Here’s what to know about the best cyber security certifications and how they’ll benefit your career
As a cyber security professional, you’ve likely found yourself pondering the benefits of cyber security certifications a time or two. Heck, you’re likely doing so right now since you’re here reading this article. But what are considered the top cyber security certifications? And are they worth the time, effort, and money that you put into them?
Considering that last week was National Cybersecurity Career Awareness Week, and because we’re all for educating about cyber security throughout the rest of the year, it’s only fitting that we address this question head-on. We’ll break down some of the best options for cyber security experts who want to get certifications. This list includes advanced certifications as well as cyber security certifications for beginners. We’ll also share insights from industry experts and hiring managers about how cyber security certifications impact hiring considerations and job opportunities.
Let’s hash it out.
Do I Need a Cyber Security Certification?
Well, I personally can’t speak for you in terms of determining your individual goals or what the needs of your organization are. But what I can tell you is that a whopping 85% of IT professionals report having at least one certification. That means that more than four out of five job applicants hold at least one certification, according to Global Knowledge’s 2019 IT Skills and Salary Report, a survey of 12,271 completed responses from companies around the world.
That’s a whole lot of high-level competition. But what makes this even more challenging is that many pros actually hold multiple certifications — and these certifications can equate to big money in terms of salaries. After all, not all professionals stay within the same niche area. Many cyber security experts transition from one specialty to another to meet the skills gaps that exist within their organizations. To do this, they often seek out cyber security certification programs to bolster their expertise and resumes.
So, what types of cyber security certifications would help keep you on par with or a step ahead of your peers?
The Best Cyber Security Certifications — According to the Experts
Since I’m no cybersecurity certification expert — nor am I an IT hiring manager (although I’d sure love the paycheck that goes with that type of role) — I thought it best to leave these types of decisions to the experts. So, I asked some industry pros for their thoughts.
Michael Wylie serves as director of cybersecurity services at Richey May Technology Solutions in the United States. Wylie, the winner of the SANS Continuous Monitoring and Security Operations challenge coin, developed and taught a variety of courses for the U.S. Department of Defense, DEFCON, California State Universities, and for other institutions and clients around the world. He holds the following credentials: CISSP, CCNA R&S, CCNA CyberOps, GPEN, GMON, TPN, CEH, CEI, VCP-DCV, CHPA, PenTest+, Security+, Project+, as well as others.
Andrew Jenkinson serves as group chief executive officer at Cybersec Innovation Partners in the United Kingdom. In his role, Jenkinson leads a team of cybersecurity consultants and industry experts who help businesses and organizations with risk mitigation through next-gen public key infrastructure identity and certificate management solutions. He has more than 25 years of experience in technology and risk management, and has served as an entrepreneur, founder, and consultant for several businesses.
Edward Hart is a senior certificate engineer at a major financial institution. As a retired U.S. Marine Corps Information Assurance and Management Officer, he is a seasoned information security and cyber security automation professional with more than 20 years of deep automation experience. Prior to working at his current institution, Hart worked for Cigna as a PKI automation subject matter expert and VMware as their contract vApp security consultant.
Ross Thomas serves as IT Manager at The SSL Store. In his role, Thomas monitors and maintains the store’s IT infrastructure, network, technologies, and cyber security defenses to ensure uptime and smooth operations. He has more than 20 years of experience in the tech industry and has served in IT Administrator roles for about 15 years.
What Cyber Security Certifications Do You Consider the Most Valuable and Why?
The general consensus across the board is that the most valuable cyber security certifications depend on the particular job and its area(s) of specialty.
Jenkinson says that as far as cyber security certificates go, a CISSP is ideal for many applicants because it’s simply more accepted than many other certifications.
Wylie takes it a step further:
“Cybersecurity is a general term. Within Cybersecurity, we have many different roles and unique skills. Depending on the role of an employee, some Cybersecurity certifications would be expected while others would add little to no value. For example, if I was looking for a Penetration Tester and they had Security+, CCNA CyberOps, CISA, CySA+, etc., none of those certifications would add substantial value or make me think they were a good fit for the role. It would actually raise a red flag of why they were obtaining certifications in completely different subsets of Cybersecurity. I’d want to see OSCP, GPEN, PenTest+, GXPEN, and CISSP or CISM from a Penetration Tester. Conversely, if I had an opening for a Junior Cybersecurity Analyst or Engineer, I’d want to see certifications such as Security+, CCNA CyberOps, CEH, CySA+, CASP, etc. According to the certifying bodies, a junior security person cannot obtain a CISSP or CISM without extensive experience and being vouched for by other active certification holders. The industry has become so segmented and the market is flooded with certifications that employees need to be strategic with which certifications they get and what combination makes sense for their ideal role.”— Michael Wylie
“CISSP. Yeah, it’s good and all… but takes a long time. True value. Best? Maybe… In the PKI world, if that’s the space you want to be in, VSA19 [Venafi Security Administrator] gets you attention and might, maybe get you an interview. Low cost; high value… So, that’s why and where I went.”— Edward Hart
“There are a lot of different parts of the security related IT field, so it really depends on what position you are hiring for. When you talk about general IT administrator, things like the CompTIA A+, Net+, and Security+ would be a good baseline set of certifications to help understand near most of all facets within the IT world. Understanding how things work on a fundamental level allows a person to have great insight into those things concerning strengths and weaknesses (security related, too). If the hiring position is for a network engineer, Cisco Certifications of CCNA, CCNP or the highly coveted CCIE would be attractive as Cisco is sort of the (arguably) de facto standard for TCP/IP communication. The Cisco certs as well as CISSP (Certified Internet System Security Professional), CISM (Certified Information Security Manager) and CISA (Certified Information Systems Auditor) would be highly touted for any professional’s resume.”— Ross Thomas
Does Having One or More Certifications Make an Applicant More Desirable Than Candidates Who Lack Them?
“The cybersecurity industry is flooded with certifications and it’s often confusing for newcomers to navigate the sea of options. As a hiring manager, seeing a single cybersecurity certification doesn’t give me confidence that the applicant is a subject matter expert. Seeing multiple certifications helps paint a picture of the applicant’s base level of knowledge and what I can expect out of him/her if hired.”
“Certifications also tell me the applicant is invested and driven in his/her job as the studying and test taking can be grueling. The cybersecurity industry is quickly evolving and I need to know an applicant is willing/able to digest new information.”— Michael Wylie
“It would always be better to have them than not — they really can’t hurt your chances, but certifications are not necessarily an overall advantage. If a 50-year-old network engineer with 30+ years in the industry with no certifications is applying versus a 21-year-old with two certifications, the experience will likely win out here. This is not a hard-and-fast rule, but experience is worth A LOT in this industry — more so than education, in my opinion, and I have plenty of education within this industry (I also have experience, too).”— Ross Thomas
Is There a Time When Experience is More Important Than Certifications, or Vice Versa?
“Experience is always more important, in my opinion.”— Andrew Jenkinson
“Depends on the experience and depends on the certifications, really. I would say there is no 1:1 relation. Experience is often best but for those that are not experienced, certifications would be the way to stay competitive in the job market. Certifications, in a sense, are experience as many of the processes to get a certification have lab-like processes and aim to get hands dirty. They just often comb over all features and facets, but applying that knowledge through production experience is another valuable thing altogether.”— Ross Thomas
Have Any Certifications Helped You Get a Job or Move Up in Your Career? If So, Which Certification(s) and Why?
“While certifications are not mandatory, they help prove that the basics are understood. I have taken and passed the following cybersecurity certifications in the past six years: CISSP, CCENT, CCNA R&S, CCNA CyberOps, GPEN, GMON, TPN, CEH, CEI, VCP-DCV, CHPA, PenTest+, Security+, Project+, Splunk user, Sumo Logic Security Analytics, and more. These certifications have given me a roadmap to learning new skills and allowed me to market myself to customers, employers, and colleagues. Having certifications also allows me to benchmark salary, title, and expectations for myself.”— Michael Wylie
“Most of my professional education has come in the form of schooling, graduate schooling and, of course, experience. That usually turns heads. I have had a CCNA at one point and that is usually pointed out when talking to hiring managers. That, coupled with experience, usually will make me a contender.”— Ross Thomas
“I am just an in-the-trenches kinda guy. I cannot tell you what an HR person might want in terms of creds. But I can give my best guess as to why Cigna was attracted to bring me into certs, why [my current institution] was DEFINITELY interested in me, and what I am doing for the next job.”— Edward Hart
Some of the things that Hart says he believes helped him are that he has:
- a (now-lapsed) Sec+ credential that was helpful for working on cybersecurity automation for a DoD contract.
- experience with the Venafi platform, both at the sysadmin and coding levels.
- a VSA19 certification.
When Evaluating Applicants, Is It a Deal Breaker When Someone Who Applies for a Cyber Security Job Doesn’t Have a Cybersec Certification?
“In short, probably not but may depend on individual philosophy. Professionals who are confident in their abilities may feel that their processes and knowledge are worth passing on. Entry level jobs, for example, will obviously come with a lot of training so it may just depend if both sides are up to the task (teaching and learning). If someone is applying for an advanced position, having the experience is easily replaceable for lack of certifications.”— Ross Thomas
What Certifications Do You Look for When Hiring Experts for Your Own Teams?
“We have a small team of security professionals at Richey May Technology Solutions that help a wide variety of customers from Mortgage to Entertainment, which makes it challenging finding the right candidates that can pivot as needed. Seeing a candidate with certifications around tools our customers use or challenges they are facing is definitely a plus. The top certifications we get excited about seeing at Richey May Technology Solutions are: CISSP, CEH, AWS-CSA, TPN, and Microsoft Azure Admin.”— Michael Wylie
“Within an IT/systems administrator purview, Microsoft related certifications would be an advantage. Whether it would be MCSE or MCSA. Since we do a lot of cloud computing, AWS or Azure certs, SysOps Admin or Cloud Practitioner would certainly be a leg up.”— Ross Thomas
What Advice Would You Give Someone Who is Looking to Start a Career in the Cyber Security Industry or Transition from Another IT-Related Specialty?
“For those starting off, I usually do recommend trying to focus on an aspect of the industry and, yes, go for certs. Experience = work x time. It’s probably a more complicated formula than that, heh. As a 38-year-old with 20+ years in the industry, I have more experience than, say, a 20-year-old breaking into the industry. If you get the certs and understand the content, or express willingness to learn, and you get a job, you will eventually be a certified and experienced professional. That’s the best path to high level success assuming that is the goal.”— Ross Thomas
“Decide which area you want to go into, immerse yourself, ensure you can add value and if you are looking for a 9-5, don’t do it!”— Andrew Jenkinson
Niche Specialties Are Among the Most Popular Cyber Security Certifications
Unsurprisingly, the most popular certification category for IT professionals worldwide is Cybersecurity, Governance, Compliance, and Policy, according to Global Knowledge’s skills and salary report. Following this, the most popular certifications after cyber security for IT experts in North America come from:
- Cisco — Cisco provides an assortment of certifications to match your level of experience. The CCNA Security and CCNA Cyber Ops programs help to build a solid foundation for those with little to no experience in the industry. Those who are further along can engage in Cisco’s CCNP Security and CCIE Security training and certifications.
- CompTIA — Among the best-known cyber security certifications CompTIA offers is the Security+. It isn’t quite for beginners: it’s best that candidates have at least two years’ experience as an IT admin and complete their CompTIA Network+ certification before attempting this exam.
- Microsoft — Microsoft offers certifications for varying levels of professionals, including their Microsoft Technology Associate (MTA) Security Fundamentals. It’s a great entry-level certification for those who are new to cybersecurity or are looking to switch careers.
What’s nice to see is that specialized certifications are also becoming increasingly popular among IT professionals. Brad Puckett, global product director for cybersecurity at Global Knowledge, shared in a Forbes article the following list of the most sought-after cyber security certifications:
But what if these certifications aren’t for you, or you don’t yet feel ready to pursue them? Don’t worry — you have many other options. It’s just a matter of knowing where to look.
Other Organizations and Institutions Offering Cyber Security Certifications and Training
There are a variety of organizations offering cyber security certifications. But aside from the big names — companies and industry organizations like CompTIA, Microsoft, (ISC)2, ISACA, EC-Council, Cisco, etc. — how do you know who’s reputable? Here are a few worth noting:
Global Information Assurance Certification
The Global Information Assurance Certification (GIAC) is a global agency that’s dedicated to teaching professionals about cyber security best practices. Because GIAC is an affiliate of the SANS Institute (more on them shortly), it partners with the institute for certification exam prep training. They also offer a variety of cyber security resources for federal employees and human resources (HR) professionals.
Offensive Security
Offensive Security is a well-known training resource for many leading technology companies and government organizations. With their offensive rather than defensive approach to cyber security, their training focuses on teaching users to use the same techniques and tools as hackers. Their goal is to help level the playing field between your organization’s defenders and its assailants with trainings like:
- Penetration Testing with Kali Linux (PWK)
- Advanced Web Attacks & Exploitation (AWAE)
- Cracking the Perimeter (CTP)
- Advanced Windows Exploitation (AWE)
- Wireless Attacks (WIFU)
One of the biggest benefits? No continuing education credits are required for Offensive Security students to maintain their certifications.
SANS Institute and SANS Technology Institute
While these sound like they’re the same — and, yes, they are related — these are actually two separate things. Let me explain:
The SANS Institute is an information security training and certification preparation institute for IT professionals. Highly trusted by pros and industry experts worldwide, the institute offers a variety of trainings in various formats, although, as I mentioned earlier, the certification exams themselves are offered through GIAC.
SANS Technology Institute
The SANS Technology Institute takes the SANS Institute/GIAC cyber security certifications for professionals and goes the academic route. Their certifications are actually college and university certificate programs. For example, they offer undergraduate and master’s degree certificates.
The U.S. Government
For U.S. cyber security professionals, Uncle Sam offers cyber security training for you as well. The National Initiative for Cybersecurity Careers and Studies (NICCS) offers a robust catalog of more than 3,000 cyber security and cyber security-related courses. The courses align with specialty areas within the National Cybersecurity Workforce Framework.
There are many other organizations that offer cyber security certifications. And what makes many of these industry certifications attractive is that you can get most cyber security certifications online.
Why Are Cyber Security Certifications Important?
The answer to this question depends on whom you talk to. For some, it comes down to being able to find qualified staff who have the necessary knowledge and skills to meet daily organizational and client needs. For others, it comes down to helping their organization increase productivity and reduce downtime when excrement hits the proverbial fan.
Cyber Security Certifications are Profitable — Both for You and Your Employer
It’s no secret that job candidates who have both experience and expertise are going to excel in their careers. But did you know that cyber security pros frequently make more than their colleagues who work in other IT professions? Nine percent more, in fact, according to research. The average salaries of cyber security pros differ depending on the source. For example, Glassdoor currently reports the national average annual base pay as $92,767, whereas ZipRecruiter lists it as $107,172 per year.
Data from Global Knowledge’s report indicates that certifications matter because “certified personnel are better at their jobs, and the value is undeniable.” Just how valuable are we talking about here? Sixty-three percent of survey respondents said the annual economic benefit of having employees with certifications exceeds $10,000 — 22% of that group say it’s more than $30,000.
The Cyber Security Skills Gap is Growing
According to the 2019 (ISC)2 Cybersecurity Workforce Study, a lack of skilled or experienced cyber security personnel is a major concern among cyber security professionals. There may be as many as 3.5 million unfilled cyber security positions by 2021, according to research from Cybersecurity Ventures. The cyber security research organization estimates that “the number of unfilled cybersecurity jobs is expected to grow by 350 percent, from one million positions in 2013 to 3.5 million in 2021.”
And of those who are applying for jobs within the industry? Fewer than 25% are even qualified for the positions they’re trying to get, according to MIT Technology Review. Which leads me to my final point…
Cybersec Certifications May Give You a Leg Up Over Other Job Applicants
A cybersecurity certification is something that helps you stand out from other experts who share similar levels of knowledge and experience. That said, the overall job outlook in the cybersec industry as a whole is very promising right now.
In its 2019 cyber security workforce study report, (ISC)2 estimates that the cybersec workforce — which is thought to include about 805,000 experts in the U.S. and a total of 2.8 million people globally — is enjoying a 0% unemployment rate. That’s definitely a plus considering that the most recent national unemployment rate (across all industries) reported in the U.S. for October 2019 is 3.6%, and the most recent World Economic Outlook data from October 2019 from the International Monetary Fund (IMF) puts Australia at 5.1%, France at 8.6%, and the United Kingdom at 3.8%.