Pick the Right Security Certification


As the world gets more connected, it also gets less safe. As more information is exchanged via email and websites, and more people buy goods and services online, more data and money are at risk than ever before.

That’s why people with technical security certifications are increasingly in demand. But there are many certifications to choose from, and which one is right for you depends on your experience and goals. This article gives an overview of the most popular, and most sought-after, vendor-neutral security certifications.

For this article, we’re looking only at vendor-neutral certifications, so product-specific credentials from security vendors such as Check Point, RSA, and Cisco are not included. Vendor-neutral certifications teach general security principles rather than a single product, so they transfer across the widest range of jobs and environments.

Certified Information Systems Security Professional (CISSP)

The CISSP, from the International Information Systems Security Certification Consortium, known as (ISC)2, is generally considered the hardest security credential to earn and the most highly regarded. How hard is it? You aren’t even eligible to be certified unless you have five years of security-specific work experience, and you need an endorsement from someone who can attest to your experience and qualifications.

Passing the exam is not the end of it: candidates may be audited, meaning (ISC)2 can investigate whether you actually have the experience you claim. Once certified, you must recertify every three years.

Is it worth it? Most CISSPs would tell you yes because the CISSP certification is the name hiring managers and others know. It verifies your expertise. As security expert Donald C. Donzal of The Ethical Hacker Network says, many consider the CISSP “the gold standard of security credentials.”

Systems Security Certified Practitioner (SSCP)

The baby brother of the CISSP is the Systems Security Certified Practitioner (SSCP), also from (ISC)2. Like the CISSP, it requires passing an exam, and the same rigorous checks apply: you need an endorsement, and you may be audited.

The main differences are that the body of knowledge tested is narrower, only one year of security experience is required, and the exam is considerably easier. Still, the SSCP is a solid first step into a security career, and it carries the (ISC)2 name.

Global Information Assurance Certification (GIAC)

The other major vendor-neutral certification body is the SANS Institute, whose certification arm is the Global Information Assurance Certification (GIAC) program.

GIAC certifications come in multiple levels. The first is the Silver certification, which requires passing a single exam. It has no hands-on or real-world component, which makes it of dubious value in the eyes of potential employers: all you really need to do is memorize the material.

Above that is Gold certification, which requires writing a technical paper in your area of expertise in addition to passing the exam. This adds significantly to the credential’s value, because the paper demonstrates the individual’s understanding of the subject; you can’t fake your way through a technical paper.

Finally, the Platinum certification is at the top of the heap. It requires a proctored, two-day lab practical after achieving Gold certification. It’s given only at certain times of year during a SANS conference. This could be a stumbling block to some certification-seekers, who may not have the time or money to fly to another city to take a lab test over a weekend.

If, however, you make it through that process, you’ve proven your skills as a security expert. Although not as well known as the CISSP, a GIAC Platinum credential is certainly impressive.

Certified Information Security Manager (CISM)

CISM is administered by the Information Systems Audit and Control Association (ISACA). ISACA is better known for its CISA certification for IT auditors, but CISM is making a name for itself as well.

The CISM has the same experience requirement as the CISSP: five years of security work. Also like the CISSP, it requires passing a single exam. One difference is that CISM holders must complete continuing education every year to keep the certification.

The CISM appears to be as rigorous as the CISSP, and some security pros think it is actually more difficult to get. The reality, though, is that it is still not as well known as the CISSP. That should be expected, however, given that it didn’t exist until 2003.

CompTIA Security+

On the lower end of security certifications, CompTIA offers the Security+ exam. It consists of one 90-minute exam with 100 questions. There is no experience requirement, although CompTIA recommends two or more years of security experience.

Security+ should be considered entry-level only. With no required experience component and a simple, short test, its value is limited. It might open a door for you, but only a crack.