A Guide To Information Security Certifications
I’ve seen the question asked more than a few times recently about what the best information
security certifications are. Some people already have one or more and
are looking to expand, others are just getting started and want to know
how to do so. This page will hopefully offer some help in this area.
I’m going to highlight a few of the options and discuss who I think
should be going for which, and why.
I’ll be rating each one based on the criteria below:
Note: I only have the Security+, CISSP, and GSEC credentials.
My comments on the others are based on information I have gathered from
various sources.
- Difficulty - How hard the test itself is, i.e. study time needed, etc.
- Who - Who should be looking at this as an option.
- Respect - Technical respect rating within the infosec-geek community.
- Renown - How well-known the certificate is throughout the industry.
- Requirements - What’s needed to get the cert, i.e. project, exam, etc.
- Cost - What it’ll cost you (or your company) to sit for the exam.
- Pros - Positive comments about the certification.
- Cons - Downsides to the certification.
- Comments - My own input about the credential.
Note: Numbers are on a scale from 1-10 (10 being the highest).
The Players
Security+
Sponsor: CompTIA
Difficulty: 1
Respectability: 2
Renown: 4
Requirements: Single Exam, +-100 Questions
Cost: $225 USD (discounts available online)
Who: This certification is for people just getting into the
field. If you don’t have any other certifications, and your
experience/skills are still developing, this is the certification for
you.
Pros: It’s a fairly easy cert to get and I understand it’s
getting a decent amount of recognition within federal organizations.
It’s also a fair, solid test that asks decent questions rather than a
bunch of fluff.
Cons: It’s entry-level and thus not strong as a standalone
bargaining chip.
SSCP (Systems Security Certified Practitioner)
Sponsor: ISC2
Difficulty: 4
Respectability: 4
Renown: 2
Requirements: Single Exam, 125 Questions
Cost: $350 USD
Who: The SSCP is for serious, dedicated information security
professionals who are not quite ready to take the CISSP exam. Only one
(1) year of experience is required for this exam vs. 3-4 (depending on
whether you have a degree) for the CISSP.
Pros: The SSCP is administered in a very professional fashion,
just like the CISSP, and it thus carries some degree of the respect
that goes along with that credential. It’s also from ISC2
just like the CISSP, so that helps it as well.
Cons: Unfortunately, the certification that hurts the SSCP the
most is in fact its older brother - the CISSP. If you check the job
boards, precious few jobs ask for the SSCP. The reasoning there is that
the experience requirement for the CISSP is much of what makes it so
respectable. To take that away and ask half the number of questions
diminishes the SSCP to a significant degree.
Comments: If you can’t show the 3-4 years experience required
for the CISSP, and someone else is paying, I’d say go for the SSCP. If
nothing else, it will help prepare you for the CISSP that will surely
be in your future. That being said, if you want to get a truly
valuable credential that doesn’t require the experience, opt for the
GSEC (covered below).
CISSP (Certified Information Systems Security Professional)
Sponsor: ISC2
Difficulty: 5
Respectability: 5
Renown: 10
Requirements: Single Exam, 250 Questions
Cost: $500 USD
Who: The CISSP is for serious, dedicated information security
professionals who intend to stay in the field and grow. It says to
employers that you are serious about your career and are familiar with
the core basics of 10 separate areas within the field.
Pros: The CISSP is without a doubt the king of certifications right
now. It’s the first infosec cert to receive ISO recognition -
a great achievement not only for the certification
itself, but also for the field as a whole. It commands a great deal of
respect in many IT circles, and this can be clearly seen via job search
results. It can help your chances greatly of getting high-paying jobs,
and is an excellent addition to any resume. If you are only
going to get one infosec cert, it should be the CISSP.
Cons: While the CISSP is undoubtedly the king of information
security certifications, it suffers from being thought of as something
it isn’t. Many view it as proof that someone is an expert in the field,
and that couldn’t be farther from the truth. ISC2 has
explicitly stated in the past that the test is designed to test a broad
base of general knowledge, not to certify someone as a master of their
field. Despite the rumors of impossibility, the exam also has over
a 70% first-time pass rate.
Comments: The CISSP is a great exam because it is not easy to
take (experience in the field is required), and once you are able to
take it, it’s administered in a professional, controlled environment.
What people fail to realize is that it’s for high-level security
professionals such as managers. Obviously, anyone can go for it, but
it’s not designed to test technical skills or the ability to actually
perform in the trenches of an infosec environment. It’s a
broad overview, basically - a test designed to ensure that you are
familiar with some concepts. It’s when people lose sight of this that
the confusion starts. As for the difficulty factor, I started studying
for mine on a Monday and passed the exam on that Saturday - that’s
with zero previous exposure to the CISSP study material. A buddy
of mine just got his as well, and his study consisted of around 2 weeks
of passively glancing at the material while leveling his WoW character.
Again, that’s not to say it’s not an excellent cert, it’s just that the
difficulty should not be overestimated.
GSEC (General Security Essentials Certification)
Sponsor: SANS
Difficulty: 7
Respectability: 7
Renown: 5
Requirements: Research Paper, Two 100-Question Exams
Cost: $800 USD (Cost of exam without training)
Who: The GSEC is for highly-technical, serious information
security professionals who actively work with infosec technology on a
day to day basis. Those who are looking to show considerable technical
knowledge over a large number of infosec subjects would be well-served
by attaining this credential.
Pros: The SANS organization is universally recognized as a
top-notch infosec organization. Any certification from them commands a
decent degree of respect.
Cons: The CISSP currently owns the majority of the spotlight in
this arena. Few employers are aware of the GSEC, and even if they are
they view the CISSP as just as valuable.
Comments: The GSEC does not show expertise in a given subject;
it shows that the cert-holder is technically-oriented and has a wide
base of infosec knowledge. No certs at this level demonstrate true
mastery. One particular thing to note with this exam vs. the CISSP is
that the actual exam portions are taken from home and open-book,
meaning you can use anything you want during the exams. Critics rave
that this makes the exam less respectable than the CISSP since the
CISSP is taken under supervision and no study materials may be used. I
argue that precisely the opposite is true. Infosec professionals are
not databases. We don’t pride ourselves in not having to consult
external resources when solving problems; in fact, we do it constantly.
To imply that an exam that tests your ability to solve problems in
precisely this fashion is somehow less respectable is, in my view, a
grave mistake. The GSEC exam structure represents the real world -
you’re faced with a difficult problem, you find the answer and solve
it. You don’t see consultants losing contracts because they had to
Google for solutions that saved their clients money. Ultimately this
debate comes down to an old argument: hands-on vs. academic. When
evaluating someone that’s supposed to have the actual know-how to solve
infosec problems in the real world, there’s no doubt in my mind that
the average manager is going to prefer the former.
GCFW, GCIA, GCUX, GCIH
Sponsor: SANS
Difficulty: 8-9
Respectability: 8-9
Renown: 4
Requirements: Research Paper, One Or More Exams
Cost: $800 USD (Cost of exam without training)
Who: These various SANS certs are the mid-level offerings from
the organization. They are more in-depth and difficult than the GSEC,
and they focus on one area specifically. GCFW is for firewalls and
VPNs. GCIA is for IDS/IPS, GCUX is for Unix security, and GCIH is for
incident handling. These are just a few of those that are offered, and
these are geared towards veteran infosec professionals who have already
specialized into an area. If you fit this bill, I’d say that pursuing
one of these certifications would be ideal.
Pros: The SANS organization is universally recognized as a
top-notch infosec organization. Any certification from them commands a
decent degree of respect, and these specialized certs say to an
employer or client that you are truly proficient at what you do.
Cons: There are very few holders of these more advanced
certifications, and as such many employers may ask questions like, “Is
that like a CISSP? Is that the same as a GSEC?” The good news is that
it should be fairly easy to explain the situation to them.
Comments: These certifications do show some degree of
mastery of a subject. It doesn’t mean that everyone with one
is great, or that those who don’t have it aren’t. It does mean,
however, that the odds of someone with one of these certifications
being a good fit for a job in that area are extremely high. Think of
these as more difficult, more focused GSECs.
CISA (Certified Information Systems Auditor)
Sponsor: ISACA
Difficulty: 5-6
Respectability: 6
Renown: 8
Requirements: Single Exam
Who: The CISA credential is ideal for anyone already doing, or
looking at getting into information security auditing.
Pros: The credential is highly recognized and sports even more
hits than the CISSP in monster.com and other job searches. It’s highly
sought after due to the onslaught of regulation hitting the infosec
industry as a whole.
Cons: Again, many jobs that request CISA also will take a CISSP.
Certain jobs ask for CISA specifically, but most are just looking for
this “class” of cert, and will accept a CISSP in its place.
Comments: This area (auditing) is growing like mad. Due to SOX
and other new legislation, this will do nothing but continue to
accelerate. Adding a CISA to your resume is definitely a good move.
GSE (GIAC Security Engineer)
Sponsor: SANS
Difficulty: 10
Respectability: 10
Renown: 3
Requirements: You must currently have five (5) GIAC certs (one
of which must be with honors), and then pass the GSE exam.
Who: The GSE is something to be pursued by those who have
literally mastered a number of areas within information security, and
have superior talent.
Pros: If you encounter anyone who knows what all the exam
involves, you’ll earn some instant respect.
Cons: You aren’t likely to find any of those people.
Comments: The GSE credential is the final destination for anyone
pursuing certification with information security. It’s a goal in and of
itself to me since I don’t see someone with the skills to attain it
hurting for a job or having trouble getting raises.
Boiled Down
Let me try and break it down the way I see it. If
you are just getting into security and you don’t have much experience
with networking and such, get a job where you can work with computers
and start pursuing your CCNA. Study, practice, learn everything you
can pertaining to operating systems, networking, and security. Once you
feel your skills are fairly strong in the security realm, start
studying for and take the Security+ exam.
If you have been in networking and/or security for a while now (4 years
or so), and you feel your skills are pretty strong, you should be
looking at the CISSP. Ignore people who say it’s too easy or that it
doesn’t mean much - it doesn’t matter. The fact of the matter
is that it’s more beneficial to have a CISSP right now than any other
cert in its class.
After getting your CISSP, and if you’re a technical person, I suggest
you look at the GSEC. It’s the perfect complement to the CISSP. The
CISSP covers the 10 domains from a manager/birds-eye view, and the GSEC
gets down to some technical detail within the same areas of study -
policy, encryption, etc.
Another option once you have your CISSP is to go for the CISA instead.
If you’re more of a manager anyway, and/or looking to head that way,
then it may not be necessary to show technical prowess. If that’s the
case then opt for the CISA instead of the GSEC. The certification is
absolutely on fire right now, and the odds are good that with a solid
resume and a CISSP/CISA combination you could command around $90K USD
fairly easily.
If you have been in infosec for a long time, i.e. 5-10 years or more,
and you are a geek at the core, start knocking down SANS certs being
aware of the fact that you need honors for one of the 5 that are
required for the GSE. To me, the GSE is a major accomplishment in its
own right, and I don’t really see it being a money-maker. In my view,
anyone who can get a GSE already pulls a healthy check anyway.
Conclusion: I hope this short summary of my thoughts on these
credentials has been helpful. Feel free to contact me if I have made any
errors, if there is something you think I should add, or if you just
want to comment on anything said. [Daniel Miessler, CISSP, GSEC]

2 Comments
prabhu
January 13th, 2009 at 5:24am
Hi, it was very nice, a briefing about certifications. I did my PG in information security. I have 1.5 years’ experience in penetration testing and have now moved to IS audit. I’m planning to take a certification in IS, CISA or CISSP. Which one is best? Could you suggest to me, on my mail id? Thanks in advance.
Moses
March 5th, 2009 at 8:06am
Hello Lockergnome, thank you so much for the light shed on this subject. You have helped me get exactly what I wanted.