If you are in IT and looking to get into information security, the first place to start is by obtaining industry certifications. As I currently have my OSCP, CISSP, C|EH, GSEC, GCIH, PCIP and am working towards my CISA, I figured I was as good as any to review the certifications out there and provide some advice on how to focus your efforts. This blog will be a review of information security certifications, both the ones I have and some others I hope to get. With that, let's dive in.
Certified Information Systems Security Professional (CISSP)
No review of information security certifications would be complete without mentioning the CISSP. Like it or not, the CISSP is the gold standard of information security certifications. It is certainly not the best one out there, but the fact is, if you ask someone (or are trying to get hired by someone) outside of information security, they are far more likely to have heard of the CISSP than of any of the others on this list. A quick perusal of job postings in this industry will quickly prove my point. Almost every single one will mention the CISSP as either a requirement or a desired certification. The CISSP itself can be thought of as a mile wide and an inch deep. This certification covers almost every aspect of information security, but does not require a deep dive into any of them. Unfortunately, this test requires a lot of studying. Buy a review book or take a review class and just memorize, memorize, memorize.
Certified Ethical Hacker (C|EH)
The Certified Ethical Hacker certification is a great starter certification if you are hoping to one day find a job in penetration testing. This exam introduces a lot of the concepts, and even has some labs that let you get hands-on a few times. Unfortunately, this certification does not carry a lot of weight, because it is very much viewed as an introductory-level certification. With that being said, it does provide a baseline of knowledge that you will need to build on, so if you are trying to get into this field, this is a great place to start.
GIAC Security Essentials Certified (GSEC)
Another entry-level certification, this one is from the SANS Institute. This one holds a bit more weight than the C|EH because it carries with it the GIAC name. You will see a lot of job offers mention GIAC, and because the SANS Institute does a great job in teaching and certifying, it is better known. One of the advantages of the GIAC exams is that they are open-book. They take the philosophy of testing you the way you would be tested at your job. At your job, you are going to be able to reference things and look things up, so why make you memorize? Instead, they test your ability to apply the concepts to situations. I like this approach, and think this is a great certification to get if you want to transition to information security.
GIAC Certified Incident Handler (GCIH)
Another SANS open-book certification. This one is geared towards incident response. When I am doing incident response for an organization, I often crack open my books from this certification. There are a lot of practical things in there to help, and with incident response in general, any misstep could lead to a loss of forensic information you need. The only negative to this certification (and any from SANS) is that they are very expensive.
GIAC Penetration Tester (GPEN)
Another SANS open-book certification that carries the GIAC name; however, this one is specifically geared towards penetration testing. This is a mid-level certification and will really help your resume. Full disclosure, I don't have this certification, but there are engineers at Triaxiom that do. From what I have heard, this is a great certification to get, doesn't require you to be an expert going into it, and will really help you understand the foundations of penetration testing.
Offensive Security Certified Professional (OSCP)
This is a more advanced certification, aimed specifically at penetration testers. On this certification you have 24 hours in a test environment to try to hack into and elevate your privileges on different systems. To prepare, Offensive Security has a fantastic lab environment with over 40 boxes for you to try to hack and learn from. This is easily the best certification process I have seen. It is fully hands-on, a lot of fun, and extremely practical for penetration testing. However, it is difficult, especially if you are new to the field. My advice to folks trying to get into this field is to get a starter certification (GSEC, C|EH, GPEN) or two first, and then try for this one. Because it is so hands-on and difficult, this one is gaining a lot of traction in the industry. Simply put, if you have this certification, it will be a significant help in finding a job in penetration testing.
Once you have this one, all the other certifications offered by Offensive Security follow the same model. Try for your Offensive Security Certified Expert (OSCE) or the other options, including the wireless and web application certifications.
Industry Specific Certifications
In this review of information security certifications, I am not going to go into the details of industry-specific certifications. These are certifications that are designed to cover specific compliance regulations (PCI, HIPAA, etc.) or to deep-dive into specific technologies or industries. These certifications can help you round out your resume, especially if you are targeting a specific job, but will likely only help for a subset of jobs in the field. And even though I won't cover them here, feel free to reach out with any questions using our contact us page.