8 Most Difficult IT Security Certifications
By Michael Hess (career, career progression)
Making a career in IT security requires both experience and certification. Organizations are increasingly aware of the need to have top-notch infosec people and when hiring, they use security certifications as one way to screen candidates.
Of course, everyone must start somewhere, and you can bootstrap yourself into IT security (as we wrote about recently). But once you set out on the infosec track, there are loads of certification options. Some certs are relatively easy. Others are notoriously difficult.
We recognize that exam difficulty is on a sliding scale. It all depends on how much you know, how much you studied, and the amount of hands-on experience you bring to the exam. If you're brand new to IT, Net+ might be tough. We know from experience that several of the advanced security certs on this list give some people trouble, while others breeze right through.
It's even harder to rank a certification's difficulty because testing organizations don't necessarily release pass rates.
However, there's plenty of chatter about the relative difficulty or ease of obtaining IT security certifications. From those opinions and some input from CBT Nuggets trainers, here are the eight most difficult IT certs.
8. Systems Security Certified Practitioner (SSCP)
The SSCP certification from (ISC)2 is the only entry-level security certification on this list. It's roughly on the same playing field as CompTIA Security+ (at least according to the Department of Defense). But, it's on here precisely because it's an entry-level exam that goes deep.
It has seven domains intended to validate what you learned in the first year on the job as a security professional. Again, that means you should first be in a security role, which is something you typically graduate into as an experienced IT professional. In other words, your first IT job ever probably won't be in security.
You're required to have a minimum of one year of experience. Then you must pass a 3-hour, 125-question, multiple-choice exam with a score of 70 percent or better. Once you're an SSCP, you also must re-certify every three years by earning 60 Continuing Professional Education (CPE) credits.
SSCP certification is one of the US Department of Defense (DOD)-approved baseline certifications for both Level I and Level II Information Assurance Technical (IAT) certifications.
7. CCNA Security
Unlike the SSCP, CCNA Security is vendor-specific and focused on the security of Cisco networks. CCNA Security is also approved for both DOD Level I and Level II IAT baselines, and because it typically carries more weight with private employers than the SSCP and Security+ certs, CCNA Security tends to be a better "door opener" than either of them.
Some people have expressed surprise at the depth of knowledge required when sitting for the exam. As one person put it, "The exam is fair, but difficult." Cisco exam objectives are a great starting point to study for the CCNA Security, but hands-on experience is the best way to pass this tough exam.
6. GIAC GSEC
The Global Information Assurance Certification Security Essentials (GSEC) is an intermediate-level infosec certification that is DOD-approved for Level II IAT security technicians. If you have networking experience, you may find the GSEC topics familiar. It has a lot of definitions and a ton of incident handling. It's also deceiving because it's open book.
Don't let the open-book format fool you. You really need to know your stuff, and not just security-wise, even though the cert has "security essentials" in its name. Security means you've got to know it all, and security certs can throw anything at you.
The GSEC exam is a 5-hour, 180-question, open-book exam. The exam is proctored and candidates pass with a grade of 74 percent or better. The GSEC exam tests the candidate's understanding and problem-solving skills with scenario-based questions.
The GSEC is valid for four years and can be renewed with 36 Continuing Professional Education (CPE) credits.
Note: Again, though this certification is called "security essentials," it actually also implies "networking essentials." We recommend that you brush up on material from CCNA, CompTIA Network+, and IPv4 subnetting.
5. White Hat Hacking
White hat hacking is focused on preventing the most common attacks and on securing systems and networks.
White hat hacking is designed to ensure a strong understanding of hacking practices including footprinting and reconnaissance, scanning networks, SQL injection, worms and viruses, DoS attacks, social engineering, and honeypots.
With the increasing number and awareness of cyber-attacks, white hat hacking resonates with many employers.
4. Certified Information Systems Security Professional (CISSP)
The Certified Information Systems Security Professional (CISSP) from (ISC)2 is arguably the current gold standard of infosec certifications.
It's an advanced-level certification for IT security professionals and is recognized and valued by both industry and government employers worldwide. Like CASP, CISSP is approved as a DOD baseline for Level III IAT security technicians. That's where the comparison ends.
CISSP certification is designed for security professionals who develop information security policies and procedures. This is the most advanced certification we've discussed so far, and for many candidates, it may require up to a year to prepare for the exam.
The certification exam is a 6-hour, 250-question monster. And in order to take the exam, you must prove that you have worked at least five years as a security professional. That's important. They have fairly strict requirements for counting security experience. There's a little wiggle room in the five-year experience requirement with a four-year degree, but it has to be the right type of experience.
Without the requisite experience, you can pass the exam, but you'll remain an (ISC)2 Associate until you reach the minimum number of years. And not all experience is counted.
You must also be endorsed by an (ISC)2 sponsor. If you don't have a sponsor, that's alright. You just need to perform a couple extra steps to be endorsed by (ISC)2.
As you can see, there are a lot of hoops to jump through to become a CISSP. Once you're a CISSP, you must re-certify every three years through at least 120 hours of continuing professional education, and you must pay a yearly $85 fee to maintain your certification.
It's intensive but definitely worth it.
3. CCIE Security
Of course a CCIE is on this list. Every CCIE is going to be tough, and CCIE Security is among the toughest out there. To earn it, you sit for a 2-hour written exam — and then pass the 8-hour lab. To put this one in perspective, the average CCIE candidate takes the lab 2.3 times before passing. But if you can get through it, then you'll be among the roughly 4,000 people in the world who have passed this exam.
2. Offensive Security Certified Professional (OSCP)
The second most difficult IT security certification is the Offensive Security Certified Professional (OSCP). As the name suggests, this cert is designed for security practitioners who are involved in the penetration testing process and lifecycle.
Why is this certification difficult? Well, to even be eligible for the exam, candidates must first complete the "Penetration Testing with Kali Linux" training course. If you're interested, Keith Barker covers some of that ground in his CBT Nuggets course Penetration Testing with Linux Tools.
The OSCP certification exam itself is the famous (or perhaps infamous) 24-hour marathon exam where you have to bag as many machines as you can in a massive virtual environment. The candidate must then submit a comprehensive penetration test report at the conclusion of their exam.
This certification is a true test of the candidate's penetration testing process expertise. It's close to the most arduous exam we've encountered, except for this next one.
1. GIAC Security Expert (GSE)
At latest count, there were only 228 GSEs in the world. You can go for the GSE after passing GSEC, GCIH, and GCIA (with Gold status on two of them), but most GSEs hold 8 GIAC certs. The cert itself consists of a multiple-choice exam, a research paper, and a two-day hands-on lab.
An interesting aside: The first hands-on GSE exam pitted GSE #1, John Jenkinson, and GSE #2, Lenny Zeltser, against one another in a red team versus blue team exercise scheduled for five days. They called it after four and a half days.
There's no question that the concern for the security of information and networks continues to drive the need for qualified — and certified — infosec professionals. We've listed eight well-known practitioner certifications that are hard to earn.
There's no such thing as a one-size-fits-all certification plan. As you enter and progress in the expanding field of information security, you need to tailor your certification path according to your personal situation and goals, and get the right experience.
Do you have another cert that should be on our list? Do you agree with our selection and ranking of security certifications? Tell us about it.