Top cyber security certifications: Who they're for, what they cost, and which you need

Expand your skills, know-how, and career horizons with these highly respected cyber security certs

Two of the most common questions I’m asked are, "Is having a computer security certification is helpful in getting a job or starting a career in computer security?, and if so, "Which certification should someone get?." The answer to the first question is a definite yes. Getting a certification, while not a cumulative showing of your entire experience and knowledge in a particular area, can only help you. That’s true not only in getting a new job, but in improving your knowledge and experience overall, even in your current job.

Critics often say a certification means nothing, and that acumen and experience are the only true differentiators. As a holder of dozens of IT certifications, I beg to differ. More importantly, most employers agree with me. While a computer certification doesn’t tell the whole story, to say it doesn’t say anything about a person is an error in the opposite direction.

Every certification I’ve gained took focused, goal-oriented study, which employers view favorably, as they do with college degrees. More important, I picked up many new skills and insights into IT security while studying for each certification test. I learned about new things, and I also gained new perspectives on subjects I thought I had already mastered. I became a better employee and thinker because of all the certifications I have studied for and obtained. You 

Sometimes, a particular certification is the minimum hurdle to getting an in-person job interview. If you don’t have the cert, you don’t get invited. Other times, having a particular certification can give you a leg up on competing job candidates who have similar skill sets and experience, but don’t have the desired certification.

Security is more important to computing and the internet than ever before, and the following, well-respected security certs will not only help you stand out from the crowd, but also make you a more valuable member of the IT security community.

IT Security Certifications

Here is a summary of some of the most desired IT security certifications.

Certified Information Systems Security Professional (CISSP), ISC2

The International Information Systems Security Certifications Consortium’s(ISC2) Certified Information Systems Security Professional (CISSP) certification is the most coveted and accepted computer security certification around. This general computer security knowledge certification exam covers eight Common Body of Knowledge (CBK) domains, including access control, operations security, cryptography, and more.

The test consists of 250 multiple-choice questions that must be answered in six hours. Candidates must already have four to five years of professional experience in two or more of the CBK domains, and they must be endorsed by a current CISSP certificate holder. Those who pass the certification must also sign and agree to follow a set of ethics, and each certification holder must periodically resubmit proof of continuing education, along with a fee, to keep the CISSP designation. Initial exam cost is $699.

I used to be an unofficial CISSP exam instructor and have taught hundreds of students how to take and pass the exam. In my experience, candidates should buy at least two CISSP exam prep books and take at least 1,000 practice questions. Every student I had who followed this advice passed on the first attempt.

I haven’t always been a big fan of the CISSP test questions themselves. Back when I took and passed the exam, test questions weren’t always well edited or even technically correct. When I contacted ISC2 to complain, I was told these were most likely “beta” test questions that didn’t count toward scoring. Furthermore, no matter how much you studied or how many practice questions you answered, a large part of the exam would seem unfamiliar. Back in the day, most CISSP test takers would walk out of the exam not knowing how they did, even if they did well.

Although I hear the overall quality of the test questions are now better, test takers still feel they don’t know how they did until they are scored, but they find out immediately how they did. Despite those significant criticisms, there isn’t a more respected security certification. Customers rarely ask what certifications I have, but if they do, they are almost always waiting to hear me say CISSP because the person asking usually has their CISSP. It’s a good club to be in.

Truth be told, you’ll be a lot better computer security person having studied for and taken the exam. It covers a wide range of computer security topics and if someone starts talking about the “CIA triad,” you’ll know what they are talking about. ISC2 has at least seven other certification exams, all of which are well respected.

SysAdmin, Networking, and Security (SANS) Institute

The SysAdmin, Networking, and Security Institute (SANS) organization and website is a great resource for security pros. Training, research, education, books, certifications -- SANS does a lot and does it well. If you’re interested in being a respected technical expert, SANS offers the certs for you. It even offers two master-level accredited degrees under the brand of the SANS Technology Institute, if you want the pinnacle technical achievement of our field.

SANS has a host of certifications, ranging from very niche security topics -- malware analysis, firewalls, host security, security controls, and so on -- to its hugely respected Global Information Assurance Certification (GIAC) Security Expert designation. I don’t think I’ve ever taken a SANS course that didn’t teach me more in a few hours than in weeks spent in classes offered by other training vendors, and I’ve yet to meet a GIAC holder that didn’t impress me.

GIAC certifications are classified in five subject areas: security administration, forensics, management, auditing, and software security. Most exams are open book and have a time limit of two to five hours. The candidate must complete the certification within four months of attempting the exam. Unfortunately, according to the GIAC exam guide, some tests could include “unscored” test questions like the CISSP. My guess is there will be fewer beta test questions and what they have is better proctored. SANS is starting to venture into hands-on testing that involves live virtual machines (VMs).

Some of SANS’s most popular GIAC exams are GIAC Information Security Professional, GIAC Certified Incident Handler, and GIAC Reverse Engineering Malware, but it offers courses that run the gamut, including Windows, web servers, penetration testing, Unix security, wireless networking, programming, leadership, and program management. GIAC testing is meant to be taken after attending SANS training, which usually lasts a week, but you can challenge (not take the official training) the exam for $1,699. All GIAC certification exams must be renewed every four years. If you want to learn a lot about computer security, how hackers hack, and how malware is made, start your SANS courseware now.

Certified Ethical Hacker (CEH), the EC-Council

The EC-Council’s Certified Ethical Hacker (CEH) certification is well-respected way to learn how to be a white-hat hacker (or professional penetration tester). The CEH introduced me to some interesting hacking tools that I still use today. The four-hour exam includes 125 multiple-choice questions. The application eligibility fee is $100.

You will sometimes hear long-time computer security professionals talking down about the CEH certification. I think that is from earlier versions when CEH was one of the first computer certifications for penetration testing, back when computer security exams, in general, were new and easier to pass. Today, the CEH holds its own for general toughness, and the EC-Council offers a number of other useful exams, including Computer Hacking Forensic Investigator, Licensed Penetration Tester, Certified Incident Handler, and Certified Disaster Recovery Professional. It even has an exam for a Chief Information Security Officer.

Offensive Security Certified Professional (OSCP)

If your hacking love is penetration testing and you don’t want to take the easy route, the Offensive Security Certified Professional (OSCP) course and certification has gained a well-earned reputation for toughness with a very hands-on learning structure and exam. The official online, self-paced $800 training course is called Penetration Testing with Kali Linux and includes 30 days of lab access. Because it relies on Kali Linux (the successor to pen testers' previous favorite Linux distro, BackTrack), participants need a basic understanding of how to use Linux, bash shells and scripts.

The OSCP is known for pushing its students and exam takers harder than other pen-testing paths. For example, the OSCP course teaches, and the exam requires, the ability to obtain, modify and use publicly obtained exploit code. For the “exam,” the participant is given instructions to remotely attach to a virtual environment where they are expected to compromise multiple operating systems and devices within 24 hours and thoroughly document how they did it.

Offensive Security offers more advanced pen testing courses and exams including web, wireless, and advanced Windows exploitation. Readers might want to take advantage of their free, online basic Metasploit tool course .

Security+, CompTIA

CompTIA offers entry-level, comprehensive certification exams in PC repair (A+), networking (Network+), and security (Security+). Because a CompTIA exam is often the first test taken by many people new to the computer industry, it unfortunately has the reputation for being too basic a certification.

In my opinion, and by the standards of many employers, this is not true. The exams might not be as respected as other certification leaders, but they are comprehensive and you must study hard to pass. CompTIA Security+ certification covers network security, cryptography, identity management, compliance, operation security, threats, and host security, among other topics. You get 90 minutes to complete 90 questions. I took the Security+ exam a long time ago, but it was tougher than expected for an exam that covers the basics. It even includes some simulated environments where the test taker has to select the right options. Price is $311.

ISACA

ISACA, formerly known by its full name, Information Systems Audit and Control Association, offers a range of respected certifications focusing mainly on auditing, management, and compliance. Its major certifications include the following: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), and Certified in Risk and Information Systems Control (CRISC).

While the titles might not blow you away with excitement, it’s precisely their professional staidness that sells the value of these certifications. If you are interested in computer systems auditing or computer security management, these are the certifications to get. ISACA exams are frequently earned by top moneymakers.

One of the first and hardest exams I ever took and passed was a state-level Certified Public Accountant (CPA) exam, which has nothing to do with computer security, of course. The type and structure of the ISACA exam questions remind me the CPA exam. I’ve earned both the CISA and CISM, and I have found both to be good tests of security knowledge. Application fees are only $50, but they require five years of relevant experience for you to be eligible to take the tests. Buying a preparation book and taking a few hundred practice test questions, on top of your experience, should be all you need to earn these certs.

CREST

Internationally, the not-for-profit CREST information assurance accreditation and certification body’s courses and exams are commonly accepted in many countries, including the United Kingdom, Australia, Europe, and Asia. CREST’s mission is to educate and certify quality computer security professionals. All CREST-approved exams have been reviewed and approved by the UK’s Government Communication Headquarters (GCHQ), which is analogous to the United States’ NSA.

CREST’s basic information security exam is known as the CREST Practitioner Security Analyst (CPSA) and there is a pen testing exam called the CREST Registered Tester (or CRT). Exams and costs vary by country, but in Australia, for example, the CRT exam cost $1,000 AU.

Vendor-specific certifications

Many vendors, such as Microsoft and Cisco, offer security-specific exams that are worth pursuing. Years ago, Microsoft had several security-specialist exams, such as MCSE: Security. Security has become a general concern for all platforms and technologies, and for years Microsoft has put more and more security questions and testing into all its exams.