Are you looking to set yourself apart as a cybersecurity professional?
The following is a
list of four top cybersecurity certifications – a list that I assembled after
reviewing job postings and salary survey reports, as well as based on my
general sense of how well various certifications are perceived within the
information security industry. Please note that my list addresses only general
information security certifications; it does not include the various valuable
add-on credentials that can be earned after obtaining a general certification,
nor does it cover certifications that are specific to particular products or
services.
CISSP
The Certified Information Systems Security Professional (CISSP) certification
covers a broad range of security-related domains, going into greater depth in
some areas than in others. The CISSP is intended for people with several years
of experience in the information security field, and people holding the CISSP
often earn higher salaries than both their uncertified peers and counterparts
holding other certifications. The CISSP gives employers the comfort of knowing
that a worker understands important aspects of more than just one or two areas
of information security; because the components of information security are
highly interconnected, such breadth is valuable, and it becomes absolutely
necessary as one ascends the information-security management ladder.
The CISSP credential is issued by the widely trusted (ISC)2 organization, is
vendor neutral and more evergreen than many other certifications, and requires
candidates to possess several years of professional experience before they can
be certified. From a practical perspective, study materials and training
courses for the CISSP exam are widely available, and the exam is administered
in more locations and on more dates than most, if not all, other cybersecurity
certifications. (ISC)2 also offers multiple add-ons to the CISSP for those
interested in proving their mastery of information security architecture,
management, and engineering.
One important note: the CISSP does not test hands-on skills. People looking to
demonstrate knowledge of entry-level IT auditing, penetration testing, security
administration, and the like might want to consider either a more technically
focused general certification such as CompTIA Security+ (discussed below), or
product- and skill-specific certifications.
(For full
disclosure – I hold the CISSP certification, as well as two add-on credentials
– CISSP-ISSAP and CISSP-ISSMP, and I wrote (ISC)2’s official study guide for
the CISSP-ISSMP exam.)
CISM
The Certified Information Security Manager (CISM) credential from the
Information Systems Audit and Control Association (ISACA) has exploded in
popularity since its inception 15 years ago. As its origin suggests, the CISM
is, generally speaking, somewhat more focused than the CISSP on the policies,
procedures, and technologies used to manage and control information security
within large enterprises and organizations. As with the CISSP, a CISM candidate
must have several years of professional information-security experience.
Despite the differences between the two, with the CISSP delving deeper into
technical topics and the CISM doing the same for management-related topics,
there is also significant overlap between them.
CompTIA Security+
CompTIA Security+ is a vendor-neutral general cybersecurity certification
offered by the well-respected technology-education non-profit CompTIA, and it
can be especially valuable for people early in their careers. There is no
minimum number of years of professional experience required to earn
Security+, and anyone who can pass the exam can become certified, but most
people will stand a better chance of passing after working for a year or two
and gaining experience with security in the real world.
While, like the CISSP and CISM, CompTIA Security+ covers a broad array of
topics, it goes into more technical detail than either the CISSP or the CISM in
several areas, more directly addressing the knowledge needed to perform
entry-level IT auditing, penetration testing, systems administration, network
administration, and security administration roles; hence, Security+ is a good
early-career certification for many people.
One important note: people who passed the CompTIA Security+ exam in 2010 or
earlier are not required to satisfy any continuing education or additional
testing requirements to maintain their credentials, while those who have earned
the designation since 2011 must. Hence, some of the criticism of CompTIA
Security+ that one might find online applies only to its early iteration, and
some information security professionals attribute more value to a current
Security+ certification than to an older one.
CompTIA offers additional higher-level certifications for those wishing to
demonstrate mastery of specific technologies and skills such as cloud security,
Linux security, and penetration testing. CompTIA also offers plenty of
materials from which to prepare for the Security+ exam, including an official
study guide and CertMaster Learn for CompTIA Security+, a comprehensive
self-paced eLearning platform that uses videos, text, and various tests and
assessments to help candidates prepare.
GSEC
The Global Information Assurance Certification (GIAC) Security Essentials
Certification (GSEC) is the entry-level security certification covering the
material taught in courses run by the respected for-profit information-security
training company SANS Institute (officially the organization's name is Escal
Institute of Advanced Technologies, but in decades in the information-security
field, I have never heard it referred to by that name).
Like Security+,
GSEC contains a lot more “hands-on” practical material than the CISM or CISSP
certifications, making it more valuable than those alternatives in some
scenarios and less desirable in others. Despite being marketed as entry level,
the GSEC exam is, generally speaking, regarded as more difficult and
comprehensive than that of Security+. Also, in the case of GSEC, all credential
holders must show continued professional experience or educational growth in
the field of information security in order to maintain their credentials.
One important caveat, however, is that, at least as of recently, the GSEC exam
costs more than five times as much to take as the Security+ exam; given the
greater level of difficulty and the much greater cost, GSEC might be considered
geared toward people somewhat more experienced than those who would benefit
most from earning a Security+ designation.