Everything about the IT security certifications you always wanted to know, but you are too afraid to ask pt.2

In the previous article we gave a brief introduction to why it is important to be certified if you work with customers from different parts of the globe.

This sequel is meant to help you plan your career path wisely, rather than just collecting certificates to create a fancy alphabet soup for your e-mail signature. If you want to become a certified security professional but do not fully understand what the individual certifications mean, you are in the right place.

Before we go through these certifications one by one, let me ask you a question: how do you know which certificate is right for you? The answer is not as tricky as you might think; it depends on your own goals and capabilities. What is your background? What is your goal? Would you like to be a penetration tester or a consultant, maybe an auditor or an architect, a higher-level manager or a CISO?

Then you must assess your current level of knowledge and, based on that, decide whether you want to specialize in a specific technology or would rather be a security generalist. You must also know your budget: GIAC certifications, for example, can cost up to 1000$ per attempt, while here in Europe almost no one knows them. Now let's look at the certifications one by one.




CompTIA Security+

PRO: Entry-level certification from the DoD list (see the previous article), and one of the most recognized entry-level exams. It is a vendor-neutral security certification that covers a wide range of information security topics and does not require any prior security experience.

CONTRA: It is relatively expensive (the current price is 370$), and to keep it you must collect continuing-education points; alternatively, passing another CompTIA certification automatically renews your previous ones.

FOR WHOM: Since it is an entry-level certification, it is recommended for those who are relatively new to security or who previously worked as system administrators or developers. It can be useful even for solution architects because it gives a good overall view of security.


CEH (Certified Ethical Hacker)

PRO: This is a well-known certificate that appears in many job advertisements. It gives you a good understanding of how an attack works and what the steps of a cyber-attack are, and it explains a lot of detail on specific scenarios, e.g. how a Man-in-the-Middle attack works.

CONTRA: There is a lot of criticism of the CEH: despite its name, it does not make you able to do penetration testing, since the CEH is a 125-question multiple-choice test.

FOR WHOM: As an entry- to mid-level exam, it is recommended for professionals who have a good understanding of IT overall. Without a solid foundation in networking, system engineering and applications, the content is not easy to digest.

CISA (Certified Information Systems Auditor)

PRO: CISA is the gold standard for IT auditors, a worldwide-respected and well-known mid- to senior-level exam. Here in Hungary it was perhaps the first, and is so far the most recognized, IT security certification, and the provider, ISACA, has a solid base in the country. If you would like to work as an IT security specialist at any government-related institution (which falls under Act L of 2013), you must be CISA certified.

CONTRA: There is also a lot of criticism of the CISA: it is the least technical and the most process-focused of the advanced-level certificates. People also like to mention that the CISA is too heavily influenced by the COBIT framework, and that according to the certification mindset everything that is not in COBIT is wrong…

FOR WHOM: CISA is ideal for system auditors and for professionals who mainly focus on GRC (governance, risk and compliance) within information security.


CISM (Certified Information Security Manager) 

PRO: In my humble opinion this is the easiest of the mid- to senior-level certifications (compared to CISA and CISSP). It is also based on the COBIT framework, but from a different perspective: as the name indicates, it is for managers. The certification focuses on how to prepare decisions when you must balance cost-effectiveness against security, and gives good overall knowledge of how security works at the organizational level.

CONTRA: Absolutely management-focused mindset, definitely not for “techies”.

FOR WHOM: If you are aiming for higher-level management roles, this is ideal for you. On the other hand, the CISM is highly process-driven and does not focus enough on the technical details.


OSCP (Offensive Security Certified Professional)

PRO: This one is a real hardcore technical exam: to earn the OSCP title you must complete a 24-hour, hands-on penetration test in capture-the-flag style. If you are OSCP certified, no one will question your penetration testing knowledge.

CONTRA: The exam (with the practice lab access) costs up to 1600$, which makes it one of the most expensive ones on our list.

FOR WHOM: This certification is not for consultants or security managers but for technical team members doing penetration testing or red teaming; it also comes in handy for blue team members.


CISSP (Certified Information Systems Security Professional)

PRO: The most beneficial certification of all. The CISSP is the gold standard of IT security certifications: the best known and one of the most respected. If you google “security certifications”, the first result will be the CISSP, and according to salary surveys CISSP holders earn the most.

CONTRA: Requires 5 years of full-time experience in at least 2 of the CBK (Common Body of Knowledge) domains, or 4 years of experience plus a college degree in the field, or 4 years of experience plus another security certification (e.g. SSCP, Security+, GSEC). The main criticism of the CISSP is at the same time its core element: the knowledge is 5 miles wide but only 1 inch deep… You will know security end to end, but you will not be an SME in any domain without additional research and study.

FOR WHOM: An advanced-level certification for those in higher positions, such as consultants, architects or senior analysts. It can be useful for security managers as well.

Finally, let me share some honorable mentions provided by (ISC)2. These certificates are less known (at least here in Hungary), but they are well designed and all of them are recognized in the USA.

SSCP (Systems Security Certified Practitioner)

  • Considered the “little brother” of the CISSP, since the domains overlap by at least 60%.
  • Requires 1 year of full-time experience in information security.
  • More hands-on than the CISSP.
  • Best price/value ratio at 250$, and it is considered a mid-level cert according to the DoD.

CSSLP (Certified Secure Software Lifecycle Professional)

  • Recommended for professionals who work with developers.
  • Requires 3 years of experience in software development and/or information security (or holding a CISSP).

CCSP (Certified Cloud Security Professional)

  • Essential (vendor-neutral) knowledge of cloud security.
  • Requires 5 years of IT experience, including 3 years in information security and 1 year in at least one CCSP domain; holding a CISSP satisfies the whole requirement.

Next time we will take a look at our qualified colleagues to see how they use their expertise in relation to customer requirements.

Written by

Gilbert Tibor Jakub

IT Security Engineer

