There are plenty of certifications out there to choose from in the market. My opinion is based on the market value and my own experience working as an employee and an entrepreneur. My reviews will be blunt and to the point, so proceed at your own risk!
Keep in mind, I have gone through most of them and realize what value they add to your CV and to an employer as well as the knowledge attained.
Disclaimer: Unfortunately, none of the below mentioned companies pay me for anything! I endorse what I believe in and provide my honest opinion without fear of “what people will say”.
ISACA, (ISC)2, EC-Council are the most popular organizations that provide security certifications.
I would divide the tracks into 2 areas of focus.
Technical
- CCNA/CCNP Security
CCNA Security is great to learn all the technical terminology out there for security. There is A LOT. And I’ll be honest, Cisco is one of the leaders in networking products. They do a great job in covering security topics with their wide product line.
CCNP is where I think you get little value as it’s mostly about Cisco Products! Unless you will be dealing with ALL the Cisco Security products (not a real world scenario), this may be a waste of time and effort as there are 4 exams that get you to CCNP!
- CCIE Security
Again, heavily product focussed. Most companies I’ve worked with have a mix of vendors, Juniper, Palo Alto, etc. It’s GREAT for your CV and landing you a good job as you get a CCIE logo! But you don’t get much real world knowledge out of it. Cisco has done a great job in setting a market standard and brainwashing the masses that if you have a CCIE, you are the God of Networking. That’s certainly not true. The impression is there, the feeling is great, but the journey is difficult and you use only a tiny fraction of the convoluted lab scenarios you go through!
I have used probably <10% of my CCIE R&S knowledge in the real world. Let’s be honest, how many networks do we know running MPLS, BGP, OSPF simultaneously requiring mutual redistribution, with HSRP and VRRP, multicast PIM AND Sparse mode, mixed security configurations, and a whole lot of other BS going on! If you ever see a network like that, then most likely the implementation guy was practicing a CCIE lab on someone’s network!
Similar to the CCNA Security but better as it’s vendor neutral and covers security topics in much more breadth, not so much in depth, but more than enough to get a great understanding of each topic as a whole. There is a lot to learn here and this is an excellent baseline.
It is also a requirement in the Department of Defense.
Excellent for putting all that hacking knowledge and experience to use! This certainly solidifies your understanding of certain basic protocols and processes you take for granted, like DHCP, DNS, ARP, TCP, etc and how to exploit them with the intention to know how to protect yourself from them. It sort of gives meaning and excitement to the otherwise boring realm of security. EC-Council does require proof of at least 2 years of security experience if you don’t take their boot camps.
If you want to go deeper into this field, then a Licensed Penetration Tester (CPT) is the logical next step.
This is unlike any other exam. It’s a 24 hour exam with real world scenarios! You are tasked to hack into an isolated virtual network. You are tasked to discover vulnerabilities and compromise the system. At the end you must submit a penetration testing report and are awarded points accordingly. This is probably the most challenging and authentic certification and not just because it’s not backed by billion dollar companies.
Security Architectures
These are great if you don’t want to go too deep in the bits and bytes of technology and if you’re great at articulating the overall picture. Some may say it’s a great progression from technical to solution architecture, but both fields have their place and people. Not everyone can handle the intricacies of tech junkies. Having an overall architectural approach also requires a certain mindset and talent.
This is one of the most valuable and advanced-level security certifications in the market, from an employer’s standpoint. It is mainly for security architects who are involved in the design and management of information security in an organization. The roles you’ll see this most often in are: Chief Information Security Officer (CISO), Director of Security, Security Auditors and Architects, etc.
It requires 5 years of experience in security.
Certified Information Systems Auditor, as the name implies, is targeted for Security Auditors. Job roles for such individuals usually entail auditing IT systems against regulatory compliances like HIPAA, SOX, NIST, etc.
Certified Information Security Manager, as the name implies, is made for Security Managers. It is an intermediate level certification and is quite common in that role. Responsibilities of people in this role are usually management of risk, disaster, policy, standards, compliance and overall IT Security Management.
Both CISM and CISA require 5 years of experience.
They advertise this cert for a hands-on security role. Like most, it provides a good overview of security technologies, with a focus on the practical administration side.
Although none of the big certification companies offer this, this is probably one of THE most effective ways of getting information quick (Hacking). The best resource by far is by Chris Hadnagy. Just youtube him and you’ll find tons of resources. Follow his blog and podcasts on his website. His methods and training are well established with many years of experience and research.
It is the art of influencing people to give out information that they normally wouldn’t.
Learning Resources
A lot of people ask me where to get started and what the best resources are. So, here are my tried and tested methodologies:
1. Online Video
Start with online videos, the BEST is CBT Nuggets. They have a great approach to education! Their videos are short (5-10mins) and funny! Let’s face it, we all have a short attention span and to bring humor to such boring topics is just pure talent! I love their doodling, pictures, animations and live demonstration. Lynda.com is also good, short and concise videos (free for .edu emails), but not as good as CBT Nuggets. Youtube is also a great source for learning. There are tons of free educational playlists around security training.
2. Courseware
I’m not a book guy, I prefer the pdf versions as you can’t do Ctrl+F on a hard copy! Short guides on the certification topic are great.
3. Dumps
Just so you know, Brain Dumps are a violation of exam policies and the certification authority has the right to revoke your certificate if they find out you’ve been using dumps.
That being said, if you’re preparing to give the exam, it should be no surprise that almost everyone views dumps to get a feel before they attempt the exam. If you say, no not me, then you are in the minority. People don’t mention it because they think it’s taboo or cheating! Did you ever notice how accurate they are? Cisco has 100’s of small certifications out there for every single topic. If you as a Cisco Partner want to sell a certain product or get incentives, the company must have certain certified individuals. No one has time to take so many product exams. Most of it is marketing fluff. I personally don’t believe in exams or standardized test taking as a measure of skill. I know plenty of people who’ve failed exams like CCIE labs and are way smarter at problem solving in real life than any certification could prove. At the end of the day, the vendor makes money by you giving the exam and selling their product. But as long as you are judged by the certificates in your CV, they will always hold value. Don’t get me wrong, certifications are a “quick and dirty” way to judge a person’s abilities without digging too deep, if only the content and methodology was right.
Brain dumps are not the right path. The proper way to go about any exam is to take a class (if you have time and money), watch videos, read the official exam guide books/pdf and research on Google the individual topics that are still not clear to you. Exam dumps should only be looked at after all this just to know the structure of the actual exam (I repeat, they are a violation even to look at and can cost you your exam and be banned from ever taking it again). Never rely on them as they could be wrong and worse, the vendor may have set up a honeypot-like trap for you where they collect names of people who buy them. But people will find plenty of alternate sources (hint: torrents, forums, etc). The questions most people get wrong are not the technical ones. It’s the ones in the grey area. The ones that require pure memorization unfortunately like the marketing, statistics, products and opinionated questions.
Remember, test taking is a skill, you have to answer what they want you to answer, not necessarily the right choice. There are no “depends”. The test bank seldom changes. I’ve taken a few exams multiple times over the years with the very similar Q&As. I’m not sure why they don’t change it up more frequently, it’s quite easy to do so!
Don’t get too intimidated or disheartened if you don’t pass exams. Standardized Tests/Multiple Choice Questions (MCQs) only prove one thing, you were good in taking the exam!
For some, exams don’t mean a thing. Most 14-20 year old kiddie hackers haven’t even heard of the above certifications and could care less. Yet they could teach a few! But for career growth and to add some shiny new dubs to your CV, you must have a go at them.