Let's Skip The Mound: 5 Security Certifications That Might Benefit You

Level 11

There are many security certifications to choose from. While the full list is long, we're primarily going to touch on five of them here. But for good measure, and simply to prove the point, here's a more extensive mound of security certifications that sits before you.

CompTIA Security+

The CompTIA Security+ certification has been around for a long time and is a well-recognized and respected certification in the field. In fact, it meets the ISO 17024 standard and is approved by the U.S. Department of Defense to fulfill Directive 8570.01-M requirements. That being said, this certification is more entry-level than anything else. You can find the details on the CompTIA web site. This certification is going to provide you with an understanding of the following areas:

  • Threat management
  • Cryptography
  • Identity management
  • Security systems
  • Security risk identification and mitigation
  • Network access control
  • Security infrastructure

All of these areas map directly to skills that are useful in a production environment. You'll probably want to have the Network+ certification first, or at least hold that level of knowledge, before this material can fully sink in.

Would the CompTIA Security+ Certification Benefit Me?

If you're in a government job and need to meet certain standards, this certification may prove to be useful. If you're a newbie to security, this certification will likely offer you a good introduction, but many hiring managers understand that it is an introductory certification. This is probably not the kind of certification that's going to dress your resume up enough to demand the big bucks, but it can't hurt to have it. Time spent learning is usually not time wasted.

GSEC: SANS GIAC Security Essentials

This is another entry-level security certification, but it's designed a bit differently: it's meant to demonstrate hands-on capability in security administration. The certification is good for four years before you need to renew it, and it is considerably more expensive than the Security+. Whereas the Security+ exam will cost you $320.00 USD, the SANS GIAC Security Essentials exam will run you just over $1200.00 USD.

You can find the details on the giac.org Web site.

Topics covered by this certification include:

  • Identifying and preventing common attacks
  • Identifying and preventing wireless attacks
  • Access controls
  • Authentication and password management
  • DNS security
  • Cryptography fundamentals
  • ICMP security
  • IPv6 security
  • Public key infrastructure
  • Linux security
  • Network mapping

Would the GSEC: SANS GIAC Security Essentials Certification Benefit Me?

For a lot of people, hands-on is the way to go. In fact, the CCIE Certification Program offered by Cisco has long been seen as one of the most credible certifications to hold, and much of that has to do with the fact that it's a hands-on certification: if you've passed one of these exams, you must know how to do whatever you were tested on. So if you want to break in at the entry level with a bit more than a sheet of paper, this is the cert for you.

Certified Ethical Hacker (CEH)

The CEH certification is a common certification that is considered intermediate-level. It's not uncommon for organizations to request network security assessments, and the CEH is a key certification that companies offering this kind of service look for. The certification teaches you the same techniques that attackers use; armed with this knowledge, you are better positioned to identify threats as they come across the network.

Some areas touched on in this certification include:

  • Reconnaissance
  • Scanning networks
  • Enumeration
  • Trojans, worms and viruses
  • Sniffers
  • Denial-of-Service attacks
  • Session hijacking
  • Hacking web servers, wireless networks, and web applications
  • SQL injection
  • Cryptography
  • Penetration testing
  • Evading IDS, firewalls, and honeypots

As you can see, the list is a bit more extensive than the Security+ list. You'll need to have that general security knowledge before you take on an intermediate certification like this.

Would the CEH Benefit Me?

If you want to be an ethical hacker, this certification is a must. If you want to be a Cyber Security Analyst working in a Security Operations Center, this certification is also valuable, because it lets you identify potentially malicious activity much more easily than if you didn't have this underlying knowledge. At the end of the day, I see a lot of people get this for the fun of it rather than to advance their career, but employers still recognize the certification, and in specialized environments they look for it.

Certified Information Systems Security Professional (CISSP)

The CISSP is an advanced-level certification. It's vendor-neutral and is one of the certs that's been around the longest. It's been on the "Certifications Most-wanted" list within organizations for many years. Those who hold the CISSP are usually senior security personnel and thus make a bit more cash. Some of the topics you'd be tested on include:

  • Risk management
  • Access control
  • Application security
  • Cryptography
  • Security architecture and design
  • Investigation and ethics

Would the CISSP Benefit Me?

If you have a minimum of 5 years of experience in two of what (ISC)2 calls the Common Body of Knowledge domains, or 4 years of experience and a college degree, this is your cert. That's because these are the requirements to obtain this certification. But what are the domains, you ask? They are Security and Risk Management, Asset Security, Security Engineering, Communications and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security.

Certified Information Security Manager (CISM)

The CISM certification is designed for anyone who is going to be managing, developing, and overseeing information security systems. This is a newer certification on the scene, but what sets it apart is that it's geared toward maintaining the highest quality standards when it comes to the audit, control, and security of an organization's security systems. It's not an entry-level certification either; it is designed for someone with experience. The requirements for this certification include:

  • Agree to ISACA's code of professional ethics
  • Pass an exam
  • Have 5 years of experience
  • Comply with a continuing education policy
  • Submit a written application

As you can tell, there's a bit of work included in just obtaining the certification, and that's not counting the actual security knowledge you need.

Would the CISM Benefit Me?

The CISM is a bit more expensive than other certifications. If you have the money, have the time, and can meet the requirements, then holding this certification is extremely beneficial. Hiring managers recognize the certification, and when you combine it with experience, the Infosec Institute puts the pay range at $52,402 to $243,610. Yes, that's a very wide range, but you have to factor experience into the mix. An entry-level position isn't going to pay top dollar, no matter what certification you hold.

Final Thoughts

At the end of the day it's up to you. How much time do you want to commit to certifications vs. hands-on experience? Are you even looking for a job? I knew a guy that had about 40 different certifications, and the only reason he got them is because he was bored at work. He had no intention of leaving his high-paying job that was paying for him to become certified, especially when he didn't have much to do when he did have to work.

Still, one should recognize that employers try to filter through potential candidates, and having a security certification can help shuffle your resume to the top. If you get that far you'll have to prove that you know your stuff in an interview, and that's a whole other conversation.

20 Comments

Good article.

MVP

I need to look into at least the first one or two in the list above...

Level 13

I earned the CompTIA Security+ several years ago. It was basic as described, but still a good start.

At that time, the next most noticeable one was the CISSP, but since I wasn't on the security team where I worked and due to department size Security person there, wasn't likely to put it to use there. I have taken some Cisco Security classes, but not to the full CCIE level. It might be worth looking at one of the other ones now.

MVP

Nice article

CISSP is certainly on my radar.

I appreciate the "How will this cert benefit me?" analysis. Thank you!

Level 14

Good write-up, and if anyone needs any of these, I know a great place that teaches them all and tests you wherever you are. RFK Solutionz

Level 12

Thanks for this. I have some things to ponder now.

Level 9

These are great certs to have. I believe that even a CISO or someone in that capacity should hold a heavy cert or two so they understand what goes on at the security and operation level.

Level 13

Nice reading. Really opens the eyes on this topic.

Level 14

All good certifications. Choose your path well.

Level 12

I get a kick out of employers requiring CISSP for entry-level security positions. I can't imagine anyone in security actually wanting to work for a company that would require that certification for an entry-level job. I just dismiss that employer as stupid and only caring about buzzwords and not knowing the meaning behind any of it, or the requirements for it.

Sadly, I see this more and more going on in IT lately. Employers want to hire people who have experience-based certifications (those requiring actual work experience before you're even allowed to take the classes and tests for them) for entry-level positions. Even in my small area I am seeing more and more of it. I saw a company looking for an entry-level Junior Network Analyst paying $18 an hour, and one of the requirements was to have the CCNP certification, but they would be willing to accept a CCNA with 3 years of experience. Talk about unrealistic expectations: hiring and paying for an entry-level position, but requiring mid-level experience and certifications.

I would love to get some certifications under my belt, but with my employer not really willing to foot the bill for it, I cannot really afford to do so on my own sadly. Not when a CCNA boot camp costs 5-6 grand. That is almost a whole year of rent for me.

Level 13

Obtaining the CEH was fun. During the training sessions, our instructor had us hacking a lot of things that I never even dreamed of. The scariest part was how easy it was, and the fact that all the tools we used were free downloads on the internet.

I've seen the same: entry-level CISSP positions. Nearly as bad as needing 15 years of node.js experience.

Level 12

I had to go look up when node.js was actually created. 2009. Yeah, that sounds about right for the IT world nowadays. It's only been around for 9 years, but if you want a job in it, you need 15 years of experience. Lol.

Level 11

Mind sharing an article or giving a heads up on the tools you used and what you hacked?

brandoncarroll nice article.

Can you or anyone write a similar article on freeware certifications that are worthwhile and good (similar to the SolarWinds Certified Professional)?

Level 20

I've had my CISSP for over four years now, and this year I'm planning to cover and get the CEH. With those two you can cover most of the DoD IT positions:

[Attached image: 8570-cert-REV201510.jpg]

Level 17

Excellent Breakdown! Thank you for the review.

MVP

Neat layout, that will be useful this year.

Level 21

I really like the additional info provided on who these certifications are best suited for; thanks for taking the time to write this up!

About the Author
Brandon Carroll, CCIE #23837, is the CEO of California-based Global Config Technology Solutions, Inc., a tech blogger, and a Cisco Press author. With over 15 years in IT, a few certifications, and a love for technical education, you'll find him at Cisco Live, on the Packet Pushers Podcast, Twitter, and Google+.