Vendor-neutral certification guide for infosec professionals

The vendor-neutral certification landscape features over 100 certs designed for infosec pros who want to advance their careers and apply their knowledge for current and future employers.

This special report highlights the best vendor-neutral security industry certifications for achieving goals specific to your information security career path. It's a companion to three other surveys that cover an intro to security certifications (the vendor-neutral survey), vendor-specific security certifications and popular cloud security certifications in brief.

The table below summarizes the certification counts in the vendor-neutral survey. Although 19 vendor-neutral certifications have been added since 2015, several credentials were retired or recategorized. In the end, the overall count increased by 15 certifications.

As was indicated in the companion vendor-specific certification analysis, it is easy to decide which vendor-specific certifications to pursue: earn those that apply to the technology your employer or customers use, or those that will have value to potential future employers or customers.

Summary of changes, by the numbers

Deciding what to achieve on the vendor-neutral side not only involves an understanding of where individual certifications and certification programs fit in the overall scheme of coverage, but also requires comparing similar programs to decide which ones can best help support your career goals.

With over 150 certifications covered in the vendor-neutral, vendor-specific and cloud security surveys, there is no shortage of options. The question is, how do you know which certification is right for your career path? This article provides a brief analysis of the vendor-neutral certification landscape and suggested educational options for your information security career path that you can pursue at any point in your career.

Today, (ISC)2 Inc.'s Certified Information Systems Security Professional (CISSP), SANS Institute's Global Information Assurance Certification (GIAC) and the ISACA Certified Information Security Manager (CISM) are the best-known and most widely followed IT security certification programs. That said, the CompTIA Advanced Security Practitioner (CASP) is included in U.S. Department of Defense Directive 8570.01-M, which means that credential is bound to be extremely popular with government employees and government contractors alike.

The number of certified individuals in these programs varies; some have fewer than 10,000 certified members, while there are now more than 112,000 individuals worldwide who hold the CISSP designation. The CISM, by comparison, has a certified population of just over 27,000.

CompTIA's Security+ still weighs heavily among the entry-level certifications, as it continues to attract ongoing interest and participation. Today, the number of Security+ certifications tops 250,000. IBM includes Security+ in some of its own certification programs, Apple and Dell incorporated Security+ into their training programs or require the certs from job candidates, and the U.S. Department of Defense accepts Security+ to meet its most basic information assurance (IA) certification requirements. Holders of Security+ can also substitute it for one year of job experience toward the CISM certification requirements.

Security+ remains my leading selection as the best-recognized and the best overall entry-level information security certification currently available. To earn the Security+ certification, candidates must pass a single exam.

More broadly, the entry-level credentials with the most weight are CompTIA's Security+, SANS GIAC Information Security Fundamentals Certification (GISF) and the (ISC)2 Systems Security Certified Practitioner (SSCP).

The CISSP, the CISM and the SANS GIAC intermediate and senior credentials remain the best bets for those seeking more than entry-level security credentials, while Certified Ethical Hacker is now a viable option for those interested in highlighting their current system penetration techniques and counter-hacking skills.

The Certified Protection Professional, Professional Certified Investigator, Physical Security Professional and the various CISSP concentrations are restricted to the most senior members of the security community, simply because they require five to nine years of work experience in the security field for candidates to even qualify for the exams.

There have been some interesting changes to the requirements for individuals, including contractors, who wish to work in information security for any arm of the U.S. government or branch of the U.S. military. In this realm, IA means more or less the same as what computer scientists often refer to as information security or cybersecurity.

This is also a world where the word qualification means that individuals have obtained the clearance and competence documents necessary to fill IA job roles, and have met certification and hands-on requirements to demonstrate their skills and abilities and real-world performance. Thus, when you see the word qualified in some infosec or IA certification names, you must understand that this speaks to a hands-on orientation, as well as testing that includes performance-based methods in its scope and coverage.

Given this landscape and the following security certification ladder, individuals can start and climb at any point, depending on their current knowledge, skills and experience.

Start your vendor-neutral certification journey with a broad, entry-level security cert. This could be one of the following credentials, any of which will provide an excellent and thorough background in computer security theory, operations, practices and policies.

CompTIA Security+

CompTIA's Security+ certification is the entry-level information security certification of choice for IT professionals seeking to pursue further work and knowledge in this area. The certification meets the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 17024 standard for personnel certification programs and is compliant with the U.S. government's Federal Information Security Management Act. It covers network security, application security, cryptography, identity and access management, and other areas.

The Security+ exam, which costs $320, consists of 90 multiple-choice and performance-based questions. Instructor-led training courses are also available. CompTIA recommends that candidates have two years of IT administration experience with a security focus, plus the CompTIA Network+ certification.

Source: CompTIA Security+

(ISC)² Systems Security Certified Practitioner

The International Information Systems Security Certification Consortium, or (ISC)², is also home to the CISSP, the best-known senior-level security certification (senior-level certs are covered later in this article). If you're of a mind to go that route, the SSCP is a great way to prepare.

Those interested in pursuing the SSCP need to possess at least one year of experience in one or more of the seven SSCP Common Body of Knowledge domains. Candidates must also pass an exam to obtain the credential.

Those who do not yet meet the experience requirement may choose to first obtain the Associate of (ISC)2 certification, which is available to any candidate who passes the Certified Authorization Professional, Certified Cyber Forensics Professional, Certified Cloud Security Professional, CISSP, Certified Secure Software Lifecycle Professional, Healthcare Information Security and Privacy Professional or SSCP exam.

Source: (ISC)² SSCP

SANS GIAC Information Security Fundamentals Certification

The SANS Institute is a long-standing and well-recognized powerhouse in the security industry. Likewise, its GIAC certifications continue to accrue visibility and acceptance. The GISF opens the door to other credentials in the respected SANS GIAC program.

Since the GISF is an entry-level credential, there are no prerequisites; candidates need only pass a single exam to obtain the credential.

From here, practitioners can tackle a premium or senior-level security certification. Most such certifications require three or more years of relevant, on-the-job experience. Many also require submitting papers or research results in addition to passing exams, as well as taking specific classes. Of these, four are particularly worthy of mention, and pick up where the previous three leave off.

CompTIA Advanced Security Practitioner

The CASP is intended as a follow-on to Security+ and recognizes IT professionals with three or more years of direct, day-to-day information security experience and the skills and knowledge to match. Beyond that minimum, CompTIA recommends 10 years of IT administration experience, including at least five years of hands-on technical security experience.

The CASP must be maintained through continuing education or by retaking the exam every three years. The exam costs $426, less than the CISSP, yet the credential is ranked equivalently to the CISSP for a variety of Department of Defense-related IT positions, which will no doubt contribute to its future popularity.

Source: CompTIA CASP

(ISC)² Certified Information Systems Security Professional

The CISSP is arguably the best-known senior-level security certification in North America. It frequently shows up in top 10 certification wish and want lists, and it is requested by name in job postings and classified ads more than any other infosec certification.

Those who are interested in extending their CISSP credentials should also look into its three concentrations -- Architecture Professional (CISSP-ISSAP), Engineering Professional (CISSP-ISSEP) and Management Professional (CISSP-ISSMP). The CISSP exam costs $599, with an additional fee of $399 for each of the three specialty concentration areas.

Candidates without a college degree must possess at least five years of paid professional experience to qualify for the credential; individuals with a four-year college degree (or regional equivalent) need only four years of paid experience. A one-year experience waiver may also be obtained (approval required) if the candidate holds a credential from the (ISC)2 approved list. Only one waiver is applied, so the experience requirement never drops below four years.

Source: (ISC)² CISSP

SANS GIAC security certifications

The SANS Global Information Assurance Certification offers numerous topical specializations that extend the GISF and the GIAC Security Essentials Certification, including perimeter protection, incident handling, intrusion analysis, Windows and Unix administration, and systems and network auditor certifications. This is a topical, timely and highly technical program based on outstanding training online or at SANS conferences.

For those willing to acquire at least three of these individual credentials (two of them at the gold level) and sit for a lengthy two-part exam, consisting of a multiple-choice test followed by a hands-on lab, moving on to the GIAC Security Expert (GSE) certification probably makes sense.

Candidates must apply to sit the GSE multiple-choice exam after meeting the prerequisites; the fee for that test is $429. Upon passing it, candidates become eligible to take the hands-on lab exam for an additional $2,199.

Source: SANS GIAC security certifications

Qualified Information Security Professional Certification

Security University's Qualified Information Security Professional (Q/ISP) certification requires some of the best, most intense and most hands-on information security training around. Highly popular with government and industry security heavies, this program is expensive, demanding and time-consuming, but it's worth the intensive investment it requires to complete.

Classes in the Q/ISP certification cover topics such as ethical hacking, penetration testing, forensics and network defense. Those who earn the Q/ISP certification must obtain 120 continuing professional education (CPE) credits every three years to keep the credential current.

Source: Q/ISP

About the author:
Ed Tittel is a 30-plus year IT veteran who's worked as a developer, networking consultant, technical trainer, writer and expert witness. Perhaps best known for creating the Exam Cram series, Ed has contributed to more than 100 books on many computing topics, including titles on information security, Windows OSes and HTML. Ed also blogs regularly for TechTarget (Windows Enterprise Desktop), Tom's IT Pro and GoCertify.


This was last published in July 2017
