Peter H. Gregory

CISSP For Dummies


Internal Security Assessor): This certification, also from the Payment Card Industry Security Standards Council, is for security professionals within organizations that store, transmit, or process cardholder data. Find out more at www.pcisecuritystandards.org.

       GIAC (Global Information Assurance Certification): The GIAC family of certifications includes categories in Audit, Management, Operations, and Security Administration. GIAC non-vendor-specific certifications complementing CISSP are GIAC Certified Forensics Analyst (GCFA) and GIAC Certified Incident Handler (GCIH). Find more information at www.giac.org/certifications. Several vendor-related GIAC certifications are mentioned in the next section.

      Technical/vendor certifications

       AWS Certified Security – Specialty: AWS offers numerous certifications in architecture, data analytics, and (of course) security. Find out more at https://aws.amazon.com/certification/certified-security-specialty.

CCIE (Cisco Certified Internetwork Expert) Security: Cisco offers several product-related certifications for specific products, including ASA firewalls and intrusion prevention systems. Find out more at www.cisco.com/certifications.

       Check Point Security Administration certifications: You can earn certifications related to Check Point’s firewall and other security products. Visit www.checkpoint.com/certification.

       CEH (Certified Ethical Hacker): We know, we know — an “ethical hacker” is a contradiction in terms to some people, but it provides real business value for others. Read about it carefully before signing up. This certification is offered by the International Council of E-Commerce Consultants (EC-Council). You can find out more at https://cert.eccouncil.org.

ENSA (Network Security Administrator): Also from EC-Council, this certification recognizes the defensive view, as opposed to the offensive view of CEH. You can read more at https://cert.eccouncil.org.

LPT (Licensed Penetration Tester): Another EC-Council certification, LPT takes penetration testing to a higher level than CEH. Learn more at https://cert.eccouncil.org.

CHFI (Certified Hacking Forensics Investigator): Also from EC-Council, this certification recognizes the skills and knowledge of a forensic expert who can detect computer crime and gather forensic evidence. Find out more here: https://cert.eccouncil.org.

       CSFA (CyberSecurity Forensic Analyst): This certification demonstrates the knowledge and skills required for conducting computer forensic examinations. Part of the certification exam is an actual forensics assignment in the lab. Check out www.cybersecurityforensicanalyst.com/ for more information.

       CompTIA Security+: A security competency certification for PC techs and the like. We consider this certification an entry-level certification that may not be for you. Still, you may advise your aspiring colleagues who want to get into information security that this certification is an excellent place to start. You can find out more at www.comptia.org/certifications/security.

       OSCP (Offensive Security Certified Professional): Offered by Offensive Security, OSCP is considered one of the top penetration testing certifications available. Many people consider CEH the entry-level pen testing cert and OSCP the top dog. Find out more at www.offensive-security.com.

      Choosing the right certifications

      Regularly, technology and security professionals ask us which certifications they should earn next. Our answer is almost always the same: Your decision depends on where you are now and where you want your career to go. There is no single “right” certification for everyone; determining which certification you should seek is a very individual thing.

      When considering other certifications, ask yourself the following questions:

       Where am I in my career right now? Are you more focused on technology, policy, operations, development, or management?

       Where do I want my career to go in the future? If (for example) you’re stuck in operations, but you want to be focusing on policy, let that goal be your guide.

       What qualifications for certifications do I possess right now? Some people tackle certifications based on the skills they already possess, and they use those newly earned certifications to climb the career ladder.

       What do I need to do in my career to earn more qualifications? You need to consider what certifications you may be qualified to earn right now and what experience you must develop to earn future certifications.

      If you’re honest with yourself, answering these questions should help you discern what certifications are right for you. We recommend that you take time every few years to do some long-term career planning; most people will find that the answers to the questions we’ve listed here will change.

You might even find that some of the certifications you have no longer reflect your career direction. If so, permit yourself to let those certifications lapse. There’s no sense hanging on to old certifications that no longer reflect (or help you attain) your career objectives. Each of us has done this at least once, and we may again someday.

Remember Most non-technical certifications require you to prove that you already possess the required job experience to earn them. People make this common mistake: They want to earn a certification to land a particular kind of job. But that’s not the purpose of a certification. Instead, a certification is evidence that you already possess both knowledge and experience.

      Finding a mentor, being a mentor

      If you’re somewhat new to infosec (and even if you’re not!), and you find yourself asking many questions about your career, perhaps you would benefit from a mentor. A mentor is someone who has lived your professional lifestyle and been on the security journey for many years.

      We suggest you shop around for a mentor and decide on one after talking with a few prospects. Mentors often have different approaches, from casual discussions to more structured learning.

      If you’re not sure where to find a mentor, start with one or more of your area's local security organizations or activities. You may have to find a long-distance mentor if you live outside a major city, but the experience can still be rewarding!

As you transition in your career from a security beginner to a security expert, consider being a mentor yourself. You’ll find that although you’ll be helping another aspiring security professional get their career started, you’ll also learn quite a bit about security and yourself.