What’s the right IT/Information Security Certification for me?

What’s my current level of knowledge in the field?

If you are taking your first steps in the field with a basic knowledge of information security, a good option to start with is the SANS GISF certification, which doesn’t require previous security experience (although it is recommended) and consists of a 150-question, 4-hour examination. The GISF in my opinion is one of the best certifications for newcomers, since you’ll not learn “HOW” to create a firewall rule, but “WHY” instead. Every security professional, regardless of whether technically or management focused, should have an intrinsic understanding of why information needs to be protected.
On the other hand, if you’re a seasoned information security professional, I recommend you sit for the Certified Information Systems Security Professional (CISSP) exam. To become a CISSP you are required to have a minimum of five years of direct full-time security professional work experience in two or more of the ten domains of the (ISC)2® CISSP CBK®, or four years of direct full-time security professional work experience in two or more of the ten domains of the CISSP CBK with a college degree. Alternatively, there is a one-year waiver of the professional experience requirement for holding an additional credential on the (ISC)2-approved list. Let me stress something here: DO NOT START YOUR INFORMATION SECURITY CAREER BY PURSUING/ACHIEVING CISSP. If you want to become a successful professional, do it right: get yourself some entry-level certifications, land a security job, get experienced, and only then go for CISSP.

For the technical professionals out there, most of the domains have specific certifications to be achieved, always starting from a basic, introductory level and moving on to more complex topics. The higher you go, the more prestigious your career becomes. Needless to say, memorizing questions for the certification exam doesn’t bring any value to your career. A certification should be seen as a means, not as an end.

Do I hold any other certification?

Since every career path is different, let me show you how I chose to build up my own:

When I was a non-certified technical professional working in operations, I analyzed my career at that very moment and chose the certification whose benefits I could reap as early as possible. Achieving vendor-specific certifications rewarded me with salary raises every time I added an acronym to my signature. That’s a fact: being certified gives you a stronger position to bargain for better conditions with your current employer, and also demonstrates your commitment to your career. As for which one to go for, I can’t give you precise directions since there are many specializations in the infosec field, but you might be able to figure out the best one for you without much effort. Some options would be CCSA, SSCP, Security+, GISF, GSEC, and so on.

PS: I know some certifications I’ve mentioned here are not vendor-specific. They are listed because of their entry-level nature instead.

Once I held a few certifications, I looked for longer-term prospects. My career started to lean towards governance/compliance, and that was when I decided to go for CISSP (or CISM, depending on your expectations). After achieving the CISSP, I identified the topics in which I could further strengthen my position as a manager and pursued ITIL and PRINCE2 certifications. That was the best long-term decision I could have taken: I was a security manager, juggling projects in one hand and ITIL/COBIT in the other. The knowledge absorbed through the certification process helped me to identify and work on my weak spots, leading me down the path of becoming a well-rounded manager.

Thinking further about my career, I understood that becoming an independent consultant is one of the natural paths my career might take. That’s when I decided to go for CISA and ISO 27001 Lead Auditor. The illustration below should give you a better understanding of my recommendation:

[Illustration: information security certification path]

What are the financial/logistical requirements to achieve and keep the certification in good standing?

Some other factors to consider involve the budget required to achieve/keep the certification and the recertification requirements of the vendor/institution. Some recertifications require you to pass an updated exam, while others call for continuing education credits. The process of (re)certification may be pricey when all the costs (test fees, study materials) are added up. However, in today’s highly competitive IT environment, maintaining your certification makes it easier for you to land information security jobs, and since you have already spent a considerable amount of resources/energy to become a certified professional, recertification is a must. Just to wrap this topic up, treat the whole certification process (learning about the certification itself, studying, getting ready for the exam, taking the exam and so on) as an investment in yourself. It’s like going to the gym: sometimes we are comfortable with our looks or current condition, but we can always get better.

Finally, make sure to do your homework and don’t buy into the hype offered by many vendors who claim that their security certification offers the best opportunities to be hired for the best security jobs. Study the requirements of your organization carefully to decide which certification best suits its needs and the responsibilities of your current information security career. If you are considering security certification in order to shift careers, make sure to look carefully at the objectives of every certification examination to see if it meshes with your desired career objectives.

That’s all for now, readers! The topic is lengthy and complex, and impossible to cover in one go. If you have any questions about certifications, please send them to our e-mail and I’ll do my best to clarify!

Adriano Dias Leite.

PS: As usual, leave a comment if you (dis)like the article! It’s always important to hear what you have to say.

Comments (9)

  1. Hi Adriano,
    Hope you are doing well. It is a brilliant article which has helped me to decide my career path logically.
    I am an IT security and governance graduate, looking forward to becoming an IT Auditor (Risk, Compliance & Governance) in future. I do not have relevant work experience, but so far in my education I have learned and implemented many aspects of information security and auditing (as per the ISO 27K suite).
    Can you please suggest a certification which does not require any work experience as an eligibility criterion and at the same time is competent enough to land me a job? I do understand that certifications don’t guarantee a job, but in today’s world they are a necessary requirement to get noticed by HR.
    Kindly advise.

    Thanks and regards,

  2. Logan says:

    Nice Post Adriano.

    What do you say about an Associate CISSP (a person who has passed the exam, without 4 or 5 years of experience)?
    I have around 2 years of experience as a Security Engineer (AppSec/VA/PT). Can I go for Associate CISSP? If not, what certification do you suggest?

  3. Ayomide Philip says:

    Thanks for this mail. Are you saying that as a 23-year-old graduate in Computer Science who wants to start a career in InfoSec, GISF is first? I actually just joined a training that would cover Network Management, RF engineering, Transmission and GSM engineering. Can you tell me how I can relate InfoSec with Networking, or how I can relate InfoSec with this training? What are those things I must do to link those trainings with InfoSec certifications?

  4. Alexandre Marson says:

    Thanks for posting this… it is exactly what I was looking for. I recently immigrated to Canada and am looking forward to entering this career. Will start looking around for certifications…
    You may wanna publish the below… just so people get a little more excited over being in ITSEC… 🙂

  6. Vincent Senatore says:

    Eugene, you do realize that the statement “Mainframe is dying” was made around 1990, and I am still waiting.
    But as for changing jobs, why? I am good at what I do and I enjoy my work.
    As for your statement on cost, you should look into how many UNIX servers can run on a z/OS system with no additional hardware cost.

  7. Eugene Williams says:

    Vincent, that’s because there’s no market for certifying mainframe environments. The whole world is going for PCs/servers and cutting costs, and throw in Green IT – VMware etc. Perhaps it’s time you consider changing jobs?

  8. Vincent Senatore says:

    This is a bit of a rant, but:
    What I want to know is how come the certification community has left out the professionals who secure the z/OS mainframe environments, using CA-Top Secret, CA-ACF2 and IBM’s RACF?

    I am a z/OS mainframe security analyst/architect and administrator (since 1983) using CA-Top Secret, who has been involved in all phases of security implementations. On the mainframe we have to know how applications run and what resources are available for use within the application so we can secure them.

    In general our security knowledge usually requires knowledge of how system software, applications, FTP, encryption certificates (build and allow usage), and UNIX System Services interact with the z/OS system.

    So I guess my question is why SANS, ISC2, plus IBM and CA have not gotten together to create certifications for these professionals.


  9. Thanks for posting this.