Synopsis

Cybersecurity has become one of the most sought-after careers in the Information Technology field, with roles ranging from ethical hacker to security auditor.  With so many options to choose from, where do you start to pursue such a purposeful and exciting future?  I will explain some of the top certifications that are offered and the fields they are associated with.

Institutes and their certifications

International Information Systems Security Certification Consortium, Inc. (ISC)2

(ISC)2 is one of the premier organizations offering security certifications for professionals.  One of those certifications is the Certified Information Systems Security Professional (CISSP).  It is a highly regarded certification for anyone looking to become a Chief Information Security Officer or Information Security Officer.  Don’t think, though, that you can just start studying and then take the test.  This certification makes you work for it.  There are a few requirements you must meet to start down this path.

  1. You must have 5 years of paid, full-time work experience in at least 2 of the 8 CISSP domains.  The domains range from Security Operations, covering tasks such as incident response and disaster recovery, to Communications and Network Security, which covers areas such as network security design.  If you don’t yet meet the experience requirement but want to start the process, you can take the test and become an Associate of (ISC)2.  An associate then has 6 years in which to earn the required 5 years of experience before assuming the CISSP title.
  2. So you have your 5 years and would like to schedule your exam.  The exam can be scheduled through Pearson VUE by creating an account and finding a location that offers it.  The exam is 6 hours long, has 250 questions and requires a passing score of 700 out of 1000 points.  Oh, do you have a shady past?  You must disclose any criminal history, and it may keep you from taking the exam or being certified.
  3. Pass the test.  Pretty simple step huh?  Good luck!
  4. With the test passed you will need a member of (ISC)2 in good standing (another CISSP will do) to endorse you.  You fill out the endorsement form and have them sign it.  I would start making friends and having great security conversations with your new CISSP colleagues now.
  5. Now you are a CISSP.  Your training and hard work have paid off, so you don’t have to worry about it anymore.  Well, not exactly.  The certification must be maintained on a 3-year cycle, and there are a few things you must do to keep your new shiny CISSP title.  To keep the certification you must earn 120 CPEs (Continuing Professional Education credits) within each 3-year cycle.  CPEs are points that show you are keeping up with the cybersecurity world and its changes.  You can earn CPEs by attending security conferences such as Black Hat, DEF CON or, in my home state of Michigan, GrrCON in Grand Rapids.  These conferences can get expensive, so look at free ways to earn points as well.  One way is to join a cybersecurity community or listen to podcasts.
  6. The last thing is that as a CISSP you must adhere to the (ISC)2 Code of Ethics.  This code is similar in spirit to a doctor’s: a doctor must strive at all costs to save lives, and a CISSP must strive to protect and secure the networks and physical locations in their care.

So what job titles would benefit from being a CISSP?  Here is a list of positions:

  1. Security Consultant
  2. Security Manager
  3. IT Director/Manager
  4. Security Auditor
  5. Chief Information Security Officer
  6. Security Analyst

Information Systems Audit and Control Association (ISACA)

ISACA is another institute that offers a very popular certification.  The Certified Information Systems Auditor (CISA) is a professional certification that compares to the CISSP but emphasizes security auditing.  Auditors are trained to find and assess a network’s security and compliance posture.  Auditors are needed by companies that must comply with PCI DSS, HIPAA and Sarbanes-Oxley.  CISA also has requirements very similar to the CISSP’s.

  1. The first step is to take the exam, which is open to anyone.  Scoring is not based on percentages but on a scaled score from 200 to 800.  A score of 450 or higher is a pass; anything below 450 is a fail.  The scoring system can be a little confusing, but I wouldn’t worry about it; focus more on your studying.
  2. Once you pass your exam, an application is needed to start your certification process.  CISA also requires previous work experience in information systems auditing, control or security.  5 years is needed, with waivers of up to 3 years.  Examples of waivers are a bachelor’s or master’s degree from a university that follows an ISACA-sponsored model curriculum.
  3. Adhere to the code of ethics.  This is very similar to the CISSP code of ethics.
  4. CPEs are also required over each 3-year cycle, just as for the CISSP.
  5. All CISA professionals must adhere to the Information Systems Auditing Standards.

Job titles that would benefit from a CISA certification:

  1. Information Security Auditors
  2. Information Security Consultants
  3. Information Security Officers
  4. Information Technology Directors/Managers

SANS/GIAC

Global Information Assurance Certification (GIAC) was founded by SANS (SysAdmin, Audit, Network and Security) as a certification body that administers exams aligned with SANS security courses.  Of the many certifications GIAC offers, the most popular is probably the GSEC (GIAC Security Essentials Certification).  This certification is comparable to CompTIA Security+ since it is entry level; the big differences are the cost and the upkeep required.  The exam alone costs $1,249, and a training course is offered if needed.  The course is typically taken at a SANS event, which can be expensive, but the teaching is top notch.  You will also need to earn 36 CPEs every 4 years and renew the certification in that window by paying $399.

SANS offers many other certifications that fall into the following categories:

  1. Security Administration
     • GCUX – GIAC Certified UNIX Security Administrator
     • GPEN – GIAC Penetration Tester
  2. Auditing
     • G7799 – GIAC Certified ISO-17799 Specialist
     • GSAE – GIAC Security Audit Essentials
  3. Management
     • GISP – GIAC Information Security Professional
     • GCPM – GIAC Certified Project Manager
     • GCSC – GIAC Certified Security Consultant
  4. Forensics
     • GCFE – GIAC Certified Forensic Examiner
     • GNFA – GIAC Network Forensic Analyst

And many more.

Job titles that would benefit from a GSEC certification:

Any entry-level IT position would benefit from this certification.  It is a first step toward a bigger certification and even job promotions.

CompTIA

CompTIA offers an information security certification meant for beginners called Security+.  If you are getting out of college with a degree in Information Technology and want to start pursuing a security career, this is the first certification to get.  The requirements are nothing compared to the CISA or CISSP: just a trip to an authorized testing center and a passing score, and you have this intro certification.

The test is composed of up to 90 questions to be completed in 90 minutes.  A passing score is 750 on a scale of 100 to 900.

Job titles that would benefit from a Security+ certification:

Any entry-level IT position would benefit from this certification.  It is a first step toward a bigger certification and even job promotions.

EC-Council

Have you always thought about having the skills to break into a company’s network and getting paid, legally, to do it?  Yeah, that’s a thing.  EC-Council’s Certified Ethical Hacker (CEH) teaches you the skills to find weaknesses and vulnerabilities in someone’s network and physical security and expose any flaws.  Companies will pay top dollar for you to show them what they need to do to be more secure, whether for a compliance audit or for their own peace of mind.  To beat a hacker, you need to think like a hacker.

The training covers how to use Kali Linux, pick locks and practice the art of social engineering, among many other things.  The exam consists of 125 questions, must be completed in 4 hours and requires a score of 70% or more to pass.

Job titles that would benefit from a CEH certification:

  1. Penetration Tester
  2. IT Director
  3. Information Security Auditor
  4. Security Consultant

Conclusion

These are five of the many security certifications offered.  The CISSP and CISA are among the highest-level security professional certifications you can receive.  These two exams are not easy, and they were meant to be that way; passing them shows you have put the time and effort into your career path.  CompTIA’s Security+ may be an intro cert, but it is the basic starting point for anyone looking to pursue a path in information security, and GIAC’s GSEC covers similar ground with more rigorous (and more expensive) training behind it.  Last, but not least, EC-Council’s CEH: if you want to learn how to protect your network, or show other companies how to protect theirs, this certification can be a great complement to the other certs mentioned here.

References

(ISC)2

ISACA

CompTIA

EC-Council

SANS/GIAC