What are the best IT certifications to start with?
Choosing an information security certification depends largely on your business objectives. With so many options out there, it’s best to determine whether you’re looking to further your team’s foundational skills, acquire new technical skills, or validate an employee’s highest level of experience.
Some of the best entry-level security certifications out there include:
- SSCP: The Systems Security Certified Practitioner (SSCP) course is an entry-level cybersecurity course run by (ISC)². It focuses on several core areas of cybersecurity, including cryptography, access controls, monitoring and analysis, networks and communications, and security operations and administration. The certificate is a good way to validate your team’s technical skills and knowledge of security best practices, policies, and procedures. To achieve SSCP certification, an IT professional needs only one year of experience and must pass a three-hour, 125-question exam with a score of at least 700 out of 1,000. SSCP is the first step individuals must take to qualify for the more prestigious CISSP, which we will detail later.
- Security+: The Security+ certification is offered through CompTIA. It’s very similar to SSCP certification in that it focuses on the foundational elements of cybersecurity—risk management, risk mitigation, threat management, and intrusion detection. Professionals with this certification are considered fully equipped to troubleshoot security issues and address viable ways to avoid attacks from occurring. The Security+ test has approximately 90 questions, runs for 1.5 hours, and has a passing score of 75% on a scale of 100–900. Professionals who seek this certification typically have two years of IT experience.
- CEH: The EC-Council hosts the Certified Ethical Hacker (CEH) course, designed to get participants thinking like a hacker so they can mitigate attacks by avoiding common pitfalls, like network vulnerabilities and weaknesses within the IT infrastructure. This certification provides MSP professionals with a more proactive approach to risk management. Individuals must have at least two years of IT experience and pass a four-hour, 125-question test with a minimum score of 70 to receive this entry-level CEH certification. After earning CEH recognition, participants can continue on to take the CEH Practical, a rigorous, six-hour exam that requires the ability to demonstrate advanced ethical hacking techniques, including vector identification, network scanning, OS detection, vulnerability analysis, system hacking, web app hacking, and more to solve security audit challenges.
- GSEC: GIAC Security Essentials Certification (GSEC) was designed for individuals who have not just an abstract understanding of information security terminology and concepts, but hands-on experience with IT systems. GSEC demonstrates the ability to apply security best practices in real-world situations and is a very respectable certification. Interested professionals must take a five-hour, 180-question exam and receive a score of 73% or above.
What types of specialized certifications exist?
Many of the reputable sources outlined above offer courses that focus on more technical skills. These courses and their coinciding certificates provide MSPs with an excellent way to validate the technical skill sets of their team. Some of the most recognized skill-based certificates out there include:
- CISM: ISACA’s Certified Information Security Manager (CISM) focuses on information security management and is a more senior-level qualification—individuals must have at least five years of verified experience within the IT and cybersecurity industries to take the exam. Three of the five required years must have been spent in an information security management role. Interested participants need to pass a 200-question, four-hour test with a score of 450 or above, proving their ability to manage information security programs and respond appropriately to security threats. MSPs with CISM-certified employees have a leg up with their customers.
- CISA: The Certified Information Systems Auditor (CISA) is an American National Standards Institute (ANSI) accredited certification also run by ISACA. Individuals with this certification are recognized internationally for their audit experience, skills, and knowledge as well as their ability to assess vulnerabilities, report on compliance, and institute security controls. Like CISM, those looking to earn CISA certification must pass a 200-question, four-hour test with a score of 450 or above. The exam is considered very rigorous and interested participants must have a minimum of five years of experience with auditing, control, security, or assurance to qualify.
- OSCP: The Offensive Security Certified Professional (OSCP) course and certification is highly respected among industry professionals due to its in-depth penetration testing training and extremely detailed exam. The test requires participants to connect remotely to an isolated exam network and compromise multiple operating systems and devices within a 24-hour period. To pass, they must thoroughly demonstrate and document their information-gathering capabilities, vulnerability detection, and successful attack execution.
Are vendor-run certifications reputable?
Microsoft and Cisco offer some of the most recognized and trusted vendor-run information security certifications in the industry today. Cisco certifications in particular are considered especially challenging and are highly regarded among industry professionals. The Cisco Certified Internetwork Expert (CCIE) exam is said to be one of the toughest exams—less than 3% of those who take the test pass. Those who do pass earn instant credibility. CCIE-certified professionals have demonstrated the knowledge needed to architect, engineer, implement, troubleshoot, and support all Cisco security technologies and programs. These individuals are fully equipped to protect their clients against security threats and vulnerabilities. For a member of your team to qualify for the exam, it is highly recommended they have three to five years of strong industry experience.
If the CCIE is out of reach at this point in time, the Cisco Certified Network Associate Security (CCNA Security) certification is a more approachable but just as respected option. CCNA Security zeroes in on the skills required to develop a security infrastructure, recognize network threats and vulnerabilities, and mitigate a range of modern security threats.
Microsoft boasts a wide range of certifications and exams as well, including Microsoft Certified Solutions Expert (MCSE): Core Infrastructure, which evaluates a professional’s ability to run a highly efficient data center, and MCSE: Productivity Solutions Expert, a certification for those responsible for cloud data and security. While security is a core component of many Microsoft courses and certifications, the company also hosts a few security-specific exams. The most popular is the Securing Windows Server 2016 exam. This certification validates an individual’s ability to implement server hardening solutions, secure a virtualization and network infrastructure, manage privileged identities, and implement threat-detection solutions and workload-specific security. The exam also covers some of the most recent technological advancements from Microsoft, including Advanced Threat Analytics (ATA).
Which cybersecurity course is best?
The (ISC)² Certified Information Systems Security Professional Certification (CISSP) is the most highly regarded and sought-after certification within the IT industry. Individuals with CISSP certification demonstrate they have mastered a wide range of IT security skills and are considered extremely credible experts.
After CISSP was introduced by (ISC)² in 1994 it was quickly approved by the U.S. Department of Defense. It’s the first security certification to meet the ISO/IEC Standard 17204 and has set the bar high for other certifications in the industry. CISSP certification is now available in 114 countries across the globe and is held by approximately 129,000 IT professionals.
Individuals interested in CISSP must have five years of experience within at least two of the eight CISSP-specified domains:
- Security and Risk Management
- Asset Security
- Security and Architecture Engineering
- Communication and Network Security
- Identity and Access Management
- Security Assessment and Testing
- Security Operations
- Software Development Security
Those who want to receive CISSP certification but don’t have the required five years can still take the exam. If they pass, they will be considered an Associate of (ISC)² and will have six years to earn the five years’ experience needed to be considered a full CISSP-certified professional.
The original CISSP exam took six hours to complete and comprised 250 questions, but as of 2017 (ISC)² implemented a new testing method that cuts the test time and number of questions in half. The core content of the exam remains the same, and participants should be prepared to address security management practices, access control, cryptography, security models and architecture, telecommunications, networking, and more at an in-depth level.
For MSPs looking to set themselves apart, having CISSP-certified employees is the gold standard. However, any of the certifications outlined above are highly regarded and will prove to your customers they’re working with a team of qualified, experienced IT security experts.