7 most difficult information security certifications
Demand for information security professionals has grown in the last few years, as more companies are upping the ante on protecting the security of their digital assets. The infosec workforce gap is expected to reach 1.8 million by 2022 — a 20 percent increase since 2015 — according to Frost & Sullivan’s annual Global Information Security Workforce Study (1).
Lack of qualified workers is the biggest challenge for employers. That’s where information security certification is a benefit. Having one (or five) credentials on your resume may instantly bring you to the top of the list if you’re looking for a new job (2).
Current employers, too, see certifications as a measurable professional achievement. While Certification Magazine’s 2018 annual salary survey didn’t find consistency in how certs lead to higher salary (3) — as it did in the 2015 survey, for example (4) — it did find that those who earned a new certification last year were more likely to receive a pay bonus (5).
Which certification to pursue is a question of individual professional goals. However, suffice to say, some are more difficult to attain than others. Here’s a list of some of the top most-difficult information security certifications available.
Certified Information Systems Security Professional (CISSP)
Offered through the globally recognized education nonprofit (ISC)2, CISSP is considered one of the top in the industry and is one of the top-paying information technology (IT) certifications (6). CISSP focuses both on the operations side of infosec and on threat response, covering eight domains of security and drawing from a global, comprehensive and current body of knowledge.
With five years of paid, full-time experience required in IT, this certification has a higher barrier of entry than some others that measure broad-based knowledge. However, it has high credibility and has even been compared to being a CPA (certified public accountant) in the accounting profession (7).
Certified Information Security Manager (CISM)
Another certification that requires five years of experience in the field and is among the top for salary earnings, CISM is provided by the independent nonprofit ISACA and is designed for information security managers. Of the five years of verified experience, at least three have to be in infosec management in a minimum of three out four job practice areas (information security governance, information risk management, infosec program development and management, and infosec incident management).
The credential puts a large emphasis on how those job practice areas tie into an organization’s broader business objectives. Essentially, you have to demonstrate that you can develop and manage an infosec program that aligns with an organization’s goals.
Certified Information Systems Auditor (CISA)
Although it has a narrower focus specific to information systems (IS) auditing, this credential is not only highly recognized, but it’s also becoming more sought-after as regulations are always evolving and expanding. An ISACA certification, CISA (8) requires at least five years of professional experience in IS auditing, control or security.
The rigorous CISA exam covers five domains: IS auditing process; IT governance and management; IS acquisition, development, and implementation; IS operations, maintenance and service management; and information asset protection.
CompTIA Security +
Although entry-level, CompTIA’s Security+ certification could be considered a tough one because it’s typically the first credential that information security professionals pursue once they launch their career. Named by Dark Reading as one of the eight valuable certifications for 2017 (9), Security+ is based on a comprehensive exam that covers areas such as network security, compliance, threats and vulnerabilities, and identity management, among others.
The certification recently became more vigorous, as CompTIA introduced performance-based questions for several of its exams.
CompTIA Advanced Security Practitioner (CASP)
For those who want to demonstrate technical knowledge in the field, the CASP provides an advanced-level credential focused on enterprise-level infosec management (10). A hands-on, performance-based certification, CASP logically continues the path after the Security+ credential.
The areas included in the exam are risk management; research, development and collaboration; and enterprise security operations, architecture, and security integration. CompTIA recommends having at least 10 years in IT admin, including five years of hands-on technical experience; however, this is not a requirement.
GIAC Security Essentials (GSEC)
GIAC (Global Information Assurance Certification) is a certification program administered by the SANS Institute, and like CASP, GSEC (11) is a technically oriented credential that tests more than 30 areas of security. Of 10 GIAC cyber-defense certifications, GSEC is the only one at the intermediate level.
Although the certification itself doesn’t require minimum experience or training, it does involve a high level of technical mastery (12). The test is open-book, but the scenario-based questions add a level of difficulty.
Licensed penetration tester (Master)
Offered by the International Council of E-Commerce Consultants (EC-Council), this rigorous certification requires extensive, advanced knowledge of penetration testing (pentesting). Organizations are increasingly looking for ethical hackers and other hands-on intelligence activity experience, and pentesting mastery is the ultimate level in that field.
As EC-Council describes it, “LPT (Master) training is not comfortable (and the exam is even worse!) but filled with intense stress meant to elicit the best from you (13).” While you only need two years of pentesting experience for this certification, you first have to participate in two of EC-Council’s training programs: Certified Ethical Hacker and the Certified Security Analyst. Both include several days of hands-on training.
All these certifications are vendor-neutral, but various vendors like Cisco and Fortinet also have their own certification programs that have varying degrees of difficulty. The credential you choose should be based on your long-term career goals, but do your research and have a plan so that you can follow a logical progression.
- Global Information Security Workforce Study
- CSO: “Top cyber security certifications: Who they’re for, what they cost and which you’d need”
- “Salary Survey Extra: Does having more certs = having more salary?”
- “Salary Survey PLUS: Cybersecurity certs = big money”
- “Salary Survey Extra: New certifications and increased income”
- CRN: “Top 15 moneymaking certifications for 2017”
- Certification Magazine: “Why certify? One man’s journey from learner to leader to educator”
- ISACA Certified Information Systems Auditor
- “8 valuable security certifications for 2017”
- CompTIA Advanced Security Practitioner
- GIAC Security Essentials
- Daniel Miessler blog article: “A guide to information security certifications”
- EC-Council Licensed Penetration Tester (Master)