A growing number of certifying organizations offer many cybersecurity certification programs. Certifications are crucial for ensuring that IT professionals have the latest skills and knowledge needed to protect their organizations against today’s ever-growing cyber threats. Certifications are seen as critical to professional and career growth.
Professional certifications are a means whereby a specific proficiency level in a clearly defined technology or knowledge domain is demonstrated by passing an exam. This proficiency indication helps employers ensure that job applicants meet a minimum skill or knowledge threshold.
This guide is designed to help security professionals choose the cybersecurity certifications that best align with their career objectives. Individual certifications are not covered in-depth; instead, this document provides an overview of the purpose of the certification process, indicating the role of common certification programs.
Cybersecurity Certification Online?
Obtaining a cybersecurity certification online is becoming increasingly more common. Online academic cybersecurity certification programs (covered in more depth below) are readily available, and some professional cybersecurity certification programs are available online. In other cases, participants can prepare with online cybersecurity certification courses but then take the final certification exam in-person.
Generally, these are the main requirements for both online cybersecurity certifications and traditional certification programs:
- A candidate must meet the educational or professional experience requirements set forth by the certifying authority.
- They must gain the required knowledge.
- They must sit for a test.
Passing the examination is how the certification is earned.
Educational or experience requirements: Nearly all professional certifications require applicants to have worked in the field for a minimum number of years. The number of years needed will vary by credential, but five years is standard.
Often a college degree in a related technology field can substitute for a portion of the required work experience. For example, in defining the work experience requirements for the CISSP certification, (ISC)2 states, “Candidates must have a minimum of five years cumulative paid work experience in two or more of the eight domains of the CISSP CBK. Earning a four-year college degree or regional equivalent or an additional credential from the (ISC)² approved list will satisfy one year of the required experience. Education credit will only satisfy one year of experience.”
Gain the required knowledge: Few candidates will obtain all the required knowledge and skills through their work experience. Certification examinations cover several knowledge domains that span the industry broadly. A cybersecurity professional who has worked for several years as a security analyst in a SOC, for example, may never have been exposed to the security principles involved in software development. They would be ill-equipped to pass the CISSP exam portion that covers software development security.
Most candidates find it necessary to attend a test preparation course before sitting for a certification exam. Exam preparation courses are offered by the certifying authority or its third-party partners. Check with them for the details of a specific certification, but most test-prep courses are offered in three formats: in-person, online instructor-led, and online self-paced. Costs vary accordingly, with in-person the most expensive and online self-paced the least costly. Each student needs to know their learning style; if they learn better in a highly interactive setting, an in-person class may be the best solution.
Sit for the test: Certification examinations should never be taken lightly. They usually take several hours, sometimes longer, to complete. They are designed to test the students’ understanding thoroughly and require critical thinking skills.
For example, some certifying authorities, such as Cisco, permit candidates to sit for their exam online, at home, or in their office. Other authorities, such as (ISC)2, require students to take their test in person at a third-party testing center. In either case, candidates are well-advised to get plenty of rest before their exam date, clear their environment of all distractions, and be prepared to focus intently on the exam material.
Academic Certificates vs. Professional Certifications
Academic cybersecurity certificates are not the same thing as professional cybersecurity certifications. An academic certificate generally indicates the completion of an educational program offered through a college or university. The coursework required to earn a cybersecurity certificate can vary from completing a single course to completing multiple classes and a capstone project.
College certificate programs often pair cybersecurity coursework with computer science, IT, or networking core major classes. An academic cybersecurity certificate helps students who wish to demonstrate to potential employers that they understand the basics of security in addition to their chosen major. A would-be computer programmer, for example, may want to highlight their understanding of cybersecurity concepts to set themselves apart from other job-seeking graduates.
On the other hand, a private organization or company usually offers a professional cybersecurity certification. It is designed for people already working in cybersecurity or a closely related field. Certification shows proficiency in a specific technology or, depending on the certification, may indicate mastery of the principles and concepts of cybersecurity.
Earning a certification is generally the result of passing an exam. Prerequisites for taking the exam often include a related college degree or a minimum number of years working in the security industry. Specific professional certifications are often a requirement for high-level cybersecurity positions.
An academic cybersecurity certificate can enhance a graduate’s employment prospects; however, this guide will focus exclusively on professional cybersecurity certifications.
Who Should Pursue Certifications?
According to the (ISC)2 Cybersecurity Professionals Workforce Study, 2020, “Most cybersecurity professionals (63% worldwide) are currently pursuing or planning to pursue some sort of security-related certification within the next year.” This is one reason why many cybersecurity professionals earn multiple certifications throughout their careers.
The benefits of adding a few cybersecurity certification designations after their name are apparent for anyone who works or would like to work in the cybersecurity field. This guide will discuss those benefits, but security professionals are not the only ones that can boost their careers with security certifications.
Anyone who works in IT, networking, or technology can set themselves apart and increase their workforce value by earning a cybersecurity certification.
Suppose an IT specialist’s job includes helping others to do their work using computers, networks, mobile devices, or any technology. In that case, the specialist can help them stay safe and protect the company and customer data and infrastructure.
By earning a cybersecurity certification, an IT specialist signals to the people they support and to their employer that they take security seriously.
Maybe a technologist doesn’t have reason to signal to others that they understand security, but they want to ensure they keep up with the latest cybersecurity best practices. Studying for and then passing a certification exam will provide a high level of confidence that their knowledge is current and relevant.
Over and above those who don’t work as a security professional per se but want to ensure they are knowledgeable, the primary beneficiaries of earning a cybersecurity certification are those looking for a job or wishing to advance their careers.
Jobseekers generally fall into one of two categories. Some need a particular certification to qualify for the position they want. If a job description lists a certification as a requirement, an applicant that does not hold that certification may be a non-starter.
Some companies have precise guidelines that govern the certifications required within a particular department, to provide consistency across the organization. Other companies advertise, to support sales and marketing, that everyone in one specific department holds one specific certification. They must then enforce particular certification requirements to meet that commitment.
The second category of job seeker that should consider a cybersecurity certification is those who wish to set themselves apart from other candidates applying for a particular position. All other things being equal, hiring managers will favor the candidate with the appropriate certification. Even if a candidate lacks some specified requirement, like job experience or a college degree, holding a certification may adequately compensate for such a deficiency.
The benefits for those wishing to advance in their careers are similar to new job seekers. One notable exception is that people who want to add a certification to their qualifications for career advancement, especially within their current employer, often know precisely which cybersecurity certification will best help them achieve their career goals. They benefit from being able to talk with the decision-making managers before choosing which certification to pursue.
Most industry certifications require ongoing involvement within the security industry or the certifying organization to maintain the certification. This practice is often criticized as being no more than an effort by the certifying organization to build a recurring revenue stream on their certification holders’ backs. This complaint is more valid for some certifying authorities than others.
However, there are two sound reasons for the ongoing involvement, over and above the one-time test preparation and exam costs.
First and foremost, to a large degree, the designation’s reputation as a meaningful certification rests with the certification holders’ knowledge and skills. To stay relevant in the industry, the certifying organization must put measures in place to ensure that certification holders remain abreast of new security technologies, techniques, and practices. They require holders to earn continuing education credits by attending training classes, seminars, and conferences.
Secondly, there is a significant cost associated with establishing, maintaining, and promoting the value of a certification. Who better to bear the burden of these costs than those who benefit most from these efforts, namely, the certification holders?
There exists, in this model, the opportunity for abuse. Free-market competition between cybersecurity certification organizations will cause those designations that fail to provide a value greater than their cost to die on the vine.
Some large employers realize the benefits they receive from certification programs, so they, in turn, provide substantial support to certifying organizations. Many employers will pay the cost of test preparation and exams to provide certification within their ranks.
The Benefits of a Professional Certification
The proper cybersecurity certification will demonstrate that a security professional is at the top of their game in both knowledge and experience.
The demand for certified professionals is at a record high, with numerous workforce studies indicating that the demand far outstrips the number of credentialed professionals.
Increased earning potential: According to Monster, employees with a professional certification make at least 25% more than those without across the board. (ISC)2 boasts that cybersecurity professionals holding a CISSP earn $131,030 a year on average.
Enhanced career potential: If nothing else, a cybersecurity certification says that a security professional is serious about their career. It makes a bold statement that they are not just working at a job. Earning a certification while employed in the field tells their employer that they are interested in advancement opportunities. It signals to potential employers that they are earnest about gaining new skills and technical abilities.
Surveyed corporate leadership told (ISC)2 that they value certified cybersecurity professionals for several reasons: 36 percent said the top benefit for hiring individuals with professional certifications was displaying more vital skills in key cybersecurity areas. Additionally, 30 percent said they have greater confidence in workers with cybersecurity certifications to meet security challenges. And 27 percent indicated that certification holders better know security and privacy trends.
Broader knowledge of the cybersecurity landscape: From a Network+ certification to a CISSP, each cybersecurity certification will require a practitioner to embrace an ever-widening view of threats, vulnerabilities, exploits, and mitigation strategies. Knowledge that is a mile deep but only an inch wide is not conducive to career advancement. A security professional may perform their current job exceptionally well. Still, if the job description changes or they desire to move up in the organization, a more all-inclusive view is needed. Earning a certification will help them broaden their knowledge base.
Become part of a larger community: Whether a person’s certification of choice comes from CompTIA, (ISC)2, Cisco, EC-Council, or another organization, becoming a certified professional gives them access to a community of peers. Certifying organizations go to great lengths to ensure that there are demonstrable benefits in mentoring, peer review, and networking for their members.
Which Certification is Best?
Every security professional’s career path will take a different trajectory. Depending on their interest, experience, and employers’ needs, the combination of professional cybersecurity certifications they choose will vary.
Below is an alphabetical list of fifteen of the more common certifications, with a short description of what each indicates about a holder’s skills.
Certified Cloud Security Professional (CCSP) – Offered by (ISC)², the CCSP indicates the holder has the technical skills and knowledge needed to design, manage, and secure infrastructure and data applications in the cloud using best practices, policies, and procedures.
Certified Ethical Hacker (CEH) – Provided by EC-Council, a CEH is a professional who knows how to identify weaknesses and vulnerabilities in target systems. They are trained to use the same knowledge and tools as a malicious hacker to assess the security posture. The CEH credential certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective.
Certified Information Security Manager (CISM) – ISACA’s CISM certification is for professionals with technical expertise in IS/IT security who want to move to a management role. A CISM can add credibility and confidence to a practitioner’s interactions with internal and external stakeholders, peers, and regulators.
Certified Information Systems Auditor (CISA) – With ISACA’s CISA, security professionals validate their expertise and gain leverage to move up in their careers. CISA is globally recognized as a standard of achievement for those who monitor, audit, control, and assess information technology and business systems.
Certified Information Systems Security Professional (CISSP) – The CISSP validates that a security professional has what it takes to effectively design, implement, and manage a best-in-class cybersecurity program.
Cisco Certified CyberOps Associate – The Cisco Certified CyberOps Associate program focuses on operational skills and knowledge needed for real-world jobs in security operations centers (SOCs). SOC analysts are the front line of defense against cybersecurity threats – preventing and detecting threats to defend an organization. Certification as a cybersecurity operations associate validates the holder’s skills in this vital function.
Cisco Certified Network Associate (CCNA Security) – The CCNA Security certification validates skills and knowledge in network fundamentals, network access, IP connectivity, IP services, security fundamentals, automation, and programmability.
Cisco Certified Network Professional (CCNP Security) – The CCNP Security certification program is aligned precisely to the role of a Cisco Network Security Engineer who is responsible for security in networking devices and appliances, as well as selecting, deploying, supporting, and troubleshooting firewalls, VPNs, and IDS/IPS solutions for their networking environments.
CompTIA Advanced Security Practitioner (CASP+) – CASP+ is a hands-on, performance-based certification for practitioners at the advanced skill level. Cybersecurity managers identify what cybersecurity policies and frameworks should be implemented, and CASP+ certified professionals find a way to implement solutions within those policies and frameworks.
CompTIA Cybersecurity Analyst (CySA+) – CompTIA Cybersecurity Analyst (CySA+) is an IT workforce certification that uses behavioral analytics with networks and devices to prevent, detect and mitigate cybersecurity threats through continuous security monitoring.
CompTIA PenTest+ – CompTIA PenTest+ is designed for cybersecurity professionals tasked with penetration testing and vulnerability management.
CompTIA Security+ – CompTIA Security+ is a worldwide certification that validates the baseline skills necessary to carry out core security functions and successfully pursue an IT security career.
GIAC Certified Web Application Defender (GWEB) – The GIAC Web Application Defender (GWEB) certification demonstrates mastery of the knowledge and skills needed to handle common web application errors that lead to most security problems. GIAC Certified GWEB holders have the knowledge and abilities to secure web applications and recognize and mitigate security weaknesses in existing web applications.
GIAC Security Essentials (GSEC) – The GIAC Security Essentials (GSEC) certification proves a security professional’s understanding of data security beyond simple terminology and concepts. GSEC holders demonstrate that they are qualified for hands-on IT systems roles concerning security tasks.
Licensed Penetration Tester (LPT) – The EC-Council Licensed Penetration Tester (Master) Credential holders are among the very few industry experts that can test some of the most hardened systems in the world.
Once a practitioner has decided which certification will help them reach their next career goal, they often ask, “should I get my certification now, or should I get it later?” The answer is, “yes.” Some certifications are designed to indicate the holder possesses the basic knowledge needed to break into cybersecurity. Others demonstrate that the professional has mastered the industry’s most complex and challenging aspects.
Ideally, certifications will be added to a security practitioner’s resume as their career path progresses. They can be thought of as career path signposts. They are designed to indicate to prospective employers which forks the candidate’s career path has taken. While there is some hierarchy among the various options, they mainly identify the specialty areas within security that the holder has chosen as their career progresses.
Professional certifications allow an employer to evaluate how a candidate might best fit the organization’s needs. That’s not to say that one certification is better than another because they’re not. One certification, or a combination of certifications, could be a better fit for a specific job within a particular company. Still, a different set of certifications might be what the next employer is looking for. Choosing a certification depends entirely on the chosen career path. Even then, there can be multiple paths to the same destination.
A security professional aspiring to be a CISO for a large enterprise could come up through the ranks along a path that includes any number of parallel certifications. She could have begun her career as a pen tester or a network administrator.
Some have likened professional certifications, cybersecurity or otherwise, to the youth scouting merit badge program. One merit badge is not necessarily better than another, although having more is better than having fewer. Some are considered more difficult than others, and which ones a person earns depends on the direction their career takes.
The bottom line is that professional cybersecurity certifications are essential, and holders are becoming more sought after by employers. Not everyone needs a certification to succeed in the field, but having one or more will increase a practitioner’s employability and pave the path for advancement.