At this time, SANS has the best process and exams. They have mature curriculum, some of the best instructors in the industry and difficult practical exams. In addition, these certifications are currently more recognizable than many of the other industry certifications. However, SANS does have a couple of drawbacks:
- SANS is proprietary. If you want to take an exam, you must enroll in their training program.
- Their practical exams are difficult and time-consuming. While SANS offers numerous exams, only approximately 10,000 people have been certified -- mainly due to the difficulty of the exams.
When researching types of certifications, consider what you want to accomplish. CISSP is a broad exam that provides a good foundation for anyone in the security sector. More people are taking the Certified Information Systems Auditor (CISA) exam, because of the increased government regulations affecting organizations. However, even if you are not and do not want to be an auditor, I recommend taking this exam, because at some point in your career, you'll need to pass audit evaluations and it would be beneficial to understand the auditing process.
Now that we've examined the benefits of the more recognizable certifications, here's an overview of some others:
- CompTIA has an entry-level security exam called, Security+. It does not hold a lot of value in the market, but it is a good place to start if you're new to security.
- If you are a networking professional, you may want to look at Microsoft and/or Cisco's security certifications.
- If you're a forensics professional, look into taking the Certified Computer Examiner (CCE) exam. It's currently the most recognized and respected exam because of its practicality and hands-on approach. Since EnCase is the most popular tool used in forensics, it's beneficial to achieve their certification.
- If you want to be a wireless security professional, look into the CWNP series. You can find information about these at http://www.cwnp.com.
- If you're a government contractor, in the military or work for a government agency, I suggest you look into (ISC)2's ISSEP and their new CAP exam. The CAP is specific to DoD certifications and accreditation requirements.
Although you can benefit from ISC(2)'s SSCP and CISSP concentrations (ISSAP, ISSMP), TruSecure's TICSA or TICSE, and other certifications offered by various training companies, they're not accepted by the industry. Therefore, most employers do not recognize them, so they will not necessarily help with job advancement.
Overall, the CISSP and CISA are useful to almost anyone in the security sector. From there you will need to specialize. There are certification exams that cover broad topics, but they are not as recognized as the CISSP and CISA certifications and overlap in material.
This was first published in January 2006