Cybersecurity engineer

Security engineer certifications

March 1, 2023 by Kurt Ellzey

It may be a bit counterintuitive to say this, but cybersecurity engineers, also known as security engineers, are not the only people looking for or needing cybersecurity engineering certifications. While some may be full-on security professionals, others may have positions in other IT realms, but working for organizations where security is the order of the day. Because of these reasons, cybersecurity engineer certifications are among the most popular in the field today.

Due to the sheer amount of information that cybersecurity engineering certifications cover, most certification bodies have what they consider to be a “baseline” certification, along with an advanced version of that certification. 

What is a security engineer?

Let’s take a step back for a second and explain what we mean by security engineering. The management lays down recommendations and rules on what needs to be done, the administration makes sure they keep running, but a security engineer figures out how it will all work together. They spec out and design the proposal and then implement the systems, backups and redundancies to ensure that whatever solution is decided upon can do the job far down the line. Additional IT positions also need to understand these basics so they can wrap their heads around the concepts critical to their responsibilities. 

DoD 8570 compliance

We’ll also address an essential element that many looking at security engineer jobs need to consider — Department of Defense Directive 8570 compliance. DoD 8570 isn’t a certification on its own but rather a set of guidelines and preparations that a person must meet before being granted access to a DoD network. Each tier of requirements has its own set of compliant certifications, so if you’re looking at a higher-level position, you’ll need a different certification than someone starting at an entry-level position. 

Even if you aren’t looking directly at a DoD security job listing, many other positions in IT that perform classified or other high-security tasks require cybersecurity certifications, regardless of your responsibilities. Because of this, employees must either already have the specified certification or obtain it within a specified period after being hired. 

As certifications change and requirements evolve, the Compliance Matrix adapts to what is necessary at each level of employment. As a result, you’ll want to check the DoD Approved 8570 Baseline Certifications for the latest information. You can also read Infosec’s DoD 8570 IAT certification and requirement article to learn more. 

Here, in no particular order, are the top six security engineering certifications. 

Security+ CE

Certification body: CompTIA

Is this certification DoD 8570-compliant? Yes

CompTIA has pretty much written the book on vendor-neutral certifications, with many people first starting in IT studying for their CompTIA  A+ or Network+ certifications. It’s incredibly convenient for these test takers to continue to Security+. Even though there are no prerequisites to take the Security+ exam, CompTIA’s Career Pathway recommends taking the Security+ exam after the A+ and Network+. 

While Microsoft, Cisco and other vendor-specific certifications want you to learn the official way of handling things, CompTIA often showcases methods that “just work” in the real world.

According to CompTIA, “More choose Security+ for DoD 8570 compliance than any other certification.” Security+ is undoubtedly more advanced than the A+ and Network+ but doesn’t have the time or experience requirements that some of the other certifications on this list need. It can therefore be a great first step for someone starting out or helping others to round out their existing set of certifications if the jobs they are looking for explicitly require a Security+. 

Please note that CE denotes a continuing education requirement. Simply put, if you earned your Security+ certification during 2010 or later, you have it.

CASP+ CE — advanced security practitioner

Certification body: CompTIA

Is this certification DoD 8570-compliant? Yes

CompTIA flat-out says on their website for the Advanced Security Practitioner (CASP+) that this “is the only hands-on performance-based certification for practitioners — not managers — at the advanced skill level of cybersecurity. While cybersecurity managers help identify what cybersecurity policies and frameworks could be implemented, CASP+ certified professionals figure out how to implement solutions within those policies and frameworks.” 

The CASP+ is a capstone Certification for CompTIA. The path starts with Security+, advances to CySA+ (cybersecurity analyst), then finishes off the cybersecurity pathway with the CASP+. However, having the previous two certifications isn’t required before you take the CASP+ exam. The only real requirement is 10 years in IT administration, with five of those in hands-on security experience.  

CEH — certified ethical hacker

Certification body: EC-Council

Is this certification DoD 8570-compliant? Yes

“To beat a hacker, you need to think like a hacker.” This has been the mantra for the Certified Ethical Hacker (CEH) certification since its inception. 

In cybersecurity engineering, it’s vital to show that your principles and ideas work and are safe and hardened against potential threats. While other certifications such as Security+ and the CISSP work to showcase security for a system by building up in a particular, precise and refined fashion, the CEH takes a big ol’ wrecking ball and tries to crack something in half.

LPT — licensed penetration tester

Certification body: EC-Council

Is this certification DoD 8570-compliant? No

Like the CASP+ is to Security+, the Licensed Penetration Tester (LPT) is a capstone-level certification. This path starts with the CEH, follows up with the Certified Security Analyst (ECSA) and then completes with the LPT. 

The key differences between the CEH and the LPT lie in the objectives and refinement. As discussed above, suppose the CEH is a wrecking ball to test out one specific project.

In that case, the LPT can be considered a scalpel across an entire infrastructure — poking and prodding for any microscopic way in. 

CISSP — certified information systems security professional 

Certification body: (ISC)2

Is this certification DoD 8570-compliant? Yes

The Certified Information Systems Security Professional (CISSP) exam covers enormous material across multiple domains. As a result, it is an excellent certification for consideration across various disciplines. 

It is often considered a capstone certification on its own because it expects you to be familiar with multiple technical and security fields and builds up from there. Even the Certification Body (the International Information System Security Certification Consortium (ISC)²) is aware of this and says right on the official description page: “…but it’s not for everyone.” 

The CISSP is an exceptionally strong certification, but the community surrounding it is one of the best in the world. If you choose this certification, you will be challenged, but you will not be disappointed in the results. 

After passing your exam, you will be asked to be endorsed by an existing person certified by (ISC)2. This is to verify that the exam taker has the experience required to receive the certification. Therefore, it is strongly recommended that you make contact with others who have passed these exams so that they may get to know you and know for certain that you have the required specifications if they decide to vouch for you.

CISSP-ISSEP — certified information systems security professional-information systems security engineering professional

Certification body: (ISC)2

Is this certification DoD 8570-compliant? Yes

Because the CISSP covers so much material, it can be challenging to focus on one particular aspect. Once you have your CISSP, if you have a particular section that you need to dial in on, (ISC)² has what they call “Concentrations” — additional training and certifications that go above and beyond the standard CISSP. 

The CISSP-ISSEP (and yes, that still is a mouthful) focuses on the Engineering section of information security as opposed to the other two concentrations, Architecture and Management. (ISC)² worked with the NSA to develop this concentration, showing how much of a deep dive this certification can provide to test takers. (ISC)² has designed this concentration for professionals who “have the knowledge and skills to incorporate security into projects, applications, business processes and all information systems.”

Security engineer training

Engineering requires knowledge, technique and the proper tools, and these certifications showcase what security engineering can do from a multitude of angles. If you’re looking for a place to start studying, please consider checking out Infosec’s cybersecurity training, especially if you’re planning on going for the CEH — EC-Council highly recommends that you take a training course before attempting the CEH.

Regardless of your method, the rewards that can be received by obtaining the certifications listed above are massive and will continue for a long time. 


Posted: March 1, 2023
Kurt Ellzey
View Profile

Kurt Ellzey has worked in IT for the past 12 years, with a specialization in Information Security. During that time, he has covered a broad swath of IT tasks from system administration to application development and beyond. He has contributed to a book published in 2013 entitled "Security 3.0" which is currently available on Amazon and other retailers.