
Which credentials of the sub-list of IT certifications (as per the Information Systems Security Association) would be considered MUST HAVE for an IT Security specialist?

  • CEH Certified Ethical Hacker
  • CIPP Certified Information Privacy Professional
  • CISM Certified Information Security Manager
  • CISSP Certified Information Systems Security Professional
  • GIAC Global Information Assurance Certification
  • LPT Licensed Penetration Tester
  • AHC Anti-Hacking Certification
  • AISC Advanced Information Security Certification
  • CHFI Computer Hacking Forensic Investigator
  • CPP Certified Protection Professional
  • SSEC Software Security Engineering Certification
kalina
Eric Warriner

5 Answers


None.
Generally speaking, certifications in the security field, much like most other tech areas, are required only for entry-level positions (when you have no experience to speak of), senior positions (when you need the long signature), and government jobs (when you need to answer an RFP to work there).
By themselves, none of these are a replacement for good ol' experience and knowledge.

That said, these are the ones that get more "respect" (that I am familiar with):

  • CISSP
  • CISM
  • GIAC
  • CEH for a juniorish pentester

Also, OWASP is supposedly coming out with their own cert soon, which would probably be respectable enough...

Scott Pack
AviD

I'll agree with @AviD that there aren't really any must-have certifications in Security. That said, CISSP/CISM can be very useful in the hiring process for getting past Agency/HR screening.

A couple of additional ones that I've not seen mentioned so far for the penetration testing side of things:

  • OSCP - I've not taken it but from what I've read it seems quite good
  • CREST - UK specific, but a good mark for testers, in that the exam is pretty rigorous and has a strong practical component, so it's not just relying on written answers.
Rory McCune

For an experienced information security professional, the overarching credential in the UK is Full Membership of the Institute of Information Security Professionals. This is in a slightly different space from the ones listed above, as it is not based on a particular specialisation exam like CISSP or CISM; instead it is based on competencies across the whole field, accreditation and interview by a panel.

There are junior memberships and affiliations, but the aim of the Institute Full Membership is to represent experienced skilled professionals in this field, and on a CV it ranks highly.

(caveat - I am a Full Member, interviewer, accreditor and chairman of the Scottish branch, but also a CISSP and CISM and the positioning of these does work for me in improving the industry as a whole)

scuzzy-delta
Rory Alsop
  • Great background information @Rory, thanks. It sounds more like a professional membership. I have joined the [NZ Computer Society](http://www.nzcs.org.nz/) for similar professionalism reasons. – Andrew Russell May 11 '11 at 06:40

First, GIAC isn't a certification; it's a certification body tied closely to SANS. GIAC produces dozens of different certs, and are generally well-regarded. Second, it depends on what you're looking for. For example, if you're looking for general info, the CISSP is regarded as the standard, though the certification itself doesn't go far to validate actual knowledge or capability--it covers security "a mile wide and an inch deep." But the CISSP does carry a requirement of five years of information security background. I've seen some people with a CISSP that lied, breaching the code of ethics they bind you to. That alone should tell you something about that individual. Another general certification is the GIAC Security Essentials (GSEC).

If you're looking for penetration testing or incident response, the GIAC Certified Incident Handler (GCIH) is a good choice. If you're looking for computer forensics, the GIAC Certified Forensic Analyst (GCFA) is better.

Now, the other "it depends" pertains more to your goals: if you're looking for enrichment and career opportunity for yourself, then having any will help, especially since it allows you to expand your knowledge and experience. The bonus is that it helps show that initiative on your resume. If you're looking for certifications for a new hire, remember that some of these certifications are trivially easy to get.

jth
  • "I've seen some people with a CISSP that lied": Can you give some details on how you mean that? Like, lied about their work experience before getting the cert or lied for something else afterward and what was that? Just curious! – john May 12 '11 at 21:53
  • @john, from the context it seems like he meant the first - i.e. claimed years of experience they did not have, and thus received the cert that they were not entitled to. – AviD May 12 '11 at 23:42
  • @AviD For posterity, I do know that (ISC)2 performs spot audits of CISSP holders to verify that they meet the requirements and will revoke if warranted. So not only a breach of ethics, but also risky. – Scott Pack May 13 '11 at 11:35
  • @Scott, yes, that is true - but it is still relatively rare. Still risky, though... – AviD May 14 '11 at 19:20
  • @AviD I can't disagree, it does feel a bit like an empty threat. My understanding is that their audit percentage is extraordinarily low. – Scott Pack May 14 '11 at 20:24
  • Yes john, AviD has it right. Scott, yes, chances are low, and it would not be all that difficult to forge. (I've actually been audited, both regarding experience and regarding CPEs.) – jth Apr 04 '13 at 18:32

Of course, that depends on which field you're planning to work in. In my line of business - consulting - you have to be able to show which knowledge you have so that a customer can see your experience. However, if you're working in a tech firm and your customers don't see which techies are working on the project, you don't have to worry that much, and then I agree with @AviD. Anyway, if you have the chance you should always get the certifications, since you can prove your knowledge and experience in an "objective" way.

Also note that, for example, CISSP requires a minimum of 3 years (or 5, I don't remember) of experience before you can have the title. So having a CISSP title always shows, besides knowledge, also experience to the outside world.

Scott Pack
Henri