Cyber Security Certifications: The Guide for Future InfoSec Pros
There are plenty of good reasons to consider a career in cyber security. Businesses and organizations depend heavily on information technology (IT) and know it’s critical to keep their data secure—and out of the news. Because of this, the prospects for cyber security professionals are likely to remain strong. In fact, the Bureau of Labor Statistics (BLS) projects employment of information security analysts to grow 28 percent from 2016 to 2026, and reports a 2018 median annual salary of $98,350.1
That’s music to the ears of any aspiring IT security professional, but figuring out the path to pursuing one of these positions is far from clear-cut. While obviously a college education and hands-on IT experience are a good place to start, there’s also a wide array of cyber security certifications you may want to obtain throughout the course of your career. Unfortunately, these certification options can be a dizzying mess to make sense of for someone just getting started.
Your guide to cyber security certifications
While there’s likely no universally agreed-upon “perfect mix” of certifications for information security professionals, we’re here to help you make sense of your options. In this article, you’ll get a feel for how the industry views these credentials, explore some of the top InfoSec certifications and help you map out your potential IT security certification path from the beginner level on up.
Things to consider before pursuing cyber security certifications
Prior to diving in, there are a few major points raised by information security professionals you should keep in mind:
You don’t need to be a “collector” to succeed: Earning a relevant certification is good. So obviously that means you should earn every IT security certification and credential you lay your eyes on, right? Not so fast! Aaron Birnbaum, chief security officer at Seron Security, believes some people put a little too much stock into the value of certifications.
“This is not an industry where you can say you have a lot of certificates and that would be grounds for hiring,” Birnbaum expains. “You must have real, hands-on experience, using tools and methods to achieve your IT security goals.”
Sort of like spending hours upon hours chasing a 100 percent completion score in an open-ended video game, at a certain point the returns diminish beyond your own personal satisfaction. With this in mind, it’s better to narrow your focus to certifications that realistically fit your career goals.
Time is on your side: Earning certifications in this industry is not a race and you’re likely better served taking a more deliberate approach. Marty Puranek, CEO of Atlantic.net, says it’s better to be sure than to pursue certifications haphazardly.
“I’ve always suggested avoiding certifications until you know it’s an area you want to devote time to and continue working and improving yourself on,” he advises.
There’s not a huge rush—many advanced certifications are designed for those with years of experience. Spend that time learning about the industry and identifying where you’d like to narrow in on career advancement.
Certifications work best as stepping-stones: Christopher Gerg, CISO and vice president of cyber risk management for Gillware, says a certification’s value can vary depending on where you’re at in your career.
“In general, the value of the certification is based upon the current phase in your career,” Gerg says.
To maximize the effectiveness and value of a certification, you’ll want to think a step ahead of where you currently are in your career. If you’re looking for your first information security-focused role, an entry-level certificate makes sense as it can help open doors and demonstrate that you understand the basics.
On the flip side, if you’re already established in a security role, an entry-level certification won’t be as valuable because you’ll have demonstrated work experience to highlight instead.
“I’ve found that as my career has progressed, my resume has provided the same value, and the need for certifications has diminished,” Gerg says.
For information security professionals who are more established in their roles, you’re better off pursuing certifications that branch out into an area you’d like to pursue, as advanced certifications tend to be more narrowly applicable.
“There is also obvious value in targeting the certification to the type of work you are trying to do,” Gerg says.
For instance, if you’d like to someday work as a chief information security officer or other high-level management role, a certification focused on ethical hacking or penetration testing probably won’t be your best use of time.
Cyber security certifications for beginners
Just getting started in IT security? You’ll want to consider these security certifications. The good news is that depending on your IT experience, you may already have some of these under your belt:
While not strictly focused on information security, this foundational certification sets the stage for IT professionals by confirming they know the ins and outs of networking. Cyber security requires a strong grasp of how networks operate and their potential vulnerabilities—and this certification proves you know how to walk before running.
This is a solid, vendor-neutral IT certification that can be useful for a variety of networking roles. It’s worth noting that this is not strictly an information security certification, so the subject matter will be somewhat broad.
Requirements: While open for anyone to take, CompTIA recommends applicants possess the CompTIA A+ certification and at least 9-12 months of experience working in networking.
The CCNA Routing and Switching credential is another foundational certification option for those looking to branch into information security. This Cisco-centric certification helps demonstrate candidates’ advanced knowledge of network fundamentals, LAN and WAN technologies and other key network infrastructure. Again—this is not a strictly security focused credential, but the topics covered provide a great springboard for future credentials. This credential can be earned by passing a single comprehensive test or by completing two separate tests (the first test corresponds to earning the entry-level Cisco Certified Entry Networking Technician (CCENT®) credential.)
The CCNA Routing and Switching certification is well-established and administered by a respected organization in the industry. “I have found the CCNA to be of very high value both personally as well as professionally,” Gerg says. “I learned a lot of fundamental knowledge about networking and IPV4 in general—which has paid great dividends in my career.”
Requirements: The CCNA Routing and Switching credential has no prerequisites and is open for anyone to take. That said, you’ll want to build networking experience and study diligently to be successful.
This credential from CompTIA is a common starting point for networking professionals seeking to bolster their information security resumes. This certification exam covers fundamental information security topics like common threats and vulnerabilities, technologies used, systems architecture, access management, cryptography and risk management.
For those seeking a credential to potentially open doors for them, the Security+ certification is sought after for many government IT and government contracting jobs. It requires a relatively small investment to complete, so it’s an attractive option for any IT professional looking to branch out into a more security-focused niche.
Requirements: There are no formal prerequisites for sitting to take this test, though CompTIA recommends completion of the Network+ credential and two years of IT experience focused on security. The test features a maximum of 90 questions and is administered over the course of 90 minutes.
The Systems Security Certified Practitioner (SSCP) credential from (ISC)2® is a great option for networking professionals looking to develop their hands-on security knowledge. The certification covers topics such as access controls, network structure, security operations, risk monitoring, response and recovery processes, cryptography and countering malicious code.
Requirements: To be eligible for this certification, the (ISC)2 says candidates must have a minimum of one year cumulative paid work experience in one of the seven “domains” covered in the test or a degree in cyber security or a related program. Alternatively, candidates who don’t meet these requirements can still sit for the test and, if they pass, enter a two-year “associate” period to fulfill the experience requirements.
Intermediate cyber security certifications and credentials
Looking for your next step after getting yourself established in an IT security role? The following information security certifications and credentials are a great fit for mid-level cyber security professionals and beyond.
Not all cyber security threats are easily thwarted by firewalls and simple security tools. Some require an analytical approach to truly defend against. CompTIA’s Cybersecurity Analyst (CySA+) credential focuses on the advanced skills needed to do this. Topics covered in this exam include threat management, addressing vulnerabilities, security architecture and incident response best practices.
Requirements: No required prerequisites, though CompTIA recommends applicants with Security+, Network+ or equivalent knowledge along with three to four years of hands-on information security experience. The test features a maximum of 85 questions and is administered over 165 minutes.
The next logical step for security professionals on the Cisco certification path, this CCNA variant is a popular option for those getting established on an information security track. This credential focuses on seven topics: security concepts, secure access, VPNs, secure routing and switching, Cisco firewall technologies, IPS, and content and endpoint security.
Requirements: The CCNA Security credential requires applicants to have a valid CCENT, CCNA Routing and Switching or any CCIE certification in order to sit for the test.
The CEH credential remains one of the most well-known credentials for information security professionals looking to focus their careers on penetration testing and other offensive security work. This credential focuses on the technologies and tactics used by hackers and the measures commonly used to counter them. This credential can be a solid entry-level option for would-be penetration testers and is relatively easy to obtain for experienced information security professionals.
Requirements: The CEH credential requires two years of work experience in information security or completion of an official training program.
Advanced cyber security certifications and credentials
The following certifications are some of the most demanding in the industry. They also provide an impressive feather in the cap of anyone seeking senior-level security roles or to break into highly specialized positions like systems auditing or penetration testing.
The CISA certification is a respected and popular choice for any IT security professional interested in focusing on audit work. The certification is earned by passing a test covering five “domains” that include topics like information systems auditing processes, IT governance, information systems acquisition development and implementation, and the protection of information assets.
This is a challenging and well-regarded certification for a specialized IT security focus area. The CISA is sought after by some large financial service firms as IT auditing plays an important role in financial auditing. The bar for requirements and “upkeep” of this credential is relatively high. Value may be limited outside of audit-focused roles.
Requirements: CISA applicants must have an equivalent of five years of professional experience working with information systems, though some requirements may be fulfilled by academic credentials. It should be noted that you can still sit for the exam prior to meeting these experience requirements—the CISA designation is just delayed until they are fulfilled. Additionally, CISA holders must adhere to a code of professional ethics and complete yearly continuing professional education hours to maintain their credential.
Designed for information security professionals aiming for upper-tier roles—think Chief Information Security Officer or director-level positions—the CISSP is considered one of the top comprehensive cyber security certifications. Those who possess this qualification have demonstrated their mastery of eight key “domains” including: Security and Risk Management, Asset Security, Security Architecture and Engineering, Communication and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security.
“If you want to be the CISO … or are trying to get a higher level management position, then having the CISSP is probably a good idea,” Birnbaum says. He goes on to explain that for all other infosec professionals, obtaining this credential will likely not be relevant to their professional goals.
Requirements: Candidates for the CISSP must have a minimum of five years paid work experience in two or more of the eight domains covered by the test. College education and other select certifications can also be used to satisfy some of these experience requirements.
This rigorous offensive security-focused credential is a great way to demonstrate your mastery of this area. The certification requires applicants to complete a penetration testing course (complete with virtual lab practice time) and a 24-hour hands-on exam that mimics a real-world approach to offensive security. Candidates gather information about the virtual network, identify potential vulnerabilities and execute attacks or exploits—culminating in a comprehensive report on their finding.
“The Offensive Security Certified Professional (OSCP) certification is probably the most respected by other security practitioners,” Birnbaum says. The hands-on, applied nature of the exam closely aligns with actual work.
Requirements: The OSCP requires “a solid understanding of TCP/IP, networking, and reasonable Linux skills are required. Familiarity with Bash scripting along with basic Perl or Python is considered a plus.”
Find the right cyber security certification for you
While this list is by no means comprehensive, you should now have a much better understanding of common cyber security certifications and where they can potentially fit into your career goals. With so many information security certifications out there, you might be wondering whether earning a Cyber Security degree is necessary.
Don’t be too quick to dismiss the idea—there are several good reasons for pursuing a degree as you get started in the field. Take a closer look in our article “Is a Cyber Security Degree Worth It? The Facts You Can’t Ignore.”
1Bureau of Labor Statistics, U.S. Department of Labor, Occupational Outlook Handbook, [accessed June, 2019] www.bls.gov/ooh/. Information represents national, averaged data for the occupations listed and includes workers at all levels of education and experience. Employment conditions in your area may vary.
CompTIA, CompTIA Network+, CompTIA Security+, and CompTIA Cybersecurity Analyst (CySA+) are registered trademarks of CompTIA Properties, LLC.
Cisco, Cisco Certified Network Associate (CCNA), and Cisco Certified Entry Networking Technician (CCENT) are registered trademarks or trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Certified Information Systems Auditor (CISA) is a registered trademark of ISACA.
Systems Security Certified Practitioner (SSCP) and Certified Information Systems Security Professional (CISSP) are registered certification marks of (ISC)², Inc.
Certified Ethical Hacker is a registered trademark of The International Council of E-Commerce Consultants (EC-Council).
Offensive Security Certified Professional (OSCP) is a registered trademark of Offensive Security, LLC.