With every breaking news story about a major hack affecting the data stored by organizations ranging from government agencies to online dating sites, the need for talented people with the skills necessary to prevent the next major data breach becomes all the more obvious.
Yet, it's no secret that there's a shortage of qualified cybersecurity professionals. A report published earlier this year by Intel Security found that 82 percent of survey respondents working in the cybersecurity field in countries across the globe said there was a shortage of cybersecurity skills in the workforce, and 71 percent said that shortage was doing “direct and measurable damage” to their organizations.
There are many ways those skills can be developed. You can go to college, get a degree in computer science, and specialize in cybersecurity. You could lock yourself in the basement, hack everything you can without getting caught, and then bring those skills into the private sector. Or, you could get one of the many professional certifications that are available for people in the cybersecurity industry.
“I can say that through my professional experience of over 30 years, as well as some of the research that I've done, it is important to be really careful to establish a baseline of one or two certifications,” explained Candy Alexander, a longtime industry veteran who directs the Cyber Security Career Lifecycle program at the Information Systems Security Association (ISSA).
It isn't ISSA policy to recommend one certification over another. The organization is supportive of all certifications and training; whatever the group's individual members feel is useful is what the ISSA wants to support.
Alexander, whose program at ISSA aims to serve the needs of everyone from those just getting into a cybersecurity profession to those retiring from the workforce, urges cybersecurity professionals interested in obtaining professional certifications to think strategically. “Beyond [a couple base-level certifications], unless your company pays for it, it may not be worth it,” she recommended. “It may be worth you taking your time and your money and investing it in just-in-time learning. That would mean, for example, if you're on the job, and you already have a CISSP or an Ethical Hacker certification—one of the big ones—then it may be worth just investing in some training classes in sharpening your expertise skills rather than getting a certification.”
While there is a measurable salary boost that comes from obtaining most cybersecurity certifications, Alexander notes that many business leaders have only a limited understanding of what the certifications actually entail. Some positions list specific certifications in their job descriptions; beyond that, companies largely just want to see that candidates have done some professional training.
However, Alexander added an important caveat: If you can get your company to pay for a certification, you should probably do it.
Here is a handful of the popular cybersecurity certifications that are available:
The CISSP is a vendor-neutral certification issued by the International Information System Security Certification Consortium, better known as (ISC)². Launched in 1994, it has since been obtained by more than 100,000 people in over 160 countries. It's widely seen as the single most prominent credential in the cybersecurity field and was developed in conjunction with the NSA. Alexander called it a “magical” certification and recommended that everyone who wants to make a long-term career in cybersecurity at least strongly consider obtaining it.
CISSP covers a wide variety of skill sets within the cybersecurity field—it's largely seen as a generalist qualification that helps job candidates get a foot in the door by proving they have a general competency across much of the cybersecurity field.
Data from Payscale.com shows that obtaining a CISSP certification can result in an annual salary bump ranging from $5,855 to $20,084. The most common job titles for people holding a CISSP certification are Information Security Analyst ($86,726), Information Security Manager ($111,477), and Security Engineer ($98,773).
The 250-question test required to obtain the certification takes about six hours. Candidates need to have at least five years of paid cybersecurity work experience before they become eligible; however, professionals with a four-year college degree (or regional equivalent) can apply for a waiver to become eligible after only four years.
An official study guide for the exam is available for purchase.
Offered by the International Council of E-Commerce Consultants (EC-Council), the Certified Ethical Hacker (CEH) certification focuses on penetration testing—using hacking techniques to discover vulnerabilities in computer systems. The word “ethical” in the certification's title refers to “white hat” hackers, whose penetration of computer systems has the ultimate purpose of making those systems stronger against future attacks.
While there are other ethical hacker certifications, such as the GIAC Penetration Tester and the Offensive Security Certified Professional, the CEH is generally considered the broadest in its coverage. Some of the specialties covered under the CEH certification include network scanning, cryptography, viruses, denial-of-service attacks, and social engineering.
The 125-question multiple-choice exam takes four hours. Courseware for the test costs $850 for people in the United States and $885 for those located outside the U.S. Applicants who elect not to take the training need at least two years of information security experience.
According to Payscale.com, people holding a CEH in the most common positions for that certification receive annual salary bumps ranging between $3,500 and $7,000 over their colleagues without a CEH. The most common job titles for people holding the CEH certification are Information Security Analyst ($80,232), Security Engineer ($92,655), and Penetration Tester ($83,171).
Over 45,000 people around the world have earned the Security+ certification offered by the Computing Technology Industry Association (CompTIA). The generalist certification, intended for people who are relatively new to cybersecurity, covers topics like network security, operations security, application security, access control, identity management, and cryptography.
While other certifications require a set amount of experience in the industry before applying, Security+ has no such mandate. However, two years of security-focused IT experience, in addition to CompTIA's Network+ certification, are recommended before embarking on the program.
The exam, which costs $311 to take, consists of 90 multiple-choice and performance-based questions.
Renewal of the certification is required every three years in order to stay current. A Security+ certification can be renewed either by passing the most recent iteration of the exam or by earning 50 continuing education units through activities ranging from publishing articles about cybersecurity to attending industry conferences.
Payscale.com puts the range for salary boosts coming from a Security+ certification between $1,034 and $4,500. The most common job titles for people holding this certification are Systems Administrator ($43,334–$85,616), Network Engineer ($46,329–$95,235), and Information Security Analyst ($49,830–$97,464).
Created in 1999 by the SANS Institute, GIAC Security Essentials (GSEC) is an entry-level certification for people who wish to demonstrate proficiency in a broad variety of cybersecurity focus areas, ranging from Wi-Fi security to network mapping to DNS security.
The test is a 180-question proctored exam with a five-hour time limit and a minimum passing score of 74 percent. Taking the exam costs $1,099. Unlike many other certification tests, the Security Essentials exam is open-book: candidates may bring printed reference material into the proctored session.
GIAC certification requires renewal every four years in order to stay current. Renewal requires earning 36 Continuing Professional Education credits through activities like publishing technical work, attending graduate-level classes, or demonstrating certain types of work experience, along with a $399 payment due at the time of re-registration. These credits must be earned in the two years immediately preceding re-registration.
The salary bonus accompanying the Security Essentials certification ranges from $3,500 to $9,000, according to Payscale.com. The most common job titles for people holding this credential are Information Security Analyst ($66,192), Security Engineer ($92,188), and Security Analyst ($67,304).
Offered since 2003 by ISACA (a professional group formerly known as the Information Systems Audit and Control Association), the CISM certification is aimed largely at managers. It focuses on managing the risks that come with enterprise IT systems and covers information security governance, information risk management and compliance, information security program development and management, and information security incident management.
In order to apply for the certification, applicants need to prove they've been working in the information security field for at least five years with a minimum of three years doing security management. This work experience needs to have occurred within the decade immediately preceding the application date. However, obtaining certain select credentials—such as the CISSP certification or post-graduate degree in information security—can knock some time off of this requirement.
Registration for the CISM exam costs between $415 and $595, depending on when the applicant registers and whether they're an ISACA member. The exam is held twice a year, once in September and once in December.
Payscale.com lists the annual salary bump provided by the CISM as between $4,000 and $19,949. The most common job titles for people holding a CISM credential are Information Security Manager ($83,229–$149,862), Chief Information Security Officer ($117,208–$219,988), and Information Security Officer ($67,286–$147,333).