Which Certification Is The Best In IT Security Field?
January 1, 2016
As far as I know, CISSP is one of the most recognized certifications in the industry. I have just started my job as Information Security Consultant. I have CEH and am studying for GWAPT now (as my company mainly does web penetration testing). Next should be GPEN. However, if I wish to further my study, what should be next?

Hard to say, but the most practical ones out there are probably the Offensive Security certifications. Read more at https://www.offensive-security.com/information-security-certifications/

I have not found the price for those courses. I was wondering if they offer it for free.

CISSP is by far the most universally recognized security certification in the US and overseas. But it has stringent requirements for experience, with 5 years in two separate security domains to complete the certificate. It's also criticized for being too general. It's been said the knowledge is a mile long and an inch deep. An alternative is SANS (sans.org), which offers a wide variety of vertically-focused, intense courses and certificates in various certificate disciplines, e.g. Intrusion Detection, Forensics, Linux System Admin, etc. People with SANS certificates are sought after by employers. I think GSLC is the SANS equivalent of CISSP.

They all have their requirements, but the CISSP is recognized universally as being a top level cert due to the requirements. You used to have to have someone with a CISSP sign saying you had worked in the field for x number of years. Not sure what the current reqs are.

Thanks for the information. Yeah, I agree on some points. In Asia Pacific, CISSP is very useful only when you are going to apply for a new job. Other than that, CISSP is not significantly useful.

Thanks for the information!

Nice, guys, I have learnt a lot from you people.

I am looking to get my Security+ because my job is paying for it, then CEH, and maybe another from ISACA like auditing.

Thanks for the information.
CISSP

CISSP, and I also believe that if you want to give it a shot (if you are qualified) then do CEH also. As you said, you just started your job, so first of all you need to check your area of interest, i.e. information security, audit, compliance or some core technical area. Once you identify your core area of strength, only then can you decide which route you need to follow. CISSP - You can't start now as you don't have much experience in the industry. So forget about this as of now. OSCP - More professional and dedicated to the pen testing area only. If you want to do it you can start, but it is a very hard one. Or otherwise you can go for a vendor neutral certification in security as well. Thanks. Shakti

OSCP for sure, Offensive Security, if you are in pen testing... best quality/price so far for all the things you get from them.

While the CISSP is probably the most well known security certification, it really is more of a management certification that focuses on security. Unless your career goals are to work for either the government or a government contractor, where a CISSP is generally required for most positions, I would personally put it on the nice-to-get-someday list. As a pentester, I would focus more on the GIAC/SANS courses and certifications, as that will meet your current career path. Not trying to downplay the CEH, I am certified under C|EH v.7, but it's kind of like the CompTIA certs in that it's very knowledge based without any real hands-on experience needed. You may want to consider supplementing your CEH with the Certified Penetration Tester (CPT) cert. The knowledge portion is very similar to the CEH exam, but it also includes a hands-on portion that requires you to successfully penetrate two systems and gain root access. The next level exam, the Certified Expert Penetration Tester (CEPT), requires you to actually discover and create a working exploit in both Windows and Linux.
CISSP is pretty solid in terms of a general certification, at least once you have a few years under your belt. I believe you can technically take it now and pass it, but can't actually GET it until you have the requisite experience. The Offensive Security ones are very well thought of, but it honestly depends on exactly what you want to do. Since you already have CEH, it does sound like the Offensive Security ones would be the most applicable for you.

CISSP and CEH will help you find a job and HR knows about them. OSCP is the best imho.

Just an FYI, OSCP is nothing like the CEH. You actually have to know how to hack for the OSCP.

I don't really think there is a certificate that is the best; you would always have to go for the next one once you receive one to increase your knowledge. At this moment CISSP is recognized by a lot, and there are also SANS certificates that are very well known. It all depends on the field you are going towards, and you should focus more towards that field of certificates. Hope that helps!

I work in security management and I decided that my path will be CISM > CISA > CISSP, then I will decide what to pursue next, based on my role/job description.

Thanks mates, nice info.

Any suggestions for an entry level cert?

CompTIA Security+ is the most recognized entry cert.

CISSP as well as SANS are the most effective courses for your career goals.

Thanks for the info.

https://www.professionalpentester.com/index.html

CISSP is what they call "a mile wide, an inch deep". It'll cover most of the security domains, but won't make you an expert in any one of them. It's good both for InfoSec theory, and maybe also for getting on HR hunters' radars, being a very recognized cert, though since infosec has many sub specialties, you should also be looking at more specific certs like OSCP (hands-on), CEH (pen testing), CCSK/CCSP (cloud computing security) etc., or any other cert which is relevant to your career goals.
Other than this, practice, practice and more practice. Certs are a good starting point, but they'll only get you so far, and there is no real substitute for industry experience. Good luck!

Sometimes certifications don't matter at all; if you've completed even the materials in Cybrary, it's more than enough.

OSCP anytime.

So far I've gotten SANS 408 and Sec+ while still in the military. I can challenge the other CompTIA certs, but I was informed they are "petty" certs. SANS is too expensive; anyone know certs that are worth the bang for your buck?

Doesn't it depend on what else (degrees, training etc.) you already have?

Very much depends on your career path, experience and what you're aiming for. If you're looking to get more experienced in pentesting then OSCP is probably the most effective; for the infosec management path I would suggest going for CISSP, CISM or something of that sort.

I say follow the ROI/money: http://www.forbes.com/sites/stevemorgan/2016/01/02/one-million-cybersecurity-job-openings-in-2016/

Best group to ask this to are real world hackers... which cert do they believe best arms someone to prevent their exploits? Suspect most would say few if any of the certs prepare someone to stop penetrations and exploits. The current mantra across the cyber community is "it's not if, but when, you've been hacked." The CEH and OSCP certs (& related pentest/exploit certs) imply the ability to always gain access and exploit. Thus the best answer seems to be that the offensive, pentest, CEH, and exploitation based certs would rise to the top. Some of the best experts out there have no certs.

Thanks all for your contribution.

You might want to take a look at this list - http://www.tomsitpro.com/articles/best-it-certifications,1-1352.html

The OSCP is great if you are interested in pentesting. Very practical compared to the CEH, where the focus seems to be more on tools than techniques.

How hard was it to pass the CEH test and what is it like, multiple choice, or a lot of command prompt console?
CISSP any day.

Here is my breakdown on certifications in a nutshell: To get your foot in the door in any IT job you need the fundamentals; those are A+, Net+ and Sec+. Don't expect to get a security job with these though; you'll likely end up with PC support or help desk. These are FOUNDATION CERTS for IT. Your next certification is the most important, as it sets your direction within IT. C|EH, CCNA, MCSA are examples of ground floor certs for security, networking and systems administration respectively. The problem with these certs is that everyone in the world interested in getting into these fields has these certs, so they don't make you stand out much. Here is where experience comes into play if you have it, but if not you need to take it another step certification wise. Now I see a lot of CISSP talk in this thread, and let me say I agree with what everyone says about its recognition, but let me warn you that the CISSP is difficult to get because of the requirements, usually results in a good paying job, but will also put you in line for a paper pusher job more than a keyboard ninja (there are some exceptions of course). The current trend is the GIAC certification route; they have certifications in Incident Handling (GCIH), Intrusion Analysis (GCIA), Pen Testing (GPEN) and tons more. I also saw some mentions of the OSCP; this is an AWESOME cert, but again it's difficult to get just because of the final exam, which isn't a traditional test so much as a skills assessment. This will tell you if you have the chops to be a pen tester or not and can really help you stand on cloud 9! The disadvantage to the OSCP is that it's not yet recognized by the majority of hiring companies; companies that specialize in CS though will immediately recognize it, and it will likely put you on a short list for positions. Unlike the CISSP, these certs are functional certs more than management certs.
There are a ton of certs out there, and be careful you know what you're getting yourself into with them. Some will take you down a management path, others down a functional path. If you want to be a manager, CISSP, ITILv3, CRISC, CISM, PMP are ones you want to look at. For the functional side, check out the GIAC cert paths to land a job with the majority of companies, or the OSCP for more specialized companies (and later the OSCE, OSEE as follow ups). This was long but I hope it helps!

That's good insight! Also, starting with a company that promotes training and mentorship is always a bonus!

To phrase the question another way, are there any certifications that any experienced IT professional here would recommend *avoiding*? I've heard of certain certs, especially in the CS field, that are just entirely a waste of time and money, and I was wondering if there were any IT or security certs that were similar.

Hmmm... I've never really put much thought into certs that just don't have much weight. Without doing any research on what else is out there, I can say that CompTIA certs beyond A+, Net+ and Sec+ start to lose their relevance a bit (such as Linux+, Server+). I heard they recently released an advanced security cert and I'm not sure how that one is doing. They're still good to have just for the knowledge, but won't translate well into dollars earned. I'm going to reluctantly put OSCP in as one to avoid also, just because it's not yet understood by most employers, but I have a feeling this is going to change very soon. I guess a route I would suggest is to just keep an eye on job boards and look for what companies are getting behind. If you catch wind of a new cert, punch it into Indeed (the job search board) and see how many results you get. If there aren't any companies getting behind it, then it's probably not worth getting.

Thanks for sharing.

CISSP is the one that has been highly recommended. But given that it is a general knowledge base, I argue its actual usefulness.
It could give one an artificial sense of breadth of knowledge.

In regards to what [@Dragon](https://www.cybrary.it/members/drag0n/) says, I'm inclined to agree. I've started looking seriously at going after the CISSP, and all those I've talked to (including a lot of folks who have it) tend to be of the opinion that it is more of a "management" type certification instead of a more technical one.

Here is my planned cert path; my role is security officer: ITILv3 > CISM > ISO27001 lead auditor > CISA > CISSP. I'm currently waiting for my CISM results and will participate in ISO27001 training + cert next week ;)

Go for data scientist. Big data.

Big Data is a hot field.

Pretty pricey, but the SANS GSEC cert is worthwhile. It's very much a technical certification.

How about the CSX from ISACA? Anyone found that interesting or "hot" recently? https://cybersecurity.isaca.org/csx-nexus

One additional thought is that, as important as certificates are, networking and knowing people and having contacts is even more important. Specific to a certification, it depends on what you are doing. I would choose something that is focused on your interest, or the CISSP is a good general starter.