After a lot of Google and forum searches, I found out CISSP is one of the few valuable certs. Unfortunately, I only have 2 years of experience and don't have any specific experience in security testing. Which should I pursue, CEH or GIAC? Are there any other good options for me?
-
1To answer that we need to know what you want to do with it. What are your goals? – nealmcb May 12 '11 at 05:10
-
I'm aiming for a splendid career in the IT Security field and i need a good start!! – Karthik May 12 '11 at 05:35
-
2I think what @nealmcb means is what aspect of security- testing, management, risk, threat modelling, etc? CEH is an entry level cert for people who want to do security testing. It is simple and quite tools based. The GIAC certs are more complex and require much broader knowledge, and is also appropriate across a wider range of security disciplines. – Rory Alsop May 12 '11 at 06:00
-
@Rory, i was completely unaware that i need to choose a specific type of testing to proceed with :( .. thanks for enlightening. i did a quick search and got [here](http://stackoverflow.com/questions/402705/security-testing-types). if that is the case, i would be interested in, Posture Assessment and Security Testing (or) Operational testing. _p.s. if you think i still don't get it, kindly tel what i should look for and i'll go look for it_ – Karthik May 12 '11 at 06:39
-
1@TheLearner - that isn't what I meant, it was more to clarify whether testing was what you were interested in, or other security fields. As per your comments, I have added an answer. – Rory Alsop May 12 '11 at 07:12
-
@TheLearner, you might also be interested in my answer on this SO question: [What is the day to day role of a Security Analyst/Engineer?](http://stackoverflow.com/q/744956/10080). This can give you a better idea of the various, *very different* career paths in "the security field" (actually, I would call them fields...) – AviD May 12 '11 at 21:40
4 Answers
If you are focusing on Security Testing, the CEH does seem to be a useful entry level certificate. See the answers on this question on professional certifications. It will get you an understanding of the common tools used in the industry and it is recognised by recruitment agencies.
It doesn't give you the broader view of security, as to where it fits in with real world business needs, but to be honest, that will be further down the road for you and when you want to start looking along those lines, studying CISSP (links to free resources here) gives you a wider perspective and it is a very well respected cert.
GIAC is more in depth, and requires more knowledge and experience, but is valued higher than CEH. It is not an entry level cert.
- 61,367
- 12
- 115
- 320
-
thanks.. i already took a look at the link about professional certs and thats where i found that CISSP needs a 5yr exp. for an entry level, i planned to go for CEH.. whats your view on this. _(not that im asking too much questions.. just wanted to know what the experts think about this. a safer side before shifting my career)_ – Karthik May 12 '11 at 07:40
-
CEH also requires some proof of two years of experience in fields related to security. – john May 12 '11 at 09:57
-
@John - but as I understand it you can qualify with experience at university in related fields, no? – Rory Alsop May 12 '11 at 09:59
-
1You may or may not. The official requirement is for 2 years of experience, but can be lifted on a case by case basis upon sending details about education. I imagine they are not very strict though, judging by the certificate itself (of which i have the worst opinion!). I don't know if and how the recent introduction of version 7 of the certificate changed their processes (except doubling the cost..) – john May 12 '11 at 10:07
-
Yeah - the people I know who have taken it say it is very easy, but really is all about the tools, hence entry level. For a new graduate to have it on a CV I think it would be useful to get a foot in the door, but not for anyone experienced – Rory Alsop May 12 '11 at 10:50
-
2@The-learner "safer side before shifting my career" along those lines I would suggest you read this first: http://www.overcomingbias.com/2011/04/what-arent-they-thinking.html .Follow it's recommendations, if you really want to get into security go and attend a few security meetups (meetups.com) e.g. search for your local OWASP chapter. See if you can even shadow a few people for a day. This will give you a lot better idea of you really want a career in security rather than a certificate IHMO – Rakkhi May 12 '11 at 12:15
-
Very good point Rakkhi. Gave you an upvote to get your comment on the first page. – Rory Alsop May 12 '11 at 12:37
In the comments and on chat I ran across some great underlying career advice and I just want to be sure it gets at least "answer" status (if Avid or Rakkhi want to expand on them, I'd be happy to delete this answer)
There is an important career-planning aspect to your question, and deciding what direction you really want to head in is the first, most important step. Here are some great resources:
What are the career paths in the computer security field? - IT Security
What Aren’t They Thinking? - an article from the Overcoming Bias blog on why folks should be out there shadowing folks in jobs that interest them, studying the job market, getting internships, etc. Look before you leap!
GIAC offers many certifications in many areas of security. So it actually gets worse than deciding what type of security testing you're interested in--you may not even be interested in testing!
See the GIAC certification list to see what I mean. If you have any more specific career aspirations than "security" we can help more. Otherwise, the GSEC is a decent entry-level security certification for IT practitioners and security folk alike. Another option you may have available is the SSCP, which requires as little as one year of experience. Also note, that both the SSCP and CISSP grant some credit for college degrees.
- 726
- 6
- 10
-
yep.. i took a look at their certifications and confused!! but i am interested in testing. now again, gsec looks promising, but is it recognized? – Karthik May 20 '11 at 06:36
-
1@TheLearner - yes, GIAC is definitely recognised and has good standing in the industry. – Rory Alsop May 20 '11 at 07:01
If you know the material, take the CISSP. It's a very broad area of knowledge that I do think requires some history of application to understand. You'll technically be an "Associate of" CISSP, but you'll have passed the test. I'm in a similar boat -- I've been working at my current employer for six years, but I don't work full-time. They won't accumulate my 65% work hours.
Experience required can be four years + a college degree, or four years and some other certification that they recognize.
- 38,090
- 9
- 93
- 171
-
so.. if you write the cissp, you'll have a cissp badge and the recognition of a cissp or is it just the associate of isc2? – Karthik May 20 '11 at 07:24
-