It seems that not a day goes by without another major cybersecurity breach making headlines.
A whopping 80 percent of companies expect a critical breach in 2019, according to Trend Micro’s Cyber Risk Index. Due to many factors, including increased awareness of the threat of security breaches, companies are taking a hard look at the protective structures they have in place. Many are increasing security budgets and scrambling to ramp up their internal security measures. It’s no wonder, then, that according to a report by Global Market Insights, Inc., the enterprise cybersecurity market will be worth an estimated $300 billion by 2024.
A Cybersecurity Talent Shortage
While it’s certainly true that qualified cybersecurity candidates are in high demand, it’s not the whole story. The struggle to find candidates with necessary cybersecurity skills has left many organizations unable to find the qualified talent to fill critical roles. This cybersecurity skills shortage has impacted 74 percent of organizations, according to a study by ISSA and ESG. ISACA’s 2019 State of Cybersecurity study found that hiring managers say it can take more than six months to find qualified cybersecurity candidates.
For job seekers, this talent shortage is a wake-up call. If you’re not actively working to grow your skill set, you’re likely getting passed over by other job candidates who are. Cybersecurity certifications are important for a number of reasons, including the potential for salary increases and a more marketable resume.
According to CompTIA,9 out of 10 employers agree that certifications are critical in finding the right person for the job. Earning new certifications is an excellent way to show potential employers that you’re up to speed on the latest industry threats and technologies, particularly if you’re in the earlier stages of your career.
“In general, the value of the certification is based upon the current phase in your career. For example, if you are new to an industry, holding a certification will establish a baseline of capability and knowledge,” says Christopher Gerg, Vice President of Risk Management at Gillware.
6 In-Demand Cybersecurity Certifications
Figuring out what to focus on in a sea of ever-changing cybersecurity acronyms can be overwhelming, so we’ve broken it down for you. Read below for the who, what, how, and why of a selection of the top cybersecurity certifications that are on employers’ wish lists right now:
1. CompTIA Security+
This is the perhaps the first certification IT professionals should earn. Security+ establishes the core knowledge required of any cybersecurity role, and provides a springboard to intermediate-level security jobs. It focuses on the latest trends and techniques in risk management, risk mitigation, threat management, and intrusion detection. CompTIA(the Computing Technology Industry Association) offers the certification.
Why you need it: Security+ will give you a solid foundation on which to start building your cybersecurity career.This certification also provides best practices in hands-on troubleshooting to ensure that you have practical security problem-solving skills you can use in real-life work situations.
Who it’s for:IT professionals who want to know how to address security incidents.
Skills it covers:Detection of threats, attacks, and vulnerabilities; identity and access management; installing, configuring, and deploying network components; risk management; architecture and design; cryptography & PKI. See more details here.
Jobs that use Security+:Systems administrator; network administrator; security administrator; security specialist; security engineer; junior IT auditor/penetration tester; security consultant.
How to get certified:The exam is comprised of a maximum of 90 multiple-choice and performance-based questions. Recommended experience to take the exam: CompTIA Network+ and two years of experience in IT administration with a security focus. Get more certification details here.
Accreditation & compliance details:Security+ is compliant with ISO 17024 standards and approved by the US DoD to meet directive 8140/8570.01-M requirements.
What others are saying:“The Security+ is a good foundational entry into cybersecurity, then from there, how the individual’s career goes will dictate if they go on a more technical journey or more managerial path. With that said, certifications for those with little to no practical work experience are definitely a plus,“ says Terence Jackson, CISO of Thycotic.
“Security+ demonstrates that the certified individual has a basic understanding of security principles,” says Erich Kron, Security Awareness Evangelist for KnowBe4.
2.CISA(Certified Information Systems Auditor)
This globally recognized certification, offered by ISACA (formerly known as the Information Systems Audit and Control Association), involves the auditing, control, and security of information technology and business systems.
Why you need it: In ISACA’s words: “Being CISA-certified showcases your audit experience, skills, and knowledge, and demonstrates you are capable to assess vulnerabilities, report on compliance and institute controls within the enterprise.”
Who it’sfor:IS audit control, assurance, and security professionals. Some business and governmental agency roles require CISA. ISACA says CISA is considered the “gold standard” for IS/IT certifications. Learn more about CISA here.
Skills it covers:Auditing information systems; governance and management of IT; information systems acquisition, development, and implementation; information systems operations, maintenance and service management; protection of information assets.
Jobs that use CISA: Information systems (IS) auditor; IT auditor; IS analyst; public accounting auditor; network operation security engineer; IT risk and assurance manager; internal auditor.
How to get certified:A minimum of five years of professional information systems auditing, control, or security work experience is required to become certified (substitutions and waivers are available). See the requirements for CISA certification.
Accreditation & compliance details:The American National Standards Institute (ANSI) has accredited the CISA certification program under ISO/IEC 17024:2012.
What others are saying:“For someone with an established career in information security, I would recommend the two advanced certifications— CISA and CISSP. Both require a great deal of experience in the industry and are very difficult examinations that cover a very wide range of knowledge,” says Gerg.
3. CISSP (Certified Information Systems Security Professional)
Offered by the cybersecurity and IT security professional organization (ISC)², CISSP certifies that you have the knowledge and expertise to design, develop, and manage a best-in-class cybersecurity program.
Why you need it: CISSP is arguably one of the most popular cybersecurity certifications out there. The majority of cybersecurity professionals in a survey conducted by ISCN, the Information Security Careers Network, said it was the best cybersecurity certification to have; it enabled them to perform their jobs better and it gave them real-world skills.
Who it’s for:According to (ISC)², the CISSP isn’t for everyone. It’s ideal for “experienced security practitioners, managers and executives interested in proving their knowledge across a wide array of security practices and principles.”
As Kron says, “The CISSP is designed to demonstrate that the certified individual has five or more years of information security experience.” Find out if CISSP is right for you.
Skills it covers:Security and risk management; asset security; security engineering; communications and network security; identity and access management; security assessment and testing; security operations; software development security.
The CISSP exam evaluates your expertise across eight security domains, or “topics,” that you must master based on your professional experience and education. (ISC)² has an “Ultimate Guide to CISSP”with more details about the path to certification.
Jobs that use CISSP: CISO, CIO, director of security, IT director/manager, security systems engineer, security analyst, security manager, security auditor, security architect, security consultant, network architect.
How to get certified:To qualify for this cybersecurity certification, you must pass the exam and have at least five years of cumulative, paid work experience in two or more of the eight domains of the (ISC)² CISSP Common Body of Knowledge (CBK). Some exceptions may apply, and if you don’t have the required experience yet, you can pass the exam and become an Associate of Associate of (ISC)² while you earn the required work experience.
Accreditation & compliance details:CISSP is formally approved by the U.S. Department of Defense in both their Information Assurance Technical (IAT) and Managerial (IAM) categories for their DoCC 8570 certification requirement.
What others are saying:“The (ISC)2 CISSP is still a top certification when looking for people in management or senior information security positions,” says Kron.
4. CISM (Certified Information Security Manager)
Why you need it: Security failures can result in significant loss of trust from customers, clients, employees, and other stakeholders, as well as damage to an enterprise’s bottom line as well as its reputation. Demand for skilled information security management professionals continues to rise. According to ISACA, “The uniquely management-focused CISM certification is the globally accepted standard of achievement in this area.”
Who it’s for:Information security managers and those with information security management responsibilities. CISM is a management-focused certification for those who design, build, and manage enterprise information security programs.Get a detailed overview of CISM here.
Skills it covers:The exam covers four job practice domains: information security governance; information risk management; information security program development and management; and information security incident management. Those who certify demonstrate technical competence, as well as a deep understanding of the relationship between information security programs and broader business goals and objectives.
Jobs that use CISM: Information security manager; IS/IT consultant; CIO; information risk compliance specialist; and other risk management professionals. ISACA notes that earning a CISM is considered a good path from security technologist to security manager.
How to get certified:The first step to becoming CISM certified is to take and pass the CISM certification exam, which consists of 150 questions covering four job practice domains. Exam experience substitutions may apply for CISAs and CISSPs in good standing.
Accreditation & compliance details:The American National Standards Institute (ANSI) has accredited the CISM certification program under ISO/IEC 17024:2003.
What others are saying:“If you’re not intending to perform auditing work, and instead intending to manage the information security of an organization, consider the CISM. If you’re doing the work to pass the CISA, you will likely be ready to sit for the CISM without much additional work,” says Gerg.
5.CEH (Certified Ethical Hacker)
“To beat a hacker, you need to think like a hacker.” Wise words from EC-Council(the International Council of Electronic Commerce Consultants), the professional organization that offers the CEH certification.
Why you need it:CEH is used as a hiring standard and is a core sought-after certification by many Fortune 500 organizations, governments, and cybersecurity practices. While the demand for skilled cybersecurity professionals continues to grow, it’s evolving, and the sophistication of threats requires a higher level of skill and ability—which is often where CEH certification shines. Get a detailed look at CEH here.
Who it’s for:Professional information security specialists who are interested in ethical hacking on behalf of an organization. EC-Council describes the Certified Ethical Hacker as “a skilled professional who understands and knows how to look for weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner to assess the security posture of a target system(s).”
Skills it covers:Advanced hacking tools and techniques used by hackers and information security professionals.
Jobs that use CEH: Security officers; auditors; ethical hackers; web managers; site administrators; network administrators and engineers; security professionals; any professionals concerned with network infrastructure.
Accreditation & compliance details:The C|EH exam is ANSI compliant.
How to get certified:EC-Council’s training course for certification is a good place to start. It includes over 140 labs that mimic real scenarios you might encounter in a work environment, as well as over 2,200 commonly used hacking tools to immerse participants in the hacker world. The goal of this course, in their words, is “to help you master an ethical hacking methodology that can be used in a penetration testing or ethical hacking situation.”
What others are saying:“There are a ton of cybersecurity certifications that one can go after. CEH, Security +, CISM, CISSP are among some of the most popular ones,” says Jackson.
6. OSCP (Offensive Security Certified Professional)
Who it’s for:Information security professionals interested in ethical hacking technologies, gaining real-world skills, and mastering a comprehensive and practical understanding of the penetration testing process.
Skills it covers:Write basic scripts and tools to aid in the penetration testing process; analyze, correct, modify, cross-compile, and port public exploit code; successfully conduct both remote and client-side attacks; and more.
Jobs that use OSCP: Penetration tester; security engineer; security consultant; information security analyst.
How to get certified:The only way to become certified is to complete Offensive Security’s Penetration Testing with Kali Linux (PwK) course and pass the 24-hour hands-on exam, which consists of a virtual network containing targets of varying configurations and operating systems. Get more details about OSCP here.
Why you need it:Earning your OSCP shows that you have mastered an understanding of the penetration testing process, and that you can think both outside the box and laterally. In the words of Offensive Security,“An OSCP, by definition, is able to identify existing vulnerabilities and execute organized attacks in a controlled and focused manner, write simple Bash or Python scripts, modify existing exploit code to their advantage, perform network pivoting and data ex-filtration, and compromise poorly written PHP web applications.”
What others are saying:“For penetration testers, the Offensive Security OSCP certification really tops the charts,” says Kron. He adds that some certification exams can be vulnerable to cheating, but that “because the OSCP requires hands-on demonstrations of skill in a virtual lab, and because the CISSP is governed by ISO/IEC Standard 17024, neither of these exams are easy to cheat. This means if a person holds these credentials, they genuinely have the knowledge that is expected.”
Deciding which certifications are valuable for you
Getting certified isn’t just a matter of picking them out of a hat—or earning as many as you possibly can (not to mention that that would get rather expensive). Rather, think of certifications in terms of 1) where you are in your career, and 2) the specific job roles you’re interested in or are actively applying for. Focusing on these certifications will be better aligned with your career path and help you market yourself for the jobs you really want.
As Gerg says, “There is obvious value in matching the certification to the type of work you are trying to do— the Certified Ethical Hacker and Offensive Security Certified professional certifications would be of limited value if I am trying to hire a penetration tester or security analyst for a CISO office to perform risk assessment work.”
Certifications are a piece of the puzzle
Certifications can give job candidates, particularly those starting out in the cybersecurity field, an edge when it comes to getting hired in an increasingly sophisticated field. As Kron points out, however, certification isn’t a substitute for hands-on experience. “Just because a person holds a certification, it does not automatically make them a fit for a job. That is where the resume and interview process takes over and ensures you have the right person for the job,” he says.
Certifications, while important, aren’t the be-all and end-all, so if you aren’t currently able to get certified due to financial or logistical constraints, focus on other ways to stand apart. Regardless of where you are in your career, taking advantage of learning opportunities—whether through certifications, trainings, conferences, networking events— is always going to add value to your professional career. “Cybersecurity changes at such a rapid pace that we all must be lifelong students. The moment you top being teachable, is the moment your skills will begin to atrophy,” says Jackson.
We believe the future belongs to innovators and problem-solvers. It’s our job to create connections that inspire success. That’s why we’ve spent 20+ years building strong relationships and bringing together top tech talent and forward-thinking companies. Signature Consultants joined forces with DISYS to offer a more diversified portfolio of services. Through IT staffing, consulting, managed solutions and direct placement services, we deploy thousands of consultants each year to support client’s tech needs across the U.S. Signature Consultants is also parent company to Hunter Hollis and Madison Gunn. Learn more at sigconsult.com.