
8 Most Difficult Information Security Certifications

Katy Morgan


Making a career in IT security requires both certification and experience. Companies are increasingly aware of the need for strong infosec people, and when hiring, they use security certifications as one way to choose candidates.


Of course, everyone must begin somewhere, and you can bootstrap yourself into IT security. But once you start on the InfoSec track, there are many certification choices; some tough, some costly, and some with excellent industry reputations.


We take a look at some of the most consistent IT security certifications from the perspective of how difficult they are to earn.


1) Systems Security Certified Practitioner (SSCP)


The SSCP certification from (ISC)2 is an excellent entry-level security certification. You are required to have at least one year of experience in one of seven designated security areas. Then you have to pass a 3-hour, 125-question, multiple-choice exam with a score of 70 percent or better. The review is inexpensive, costing USD 250, and you must pay a USD 65 annual maintenance fee. You also have to recertify every three years by earning 60 Continuing Professional Education credits.



SSCP is seen as a comparatively easy, vendor-neutral badge to get, and is not as highly regarded as others on our list. However, SSCP certification is one of the US Department of Defense-approved baseline certifications for both Level I and Level II Information Assurance Technical certifications.


2) CompTIA Security+


CompTIA Security+ certification covers network security, compliance and operational security, threats and vulnerabilities, as well as application, data, and host security. Required experience for this certification is two years as an IT admin with a security focus. You will then need to pass a 90-minute, 90-question exam with a score of 750 out of 900.


The Security+ certification is also among the least costly on this list, costing around USD 320 to take the exam. CompTIA Security+ is valid for three years, and you have to earn 50 continuing education units within those three years to maintain your certification.

The CompTIA Security+ certificate is one of the DOD's approved baselines for Level II IAT security technicians. However, many consider it to be too basic and lacking product-specific information. Therefore, it may be underrated by some employers.


Despite these deficiencies, I recently recommended CompTIA Security+ as one of the four best ways to start your security career and even suggested that you should begin with Security+, even before CompTIA Network+.


3) CCNA Security


CCNA Security is vendor-specific and focused on the security of Cisco networks. CCNA Security is also approved for both DOD Level I and Level II IAT baselines and carries more influence with private employers than both the SSCP and Security+ certifications. CCNA Security tends to be a more solid door opener than either the SSCP or Security+.

To become CCNA Security certified, you must have a Cisco CCENT, CCNA Routing and Switching, or CCIE certification and then pass the 90-minute, 60–70 question CCNA Security exam (210-260).


4) EC-Council Certified Ethical Hacker


The CEH is an intermediate-level certification focused on preventing the most common attacks and securing systems and networks.


CEH is designed to ensure a strong understanding of hacking practices, including footprinting and reconnaissance, scanning networks, SQL injection, DoS attacks, worms and viruses, social engineering, and honeypots.


CEH certification requires successful completion of a 4-hour, 125-question, multiple-choice cybersecurity examination with a minimum 70% score. With the rising number and awareness of cyber-attacks, the Certified Ethical Hacker carries weight with many employers. However, there is some controversy about the value of the certification.


Regarding difficulty, the EC-Council maintains tight control over entry to the certification exam. To be eligible to sit for the CEH exam, applicants must attend an EC-Council official training program or present employer-verified proof of at least two years of information security experience.


5) CompTIA Advanced Security Practitioner (CASP)


CompTIA CASP is designed as an expert-level security certification. Although just two years old, it is approved as a DOD-baseline for Level III IAT security technicians.


If you are looking to work in a DOD and government environment, then CASP is a more comfortable option than the CISSP that comes later in our list. However, CISSP has far better name recognition even within the government so even if you choose CASP now, you may need to get CISSP-certified later.


Applicants for CASP are expected to have 10 or more years of IT admin experience, including five years in hands-on technical security roles. The current CASP certification exam is a 165-minute, 90-question, multiple-choice test. The exam is pass/fail, with no grades being published.


6) GIAC GSEC


The Global Information Assurance Certification Security Essentials (GSEC) is an intermediate-level InfoSec certification which is DOD-approved for Level II IAT security technicians. Candidates are required to show an understanding of information security beyond simple terminology and concepts.


The GSEC exam is a 5-hour, 180-question, open-book exam. The exam is proctored, and applicants pass with 74% or better. Although the exam is open book, it tests the candidate's understanding and problem-solving skills with scenario-based questions. You need to know your stuff.


Although a highly respected certification, GSEC is also costly. The exam costs USD 249.

The GSEC is valid for four years and should be renewed with 36 Continuing Professional Experience credits.


7) Certified Information Systems Security Professional (CISSP)


The CISSP from (ISC)2 is arguably the current gold standard of InfoSec certifications.

It is an advanced-level certification for IT security professionals and is recognized and valued by both government and industry employers worldwide. Like CASP, CISSP is approved as a DOD baseline for Level III IAT security technicians. That is where the comparison ends.


The CISSP certification is designed for security professionals who develop information security policies and procedures. This is the most advanced certification I have discussed so far, and for many candidates, it may take at least a year to study for the exam.

The certification exam consists of 250 questions and is 6 hours long. To take the exam, you must prove that you have worked for at least five years as a security professional, and you must subscribe to the (ISC)2 Code of Ethics.


Once you are a CISSP, you must recertify every three years by means of at least 120 hours of continuing professional education, and you must pay a yearly USD 85 fee to maintain your certification.


CISSP makes you a cyber-crime investigator. It’s intensive but worth it.


8) Offensive Security Certified Professional (OSCP)


The final entry on our list of the most demanding IT security certifications is the OSCP. As the name suggests, this cert is designed for security practitioners who are involved in the penetration testing process and lifecycle.


The OSCP certification exam itself is a full 24-hour marathon. It is perhaps the most challenging exam we’ve encountered. It is extremely hands-on, with candidates being given connectivity instructions to a private network, for which they must submit a complete penetration test report after their exam. This certification is a real test of the candidate’s penetration testing process expertise.
