IT security is one of the largest growing sectors in the IT field overall and as such IT security professionals are in high demand. As a result, security field employers are using certifications more and more as their baseline for evaluating and comparing security professional position candidates. As an IT security professional, I have gone through many certifications in my career.
Here is an overview of the major IT and security certifications I have obtained:
Cisco Track CCNA, CCNP: As many Security professionals, my journey in IT certifications started with Cisco routing and switching track, as I was in the networking field prior to the security field. Cisco certifications are highly technical and very demanding in terms of hands-on abilities on routers and switches. Cisco certifications gave me a strong knowledge on networking technologies and a deep understanding of routing protocols. Currently to obtain the CCNP certification, three exams are required (routing, switching and troubleshooting) after CCNA. Like all Cisco certifications, CCNP is valid for three years and requires taking a professional level exam or expert level written exam before expiration date, in order to renew certification.
Security+: This is the first certification to think of for a junior IT professional aiming to specialize in IT security field. CompTIA Security+ is an international, vendor-neutral certification that demonstrates competency mainly in network security, threats and vulnerabilities, access control and identity management. This was my first step in the IT security world. It was not highly technical; instead, it was more focused on learning the terminology and basic security concepts used by security professionals. Security+ is valid for three years and requires taking the exam in order to renew certification before expiration date.
CISSP: After gaining the required five years experience in the security field (with a strong networking flavour), I took the CISSP exam. This is a very demanding certification with a large volume of documentation to walk through. It took me about 4 months to finish the Shon Harris study guide (studied only during the weekends), then about a month to practice CISSP exam like questions. CISSP is not the most technical certification but by far the most complete one in terms of security subjects’ coverage. It took me around four hours to finish the 250 questions of the exam. CISSP is valid for three years and gaining CPEs is required to maintain and renew the certification.
CEH: It is much more technical than the Security+ certification and focused on penetration testing methodology and various hacking tools. I can’t say I learned pen testing with CEH. Indeed, prior to taking the CEH exam, I already had some experience on pen testing and security assessments, CEH gave me a strong knowledge on methodology and the targets to be defined for each step in the pen testing process. CEHv6.0 was more focused on tools whereas the new CEH curriculum CEH v7.0 is more focused on methodology with an OWASP flavour. CEH certification is valid for three years and CPEs are required in order to maintain the certification.
CISA: CISA is a well known audit certification, most probably the oldest certification in the field of information systems audit. The CISA exam was focused on IT governance, Risk management and General IT audit process & methodology. Unlike the CISSP exam, which I found to be pretty easy; this exam was hard, really hard. Indeed, few questions were of a technical nature and the business process and risk management related questions were very subjective and ambiguous. Just like CISSP, CISA is valid for three years and gaining CPEs is required to maintain and renew the certification.
The journey is not finished yet; this year I’m targeting GIAC certifications and will focus more on audit process, risk and security program management.
What has your certification path been like? Are there any certifications you would highly recommend? Do you agree or disagree with emphasis and importance that employers place on certifications during the hiring process?