
10 Security Certifications To Boost Your Career
User Rank: Apprentice
10/6/2015 | 2:15:06 AM
So who can actually afford them?
Most organizations won't pay for the certifications if you don't already have them, especially if they don't fit into your current job description. And the price of most of these is a full two weeks' paycheck for most.

They keep saying there aren't enough "qualified" security professionals. What constitutes qualified? Those that sold their house to get certified, or those that can find ways to study but don't have certifications due to lack of funds?

IF they count only those with certifications as qualified, they need to find ways so that those of us that really want to get into the field, help in the field, can get those without selling our first unborn and grandparents.


User Rank: Apprentice
10/6/2015 | 9:17:19 AM
Re: So who can actually afford them?

Hit the nail on the head.  Also, if you aren't in a technical role it becomes even more difficult to get approval from your employer.  I know a lot of good, decent sales people out there that would like to expand their skill set and get the "big picture" when it comes to their clients, and the cost of these certifications forces them into learning through their customers.  This can be fine depending on the situation, but usually it just makes them look incompetent. 
User Rank: Strategist
10/7/2015 | 10:56:49 AM
Alternative sources for education
There's some discussion here on where to get your learn-on from. I think a lot of people are confusing a "boot camp" with actual education. A boot camp that is a week or so long really should be seen as a review for a test. I took one for my CISSP and it helped as it jogged my memory and made me aware of where I was a little weak. However, I don't think you'd pass without background/experience unless you went to a test-question boot camp, good luck on that one. I also don't think an employer would pay for someone to get a MS in an IT related field since that would be the closest thing to getting any real information about a particular subject versus hands-on/industry experience.

That being said, there are plenty of places to get your learn-on from: YouTube, Udemy, SecureNinja, to name a few. YouTube is free and Udemy also has courses for free, a lot of good courses for $10 and if you hunt them down, coupon codes for other excellent courses. With Udemy I have CCNA, CCNP, PMP, some cloud stuff... and I can usually d/l it so I can listen to it during the morning commute or I'll stream it.

There are also places like ISSA and ISACA. I joined ISACA and will be going for CISM review shortly. There are also community colleges that have a lot of IT courses for continuing education as well.
User Rank: Apprentice
10/30/2015 | 11:12:44 AM
Re: So who can actually afford them?
The CISM is a money pit of cash and travel though they do force you to stay up to speed if you take it seriously.

I had to volunteer to be the mascot of the security team for over a year before I now get to play in their sandbox.

I also volunteered for the Veracode side of the house with the Devs to get more experience while still doing my day job of Incident / Problem mgmt.
User Rank: Apprentice
10/6/2015 | 10:49:49 AM
Be creative
If you really want training in infosec you will find a way to get it. Don't wait for an employer to hand it to you. Look for scholarship opportunities and work study programs. SANS has big discounts for people willing to work for their training. If you wait for someone else to make your future for you, you are going to be waiting a long time. 
User Rank: Apprentice
10/6/2015 | 10:56:17 PM
In regards to the CompTIA (SY0-401) Security+ Certification:
The following statement:

"Candidates must have a minimum of two years of experience in IT administration with a focus on security."

is incorrect (or misleading at the very least). Prerequisite implies that something is required beforehand. It is not a requirement to have a minimum of two years of experience in IT administration with a focus on security - or any experience at all for that matter. Unlike most other security-related certifications, it is only recommended that the individual have said experience. They also recommend taking and passing the A+ and Network+ exams first as a prerequisite as well. Personally, I just purchased the voucher, took the exam, and passed as a 1st-time "go". I took it less than a month after earning my B.S. in Cybersecurity, without attempting either the A+ or Network+ exam(s) beforehand. Also, keep in mind that this is definitely an entry-level certification. It has provided little to no benefit for me in gaining an entry-level job in the InfoSec field (even working the most basic "InfoSec Help Desks"), and that's in addition to me having a Bachelor's of Science degree in Cybersecurity from an NSA/DHS approved institution of academic excellence in teaching information assurance.

User Rank: Apprentice
10/11/2015 | 5:18:42 PM
CEH!?! Really?
I am not sure if the Author has completed the CEH vs other Penetration Testing certifications, however it does not hold a candle to either GIAC GPEN or Offensive Security's OSCP. I have completed them so believe that I am in a pretty good position to judge. Pen Testing / Offensive type security must be learnt by doing, it's a lot like coding; CEH is 100% theoretical and because of this, you forget most of it right after the exam.

If any of your readers are serious about Pen Testing or learning the capabilities of a hacker in order to defend against the techniques then I would highly recommend:



3. CEH (if you want to do an organised course, otherwise self training and research is your best bet)
User Rank: Apprentice
10/13/2015 | 10:19:37 AM
Re: CEH!?! Really?
Unlike all the other certs, the OSCP requires actual demonstration of penetration skills on a test network; there is no 'multiple guess' test here. This makes this certification stand out above all others, especially over the "management" oriented certs (CISSP) which can be passed with a minimum of studying and luck on the exam.
User Rank: Strategist
11/3/2015 | 8:07:10 AM
Re: CEH!?! Really?

I agree with your take on the certs.  CISSP is the Ph.D. of management security certs, but not necessarily the practical side.  The SSCP makes great strides to bridge that gap, but does fall short.  The GIAC certs, of which I've attempted one, are good, but totally impractical due to cost.  I don't know how they stay in business with what they charge.  If companies are willing to fork over those funds, oh well.  For most individuals paying on their own - ain't happenin'.  Thanks again for your note.
User Rank: Apprentice
10/30/2015 | 3:11:31 PM
I think that certifications that actually help to ensure an efficient process of constant monitoring and incident response must be included on your list. Talking about security operations, its demand is increasing and it helps to identify huge improvement opportunities.
User Rank: Apprentice
11/9/2015 | 10:21:35 AM
Certifications always pay off...
Agree with everyone who questions CEH - it is a horrible cert.


I hold CISSP, GSIF, GSEC, GCED, GCIH, GSLC, CEH, Security+, Network+, A+, CTT+.  That is 11 total, 5 from GIAC (and CISSP since 1998 - cert # 4181).  I paid for every last one of them.  And every time I did, I advanced my career.


Not holding certs in this industry because they are expensive is a mistake.  Certifications pay for themselves in the long run (yes, even CEH since it sounds cool and can land you an interview).
User Rank: Strategist
2/3/2017 | 11:23:16 AM
Re: Certifications always pay off...
Agree on CEH not being worth the time.  In the last 5 years I have begun discounting the CISSP also.  I have hired two ex-military CISSPs only to find out DoD paid for a boot camp for them to get the paper. One could not have spelled "CISSP" if you spotted him the 'CIS' and the other was only marginally better. We had to let both go. I had another apply who claimed an MS and PhD from a school that has never existed who failed our background check.  I reported him but as far as I can tell nothing has been done about him. 10 years ago the CISSP meant something but apparently it no longer does.
User Rank: Apprentice
11/9/2015 | 11:57:33 AM
Is it just me, or is there a counting problem?
The title calls out 10 certs, but I count only 9 in the slide deck:

2. ISC-squared CISSP
3. ISC-squared SSCP
6. EC-Council CEH
7. EC-Council ECSA
8. CompTIA Security+

As such lists go, this one ain't half bad. I've written extensively about this subject for years, and do a biannual survey of Infosec Certs for SearchSecurity over at TechTarget. I'd love to see what the author would come up with for a 10th item, just for completeness' sake.

One more thing: those worried about the cost of the SANS credentials should look into their various scholarship programs. They're running special scholarships for women in infosec right now, and a pilot program for active duty military (Air Force and Army right now, at Joint Strike Base Lewis McChord in WA state) to help them transition into infosec jobs in civilian employment. Their training is terrific and their credentials top-notch, if costly, so those who are interested should inquire about assistance if money is the only thing holding them back.


Ed Tittel www dot edtittel dot com writes on security topics for Tom's IT Pro, various TechTarget sites, GoCertify, InformIT and PearsonITCertification. Creator of the "Exam Cram" cert prep series in 1997.
User Rank: Apprentice
9/28/2016 | 7:43:11 PM
Re: Is it just me, or is there a counting problem?
That is because the last two were placed together. ;)
User Rank: Strategist
2/21/2016 | 9:15:04 AM
Alternative Certifications
There's been discussion on the relative real use of EC Council's CEH in real world application. Although DOD 4750 lists this certification, it is by no means a must have. Meaning, there are alternatives that match, and in most cases, outperform this over-advertised "one-stop" cert in hacking.

First off, the 4750 is being replaced with the newer Directive 8140 that highlights areas that certifications should match, therefore a specific certification is not going to be required. With the build up and advertising funds that EC Council (Malaysia) has dumped into making people think they are the premiere cert, the Pentagon and other DoD/US Government entities that hired and then forced their employees to gain the CEH have found it did not provide them with the actual technical skills to perform the job. The result was a series of foreign hacking successes reported in the news. DoD is now re-evaluating with the lack of skill with CEH.

This of course is met with vile and anger from those that may hold that particular cert, those that work in the corporate arena and know nothing of US DoD inside talk, or those that think even mentioning this is rude.

I, however, want to get the word out. The competition is fast rising. One such competitor is a company I've seen listed in the newest CompTIA Roadmap 2016 called Mile2. They have the premiere Certified Penetration Testing Engineer course and certification that is listed as Expert by CompTIA. I would like to see more discussion on certification vendors that deliver training that actually teaches the skill set, not fluff and over-funding a certification that was stated to be the end-all of ethical hacking, only to end up short and cause failures.

Mile2 actually was the training vendor that developed CEH back in the early days after 9/11. They continued to train the most people after they developed the CEH course for EC Council. Having personally been through both training platforms, I find that the direct approach Mile2 takes, with a known list of popular tools that are weaved into Labs that are performed by the student, actually teaches the necessary skills that are highly important now.

Recently, as of 15 OCT 2015, EC Council decided to do a major overhaul of their CEHv8 exam to v9 that was unannounced and caused a major failure rate globally. Upon complaints, they dropped the $350 re-take fee down to $250, but the expense and time that students invested in the v8 material was now null and void and those students who chose to re-take the exam had to spend more funding and time to achieve a pass. That is unprofessional and a backdoor under-the-table tactic.

CompTIA, SANS/GIAC, Mile2, Cisco, ISC2, Offensive Security (OSCP), and other vendors give out notifications and warning when updates are pending and never would trash their students like EC Council has done. CEH has fallen from grace due to its own marketing and inferior training. There are alternative training vendors that meet or outperform CEH; I suggest students looking to get into hacking seek out other vendors and stay away from EC Council! You'll only get burned!
User Rank: Apprentice
7/28/2016 | 12:55:04 AM
Requesting info
I've recently enrolled in college for cybercrime but may change it to security. I found out that college looks good on paper but it's the certifications that matter. Can anyone tell me what certs I need and where I can get them on my own time without spending an arm and a leg. Please start with the beginning to advanced please. Any help would be greatly appreciated.
User Rank: Apprentice
6/12/2017 | 9:47:27 AM
Re: Requesting info
My question too

User Rank: Apprentice
2/3/2017 | 9:24:54 AM
About certs
I got my start in the industry as a broke college student.  I saved up for and studied for the exams myself.  I don't agree that you have to sell everything you own to get these.  Some of the certs might be on the more expensive side, but none of them require that you take a class from a vendor.  Buy a book and read it.  Download the free tools and use them.  You'll learn 50x as much downloading and using the tools for six months and reading a study guide on the side than you ever will in a week long course.  You can even borrow the books from your local library, or buy them used online (watch the versioning).  Best yet... check your local community college!  Most of them are now offering classes for computer security; they're pretty cheap and come with 16 weeks of class!
User Rank: Apprentice
6/12/2017 | 9:42:54 AM
Re: About certs
Pls can you give advice on any of the certifications for beginners pls

User Rank: Apprentice
3/27/2017 | 6:33:59 AM
New certification for Software/Application Security Professionals.
Hack2Secure has now come up with its first certification on SDLC known as SWADLP (Secure Web Application Development Lifecycle Practitioner). This certification can give a boost to Security Professionals.
User Rank: Apprentice
9/7/2020 | 8:13:41 AM
Cyber security live online training & certification
Nice post! It is really very helpful for us. If anyone wants to know the details about cyber security live online training & certification
