Saturday, September 28, 2013

1. Best InfoSec Certs


Serious-minded information security professionals should consider adding one or more of these top five information security certifications to their to-do lists if they want to set themselves apart and pitch themselves as leaders, movers, or shakers in the field.
When it comes to information security (aka InfoSec), you need only read the headlines to see that attackers constantly find new and alarming ways to access, and misuse, privileged information for unscrupulous or questionable purposes. As a result, IT professionals skilled in information security remain in very high demand.
When evaluating prospective candidates, employers frequently look to certification as a measure of excellence and commitment to quality. In this article, I take a look at five InfoSec certifications I consider to be leaders in the field of information security.
Ed Tittel
Ed Tittel is a 30-year-plus veteran of the computing industry, who has worked as a programmer, a technical manager, a classroom instructor, a network consultant and a technical evangelist for companies that include Burroughs, Schlumberger, Novell, IBM/Tivoli and NetQoS. He has written and blogged for numerous publications, including Tom's Hardware, and is the author of over 140 computing books with a special emphasis on information security, Web markup languages and development tools, and Windows operating systems.


2. CompTIA Security+



CompTIA's Security+ credential is a well-respected, vendor-neutral security credential. Credential holders are recognized as possessing superior technical skills, broad knowledge, and expertise in multiple security-related disciplines. While Security+ is an entry- or foundation-level certification, successful candidates should possess at least two years of experience working in the area of network security. Credential holders possess expertise in knowledge areas such as cryptography, identity management, security systems, organizational systems, identifying and mitigating security risks, network access control, security infrastructure, and more.
The Security+ credential is relatively inexpensive, with the exam currently priced at $266 USD (discounts apply to those who work for CompTIA member companies). Training is available, but not required. Professionals who earned this credential prior to January 1, 2011 remain certified for life. Those who certify after January 1, 2011 must renew every three years to stay current. To renew, credential holders must either pass the current Security+ exam or complete 50 Continuing Education Units (CEUs) before the three-year period expires. CEUs can be obtained through a variety of activities, including teaching, blogging, publishing articles or white papers, participating in conference events, or similar activities.


3. GIAC Security Essentials


Another fine entry-level credential, the GIAC Security Essentials (GSEC) certification is designed for professionals seeking to demonstrate that they not only understand information security terminology and concepts, but also possess the skills and technical expertise necessary for hands-on security roles. Credential holders demonstrate knowledge and technical skills in areas such as 802.11 protocols, identifying and preventing common and wireless attacks, network mapping, public switched telephone networks, access control, authentication, password management, DNS, cryptography fundamentals, ICMP, IPv6, Public Key Infrastructure, Linux, network protocols, and much more.
The GIAC Security Essentials exam is quite a bit more expensive than the Security+ exam: it is currently priced at $999 USD. While a training program is not required, credential seekers may take a "boot camp" course that includes the cost of the exam. Certifications must be renewed every four years. To renew, credential holders must accumulate 36 Certification Maintenance Units (CMUs), all of which must be obtained in the two-year period immediately preceding certification expiration. GIAC offers three ways to meet the 36 CMU requirement: passing the current certification exam (worth 36 CMUs), attending or teaching ISO 17024-related courses, or publishing books, articles, or research papers.
For more information on the GIAC Security Essentials credential, visit www.giac.org/certification/security-essentials-gsec.

The SANS GIAC Program

In addition to the Security Essentials credential, GIAC currently offers a full range of certifications (over 50 individual credentials, in fact) ranging from entry to advanced levels for IT professionals seeking careers in security administration, forensics, legal, audit, management, and software security. GIAC certifications are designed to stand alone; however, GIAC recommends that credential seekers obtain entry-level certifications first and use them as skill builders for more advanced credentials.
For more information on other GIAC credentials or to view the entire GIAC certification roadmap, visit www.giac.org/certifications/get-certified/roadmap.


4. Certified Ethical Hacker (CEH)


Hackers are certainly innovators, and they constantly find new ways to attack networks and systems and to exploit vulnerabilities. Savvy businesses proactively protect their information systems by engaging IT professionals skilled in beating hackers at their own game (often called "whitehat hackers" or simply "whitehats"). Such professionals use the same skills and techniques as attackers to identify system vulnerabilities and points of entry, and then to prevent unwanted access to networks and information systems.
The Certified Ethical Hacker (CEH) credential is an intermediate-level credential offered by the International Council of E-Commerce Consultants (EC-Council). It is a must-have for IT professionals pursuing careers in ethical hacking. CEH credential holders possess skills and knowledge of hacking practices in areas such as footprinting and reconnaissance, scanning networks, enumeration, system hacking, Trojans, worms and viruses, sniffers, denial of service attacks, social engineering, session hijacking, hacking web servers, wireless networks and web applications, SQL injection, cryptography, penetration testing, and evading IDS, firewalls, and honeypots, among others.
To obtain the CEH certification, candidates must pass an examination priced at $500. A comprehensive five-day CEH training course is recommended, with the exam presented at the end of training. Candidates wishing to self-study for the exam may do so, but must submit employer-verified proof of at least two years' work experience in information security. Self-study candidates are also required to pay an additional $100 application fee. Education may be substituted for experience, but this is approved on a case-by-case basis. Because technology in the field of hacking changes almost daily, credential holders are required to obtain 120 continuing education credits in each three-year cycle, with at least 20 credits obtained each year.
For more information on the CEH certification, visit www.eccouncil.org/certification/certified_ethical_hacker.aspx.


5. Certified Information Systems Security Professional (CISSP)


The Certified Information Systems Security Professional (CISSP) is an advanced-level certification for IT professionals serious about careers in information security. Offered by the International Information Systems Security Certification Consortium, usually known as (ISC)2 (pronounced "ISC-squared"), this vendor-neutral credential is recognized worldwide for its standards of excellence.
CISSP credential holders are decision makers who possess the expert knowledge and technical skills necessary to develop, guide, and then manage security standards, policies, and procedures within their organizations. The CISSP continues to be highly sought after by IT professionals, well recognized by IT organizations, and a regular fixture on most-wanted or must-have security (and other) certification surveys.
CISSP is designed for experienced security professionals. A minimum of five years' experience in at least two of (ISC)2's ten Common Body of Knowledge (CBK) domains is required for this certification. The CBK domains are:
  • Access Control
  • Application Development Security
  • Business Continuity and Disaster Recovery Planning
  • Cryptography
  • Information Security Governance and Risk Management
  • Legal, Regulations, Investigations and Compliance
  • Operations Security
  • Physical (Environmental) Security
  • Security Architecture and Design
  • Telecommunications and Network Security
Please note that the test domains were scheduled to change on January 1, 2012, so credential seekers will want to check the (ISC)2 website frequently for updates and the latest certification requirements. The cost of the exam is $599. Annual maintenance fees of $85 are required to maintain the credential, along with 120 Continuing Professional Education (CPE) credits over each three-year cycle. At least 20 CPEs must be earned annually to maintain a current CISSP.

CISSP Concentrations: ISSAP, ISSEP, and ISSMP

(ISC)2 also offers three CISSP concentrations or "merit badges" targeting specific areas of interest in IT security:
  • CISSP Architecture (CISSP-ISSAP),
  • Engineering (CISSP-ISSEP),
  • Management (CISSP-ISSMP).
Merit badge exams are $449 each and credential seekers must currently possess a valid CISSP.
For more info on CISSP, ISSAP, ISSMP, and ISSEP credentials, visit: www.isc2.org/CISSP/Default.aspx.


6. Certified Information Security Manager (CISM)


The Certified Information Security Manager (CISM) is a top credential for IT professionals responsible for managing, developing, and overseeing information security systems in enterprise-level applications, or for developing best organizational security practices. The CISM credential was introduced in 2003 by the Information Systems Audit and Control Association, also known as ISACA.
ISACA's organizational goals are specifically geared to IT professionals interested in the highest quality standards with respect to audit, control, and security of information systems. The CISM credential targets the needs of IT security professionals with enterprise-level security management responsibilities. Credential holders possess advanced and proven skills in security risk management, program development and management, governance, and incident management and response.
Designed for experienced security professionals, CISM candidates must agree to the CISM Code of Professional Ethics, pass a comprehensive examination, possess at least five years' security experience, and submit a written application to qualify. Some combinations of education and experience may be substituted to meet the experience requirement.
The exam is relatively inexpensive. ISACA members who register early can take the exam for as little as $425. Non-members can expect to pay around $615 USD for the exam. The CISM credential is valid for three years. Credential holders must pay annual maintenance fees of $40 for ISACA members or $85 for non-members. Credential holders are also required to obtain a minimum of 120 Continuing Professional Education (CPE) credits over the three-year term to maintain the credential. At least 20 CPEs must be earned each year.
ISACA also offers numerous other certifications for those interested in best practices and information security. Other credentials worth considering include:
  • Certified Information Systems Auditor (CISA)
  • Certified in the Governance of Enterprise IT (CGEIT)
  • Certified in Risk and Information Systems Control (CRISC)
The CISA designation was created for professionals working in information systems auditing, control or security. The CGEIT credential targets IT professionals working in enterprise IT management, governance, strategic alignment, value delivery, and risk, resource and performance management. IT professionals seeking careers in all aspects of risk management will find that the CRISC credential nicely meets their needs.
For more information on CISM and other ISACA credentials, visit the ISACA web site at www.isaca.org/Certification/CISM-Certified-Information-Security-Manager/What-is-CISM/Pages/default.aspx.


7. Beyond the Top 5 Information Security Certs

In addition to these must-have information security credentials, there are many, many more certifications available to fit the career needs of any IT professional interested in information security. On behalf of SearchSecurity.com, I conduct an annual survey of information security certifications. There, you'll find information on certifications for all career stages from beginner to expert, along with information on vendor-neutral and vendor-specific credentials. Regardless of your career interests, you're certain to find a certification that's right for you.
To help you on your security certification journey, check out the following:
We expect to revise this survey (last conducted in May 2013) by early 2014, so you should find a new version online sometime early in 2014.



Comments

  1. Very informative and a different one. I would like to share the information to get jobs easily.
    Online Data Scientist



Copyright © 2013 Selva Sharing. Powered by Blogger. Designed by @ Access.