Cyber Security Qualifications – Before We Get Into The Topic, Let’s Learn Some Basics Of This Topic
You can only go so far with a degree. At some point in your career, an IT security certification from an accredited third-party organization might be required (e.g., when changing jobs, when the job market has tightened, or once you have experience).
We’ve made this guide for getting certified. The acronyms can drive you crazy. If you already know the basics, you might want to skip ahead to our breakdown of major certification organizations.
Notice: A shortlist of certifications is included at the bottom of each job page in the Career Path section.
Security certifications: What you need to know
There are many types of cybersecurity certifications available, ranging from intrusion detection and forensics to ethical hacking. These certifications are usually administered by independent accrediting agencies such as CompTIA, EC-Council, GIAC, ISACA, and (ISC)2.
Accrediting agencies often classify their programs into three types: expert, intermediate, and entry-level.
- Entry-level certifications are intended to give you a solid foundation in the basics, such as best practices and important tools.
- Expert- and intermediate-level certifications require extensive work experience and a thorough understanding of the subject matter.
No matter what level or topic:
- IT security certificates can be used in all types of jobs and organizations.
- Credentialing usually involves training and a final examination.
- All certifications must be renewed every 3 years.
- You will need continuing education credits and the ability to pass the current exam to be reaccredited.
Costs and commitment
When you decide to get your cybersecurity certification is up to you. If you have the skills, there’s nothing to stop you from starting when you’re an undergraduate. A recognizable credential will burnish your résumé and catch the eye of hiring managers.
We won’t blow smoke: certification can be costly and time-consuming. An entry-level credential can take up to nine months and cost $300-$600 to complete.
You may not need to pay. Employers and universities often pay the bill. In a 2014 SANS survey of cybersecurity trends:
- Respondents reported that their employers paid 100% for certification training.
- 15% of employers split the cost
The U.S. Department of Veterans Affairs also approved reimbursement under G.I. Bill for certain certifications. Discuss funding options with your Accrediting Body.
Is it worth the effort? Yes, if you find the right one. Accreditation can lead to promotions, better job prospects, and/or raises. SANS survey respondents reported that they saw a 5% increase in their salaries after being accredited.
Which Certification Should You Choose?
When it comes to entry-level training, you might start by considering certifications such as:
- CompTIA Security+
- GSEC: GIAC Security Essentials Certification
- SSCP: Systems Security Certified Practitioner
Compare CompTIA Security+ with GSEC. GSEC is a well-respected industry certification and has been approved for DoD-8570 Baseline Information Assurance. Security+, another popular beginner’s certification, is also available. Ed Tittel of Tom’s IT Pro named it to his list of Best Information Security Certifications for 2015.
After you have completed the initial steps, certification will be based on your expertise and field of interest. GPEN is an example of a certification that a Penetration Tester might want to look at.
These certifications are very popular in the industry:
- CISSP: Certified Information Systems Security Professional is a high-level credential focused on security policy and management. This certification is the most commonly mentioned in the industry. It was also one of the top-paying IT security certifications in 2014.
- CISA: Certified Information Systems Auditor is designed for professionals who audit, control, monitor, and assess information technology and business systems.
- CISM: Certified Information Security Manager is geared towards people in managerial positions (e.g. CIO of IT security).
- GCIH: GIAC Certified Incident Handler is for incident handlers responsible for detecting, responding to, and resolving computer security incidents.
- CEH: Certified Ethical Hacker is often discussed among white hat hackers and penetration testers.
- OSCP: Offensive Security Certified Professional is designed for penetration testers and includes a rigorous 24-hour certification exam.
In March 2014, Burning Glass surveyed cybersecurity job postings and found that CISSP, CISA, Security+, CISM, and GSEC were the top 5 requested certifications.
Many organizations will encourage you to begin with the entry program and work your way up to more advanced credentials. However, it is not necessary to complete every level. Be sure to read the requirements.
Directive 8570 of the Department of Defense
The Department of Defense recognized that it had a problem in 2004. It did not have a formal training program for its information security personnel. It didn’t have any way to know if its IT administrators, managers, and directors were competent to perform their duties.
In response, the DoD issued Department of Defense Directive 8570 (announced in August 2004 and implemented in December 2005). This directive was designed to ensure that the cyber task force of the DoD was ready for battle. It:
- Mandated baseline professional certifications for all Information Assurance (IA) positions
- Required that IA certifications be accredited by ANSI or an equivalent authorized body under ISO/IEC Standard 17024
- Applied to anyone with DoD system access, including military personnel and civilian contractors
The following five categories were used to break down IA jobs:
- Information Assurance Technician (IAT).
- Information Assurance Manager (IAM).
- Computer Network Defense (CND).
- Information Assurance System Architecture & Engineering, (IASAE).
- Computing Environment (CE).
These categories were further divided into proficiency and expertise levels. Baseline certification requirements would vary depending on your level.
For example, an IAT might need Security+ at Level 2 and an IAM would need CISSP at Level 3 (view a chart of DoD 8570 certification requirements at (ISC)2).
Department of Defense Directive 8140
DoD 8570 categories are becoming somewhat obsolete as cyberspace expands into mobile, wireless, and cloud. Department of Defense Directive 8140 (also known as the Information Assurance Workforce Improvement Program) addresses this problem.
DoD 8140 has created seven categories within the National Initiative for Cybersecurity Education (NICE) framework. These are:
- Securely Provision
- Operate & Maintain
- Protect & Defend
- Investigate
- Collect & Operate
- Analyze
- Oversight & Development
Each job and task is assigned to one of these categories. Analyze, for example, includes Cyber Threat Analysis, Exploitation Analysis, and All-Source Analysis.
Notice: DoD 8140 was originally intended to be released in 2013. However, it has not been fully implemented as of October 2014.
More Security Certification Resources
Cybersecurity Education and Training Catalog
NICCS maintains an up-to-date listing of all cybersecurity and cybersecurity-related education and training courses offered in the United States. There are currently more than 1,300 courses in the catalog. Searches can be made by proficiency level, delivery mode, specialty area, keyword, and more.
Josh More’s Blog Series on Security Certification
Although it’s a few years old, Josh More’s insider view of the pros and cons of certification is fascinating reading. He even created a mathematical formula to assess the overall learning value of a certification.
Tom’s IT Pro Security Certification Section
Tom’s IT Pro contains some blog posts and articles on security certification. We’re particular fans of Ed Tittel’s advice column, where he gives career guidance to security professionals around the world.
Cybrary, founded by Ryan Corey and Ralph Sita, Jr., is an online community that offers dozens of training courses for cybersecurity professionals. Students interested in CompTIA certification can enroll in Cybrary’s CompTIA A+ Certification Training Course. You can search for courses by topic or skill level, join an online discussion group, and view listings of cybersecurity jobs.
Security Certification Organizations
Below is a list of 13 cybersecurity certification agencies and notes about some of the most popular. These organizations are also listed on the website of the National Initiative for Cybersecurity Education (NICE). The big ones – CompTIA, EC Council, GIAC, ISACA, and (ISC)2 – are members of the Cybersecurity Credentials Collaborative (C3), an effort to promote the benefits of certifications in the skills development of information security professionals around the world.
This is not an exhaustive list. The Department of Defense, for instance, has developed a separate SPeD Certification program run through the Center for Development of Security Excellence.
Reach out to your network if you are unsure about the right certification for you. You can trust your professors, employers, and/or senior-level colleagues to help you decide which certification is worth the investment.
Notice: Exam fees and renewal times can change so we recommend that you visit each certification website to get the most current information.
Run as a division of the Software Engineering Institute (SEI), the CERT Program partners with the DHS, industry, law enforcement, and academia to counter large-scale, sophisticated cyber threats.
Two security-focused certifications are offered by SEI:
- CERT Instructor
- CERT-CSIH: Computer Security Incident Handler
CERT-CSIH is designed for professionals who are involved in a computer security team. The training covers incident management and handling.
Notice: 2013 was the last year that SEI held its ANSI accreditation. This means that CERT-CSIH no longer qualifies as a DoD 8570 baseline certificate. You will need to look elsewhere if you want to fulfill DoD 8570/8140 requirements.
Even though it is not a vendor-neutral certification, we wanted Cisco to be included in our list. The Department of Defense (DoD) has approved Cisco’s CCNA Security certificate for DoD Information Assurance Technician Levels 1 and 2.
Cisco has divided its security certifications into four levels:
- CCENT
- CCNA Security
- CCNP Security
- CCIE Security
CCENT covers networking basics and basic network security. This certification certifies that you can set up, manage, and troubleshoot small branch networks for your enterprise.
Associate-level certification is the CCNA Security. This certification is about protecting and defending Cisco networks. You’ll prove your knowledge of core security technologies, installation/troubleshooting/monitoring of network devices, and Cisco security structures.
You can then choose to move on to CCNP Security, which is specifically aligned to the job of Cisco Network Security Engineer, or expert-level CCIE Security.
CCIE Security has no formal prerequisites. As with other top-tier certifications, you will need to pass both a written qualification exam and a lab exam. Cisco recommends that you have three to five years of experience in a specific job before you attempt certification.
Notice: CCNA Security is an ANSI/ISO/IEC Standard 17024 Accredited Certificate.
CWNP: Certified Wireless Network Professional
Founded in 1999, CWNP offers a variety of vendor-neutral training programs, exams, and certifications, including four levels of professional enterprise Wi-Fi career certification.
These are the most important security qualifications:
- CWSP: Certified Wireless Security Professional
- CWNE: Certified Wireless Network Expert
CWSP is a certification that helps you protect enterprise Wi-Fi networks against hackers. It can be used with any Wi-Fi equipment. You must hold a valid CWNA credential to earn a CWSP.
CWNE is the expert-level qualification. It goes beyond security and gives you the ability to use wireless networks in any way that you want.
This program requires job experience in advanced design, protocol analyses, intrusion detection, prevention, performance analysis, and QoS analysis, spectrum analysis and management, and other related areas.
CompTIA offers a variety of vendor-neutral IT certifications. These include 16 exams covering cloud, networking and servers, Linux, security, and many more.
Some notable security accreditations include:
- CompTIA Network+
- CompTIA Security+
- CASP: CompTIA Advanced Security Practitioner
CompTIA Security+, as we have already mentioned in the introduction, is a strong base certification that can be used to secure a network and manage risk. It also meets the requirements of the DoD 8570 directive’s IAT and IAM levels (see above).
CASP is designed to provide IT professionals with advanced security knowledge and skills. This certification is for IT professionals, analysts and risk managers, security architects/ISSOs, penetration testers, and ethical hackers.
Candidates for the CASP exam should have ten years of experience in IT administration and five years of experience in technical security.
CASP has no prerequisites; CompTIA Security+ certification is not required. It has been approved by the DoD to fulfill IAT and IAM certification requirements.
Notice: CompTIA Network+, Security+, and CASP are all ANSI/ISO/IEC Standard 17024 Accredited Certificates.
DRI International was established in 1988. It is a non-profit organization that provides education and certification worldwide in disaster recovery planning and business continuity. There are more than 12,000 certified professionals in the world.
The most popular DRII certification is the intermediate-level: CBCP: Certified Business Continuity Professional.
This certification follows the associate-level ABCP and precedes expert-level MBCP. DRII offers tiered certifications for Certified Specialties (Auditor Public Sector and Healthcare), Certified Vendor, and Certified Risk Management.
The DRII process can be quite complex. The CBCP requires a qualifying exam, references, and an essay. You must have at least two years of experience in business continuity/disaster restoration.
Notice: DRII keeps up-to-date directories of both DRII-certified professionals and vendors.
EC-Council: International Council of Electronic Commerce Consultants
EC-Council offers a wide range of IT security training, including courses in network, information, and Internet security. Courses can be taken online via iClass or with live instructors.
EC-Council’s flagship course is CEH: Certified Ethical Hacker.
Candidates learn how to scan, test, and hack their own systems in this intermediate-level program. This content-rich course is five days long and includes a four-hour multiple-choice exam.
The truth is that there are security professionals who dislike EC-Council deeply and will bias against anyone with one of their certifications.
Many hackers prefer IACRB’s CPT or Mile2’s CPTE, but CEH is consistently on lists of the top (and highest-paying!) hacking certifications.
Do your research, speak with colleagues, and decide for yourself. Notice: CEH is an ANSI/ISO/IEC Standard 17024 Accredited Certificate.
GIAC: Global Information Assurance Certification
GIAC was founded in 1999 by SANS. It offers more than 20 job-based cybersecurity certificates, including assessments in information security and forensics.
GIAC credentials you might be interested in include:
- GSEC: GIAC Security Essentials Certification
- GPEN: GIAC Certified Penetration Tester
- GCIH: GIAC Certified Incident Handler
We mentioned in the introduction that GSEC is a solid credential for beginners. Candidates must demonstrate a basic understanding of security concepts and techniques (DNS, honeypots, ICMP, Linux, TCP, etc.) over the course of a proctored exam.
GCIH and GPEN are higher-level qualifications. GPEN is for security professionals who are responsible for identifying vulnerabilities in target systems and networks. GCIH is for incident handlers. It focuses on the skills needed to detect, respond to and resolve computer security incidents.
At the top of the GIAC heap is GSE: GIAC Security Expert.
This accreditation is a first-tier one, roughly equivalent to CISSP. This exam determines if candidates are proficient in the skills required for top security consultants or individual practitioners.
No specific training is required to obtain GIAC certification. You can rely on your experience or take courses offered by SANS. High-scoring exam-takers get access to valuable online mailing lists. Once certified, you can also pursue GIAC Gold status, a great tool for self-promotion. Notice: GCIH, GSEC, and GPEN are ANSI/ISO/IEC Standard 17024 Accredited Certificates. Check out the complete list of GIAC’s ANSI accreditations.
IACRB: Information Assurance Certification Review Board
IACRB is a non-profit organization that offers a range of industry certifications to suit a wide variety of job titles (e.g. Penetration Tester, Reverse Engineer, Data Recovery Professional, etc.).
The following are competitors to the CEH qualification of the EC-Council:
- CPT: Certified Penetration Tester
- CEPT: Certified Expert Penetration Tester
CPT is the first certification. CEPT is an expert-level version. CPT covers pen testing domains like network protocol attacks and exploits for Windows/Unix/Linux, as well as wireless security. CEPT dives deeper into network attacks, recon, memory corruption, and shellcodes.
CPT and CEPT both consist of a multiple-choice exam followed by a practical. To become accredited, candidates must pass three penetration challenges. Notice: IACRB’s history is a little unclear. Its About page states that the website was created by information security professionals but does not specify who they are or when it was founded. Justin C. Klein’s blog post “The IACRB & CEPT Certification” revealed that Jack Koziol, a senior instructor and security program manager at InfoSec Institute, is the registered owner of the website.
ISACA was founded in 1969 and provides guidance, benchmarks, and tools to all businesses that use information systems. It hosts a Knowledge Center where members can participate in communities, shared interest groups, discussions, and document sharing. In addition, its Cybersecurity Nexus (CSX) is a central location for cybersecurity research, education, guidance, and certifications. ISACA is a well-respected organization that has been around for many years.
The organization offers certifications in CISA, CGEIT, CRISC, and CISM: Certified Information Security Manager. CISM, like CompTIA and CISSP, was included in KnowledgeNet’s Top 10 Cybersecurity Certifications of 2018.
CISM is for senior management professionals who manage and oversee information security in enterprises. These areas of work include program management, compliance, governance, and risk management.
CISM isn’t easy. To gain accreditation, you must pass the exam and submit a written request.
Notice: CISM is an ANSI/ISO/IEC Standard 17024 Accredited Certification.
(ISC)2: International Information Systems Security Certification Consortium, Inc.
(ISC)2 offers a wide range of information security certifications, including SSCP and CAP. Members have access to an extensive range of resources, including a job board, e-Symposium, networking, and a Chapter Program where peers can share knowledge, exchange resources, collaborate on projects, and create new ways to earn CPE credits.
(ISC)2’s banner certification is the globally recognized CISSP: Certified Information Systems Security Professional.
CISSP holders can work as security directors, network architects, security analysts, and security managers. This program includes access control, network security, operations security, governance, risk management, and other topics.
Concentrations are also available:
- CISSP-ISSAP: Information Systems Security Architecture Professional
- CISSP-ISSEP: Information Systems Security Engineering Professional
- CISSP-ISSMP: Information Systems Security Management Professional
You must have at least five years’ full-time work experience to be eligible for the CISSP exam. An (ISC)2-certified professional must endorse your application, and you are required to agree to the (ISC)2 Code of Ethics.
Notice: (ISC)2 was the first information security certifying organization to comply with the requirements of ANSI/ISO/IEC Standard 17024.
MI: McAfee Institute
MI offers real-world training for IT professionals who are involved in fraud and law enforcement.
Security certifications for crime-related activities include:
- CCTA: Certified Counter-Intelligence Threat Analyst
- CEFI: Certified eCommerce Fraud Investigator
- CCIE: Certified Cyber Investigative Expert
- CCII: Certified Cyber Intelligence Investigator
- CCIP: Certified Cyber Intelligence Professional
- CORCI: Certified Organized Retail Crime Investigator
Candidates must pass an exam after completing online training.
While the About page is not very detailed, MI lists its advisory board members. To implement the Workforce Framework, it has also partnered up with the Department of Homeland Security.
Notice: MI is not as well-respected as ISACA and other accreditation bodies, so it’s worth asking around for advice.
Mile2 offers a range of cybersecurity training programs and certifications, including a CISSP substitute called CISSO. Its courseware has been approved under the Committee on National Security Systems (CNSS) National Training Standards.
Mile2 is directly competing with the EC-Council’s CEH and IACRB’s CPT. Its hacking certifications are:
- CPTE: Certified Penetration Testing Engineer
- CPTC: Certified Penetration Testing Consultant
CPTE candidates must have at least one year of experience in networking technologies. Candidates must complete 20 hours of training in the real world and pass a multiple-choice exam.
CPTC is an advanced certification in penetration testing, aimed at IT managers, chief security officers, and security consultants. Candidates must pass a six-hour exam that includes a vulnerability assessment, and a full penetration test on two IPs. Candidates then have 60 days to submit a written report on their penetration testing results.
Notice: Both CPTE and CPTC can be used to get NICCS approval.
Offensive Security is a private firm that offers training courses, penetration testing services, and certifications. The team members at Offensive Security are the funders, founders, and developers of Kali Linux, the successor to BackTrack Linux, a free security auditing operating system and toolkit. View a full list of their community projects.
If you’re a Pen Tester looking for a top-notch certification, you should seriously consider OSCP: Offensive Security Certified Professional. This certification requires you to be able to do penetration testing and ethical hacking. You will be allowed to compromise vulnerable networks for 24 hours to pass the exam. A detailed penetration test report must be submitted for the network and PWK laboratories.
Offensive Security also offers information security certifications such as the advanced OSCE: Offensive Security Certified Specialist, but OSCP is what we hear infosec professionals most often refer to.
Notice: Successful OSCP exam-takers qualify for 40 (ISC)2 CPE credits.