC Certified Windows Security Administrator (GCWN)
- GIAC Certified Enterprise Defender (GCED)
If you plan to go into security auditing and compliance, (ISC)2 offers the Certified Authorization Professional (CAP), which works well as an intermediate-level cert. Consider the CISA or CISM (from ISACA), or the GIAC Systems and Network Auditor (GSNA) from SANS as your senior-level goals.
For those of you more interested in counter-hacking and penetration testing, focus on EC-Council and/or SANS certs. EC-Council offers the Certified Ethical Hacker, or CEH, along with a Certified Pen Testing Consultant credential. On the SANS side, pick from the GIAC Certified Penetration Tester (GPEN) or the GIAC Web Application Penetration Tester (GWAPT). All of these are terrific intermediate-level certs. Move up to the EC-Council Licensed Penetration Tester or Certified Pen Testing Engineer by mile2.
Finally, individuals seeking computer and network forensics certification may focus on one or more of these intermediate-level certs:
- Certified Forensic Computer Examiner (CFCE), by IACIS
- Computer Hacking Forensic Investigator (CHFI), by EC-Council
- CyberSecurity Forensic Analyst (CSFA), by the CyberSecurity Institute
- GIAC Certified Forensics Analyst (GCFA)
- EnCase Certified Examiner (EnCE)
The High Tech Crime Network offers advanced Certified Computer Crime Investigator (CCCI) and Certified Computer Forensic Technician (CCFT) certifications, as does ASIS with its Professional Certified Investigator credential.