Katy Morgan

Top 5 Information Security Certifications 2018


The year 2017 marked another milestone for information security: more breaches, more significant losses, more coverage and more job opportunities for IT professionals. According to a Cyber Seek report, the number of cybersecurity job openings in the USA stands at just over 286,000. Projections continue to be robust further out: CSO expects that number to hit 500,000 by 2022, with more than 3 million cybersecurity jobs open for the rest of the world that same year.


When evaluating prospective InfoSec candidates, employers frequently look to certification as an essential measure of excellence and commitment to quality. We examined five InfoSec certifications we consider to be leaders in the field of information security today.

This year's list contains entry-level credentials, such as Security+ and GIAC Security Essentials, as well as more advanced certifications, such as the CEH, CISSP, and CISM. We also offer some additional certification options in the last section that covers choices outside our top five, because the field of information security is both varied and broad, with lots of other options.


Security-related job roles cover a lot of ground, such as information security specialist, network security administrator, security analyst, system administrator (with security as a responsibility) and security engineer, as well as specialized roles such as malware engineer, intrusion analyst, and penetration tester. Average salaries for information security specialists and security engineers, two of the most common job roles, vary broadly depending on the source. For example, Simply Hired reports USD124,000 for specialist positions, whereas Glassdoor's national average is just under USD78,000. For security engineers, Simply Hired reports USD96,000, with Glassdoor's average at USD86,000.



If you are serious about developing your career in the IT field and are interested in specializing in security, certification is an excellent choice. It is an effective way to validate your skills and show a current or prospective employer that you're qualified and adequately trained.


Before examining the details of the top five InfoSec certifications, check the results of our informal job board survey. The data shows the number of job posts nationwide in which our featured certifications were mentioned on a given day. The data should give you an idea of the relative popularity of each certification.


1) CEH: Certified Ethical Hacker

Hackers are innovators and continuously find new ways to attack information systems and exploit system vulnerabilities. Savvy businesses proactively protect their information systems by employing the services and expertise of IT professionals skilled in beating hackers at their own game. Such professionals use the very skills and techniques hackers themselves use to identify system vulnerabilities and access points for penetration, in order to prevent hackers' unwanted access to network and information systems.


The Certified Ethical Hacker (CEH) is an intermediate-level credential offered by the International Council of E-Commerce Consultants (EC-Council). It's a must-have for IT professionals pursuing careers in ethical hacking. CEH credential holders possess skills and knowledge on hacking practices in areas such as footprinting and reconnaissance, scanning networks, enumeration, system hacking, Trojans, worms and viruses, sniffers, denial-of-service attacks, social engineering, session hijacking, hacking web servers, wireless networks and web applications, SQL injection, cryptography, penetration testing, evading IDS, firewalls, and honeypots.


To obtain the CEH certification, candidates must pass one exam. Candidates may self-study for the exam but must submit documentation of at least 2 years of experience in information security with employer verification. Self-study candidates are expected to pay an additional USD100 application fee. Education may be substituted for knowledge, but this is approved on a case-by-case basis.


Because technology in the field of hacking changes almost daily, CEH credential holders are expected to earn 120 continuing education credits for each three-year cycle.


2) CISM: Certified Information Security Manager

The Certified Information Security Manager (CISM) is a top credential for IT professionals responsible for managing, developing and overseeing information security systems in enterprise-level applications, or for developing best organizational security practices. The CISM credential was introduced to security professionals in 2003 by the Information Systems Audit and Control Association (ISACA).


ISACA's organizational goals are specifically geared toward IT professionals interested in the highest quality standards concerning the audit, control, and security of information systems. The CISM credential targets the needs of IT security professionals with enterprise-level security management responsibilities. Credential holders possess proven and advanced skills in security risk management, program development and management, governance, and incident management and response.


Holders of the CISM credential, which is designed for experienced security professionals, must agree to ISACA's Code of Professional Ethics, pass a comprehensive examination, possess at least 5 years of security experience, comply with the Continuing Education Policy and submit a written application. Some combinations of education and experience may be substituted for the experience requirement.



ISACA members who register early pay USD500 for the exam; nonmembers pay USD710 for early registration. The regular registration fee is USD550 for members and USD760 for nonmembers. The CISM credential is valid for three years, and credential holders must pay an annual maintenance fee of USD45 (ISACA members) or USD85 (nonmembers). Credential holders are also required to obtain a minimum of 120 continuing professional education (CPE) credits over the three-year term to maintain the credential. At least 20 CPEs must be earned every year.


3) CompTIA Security+

CompTIA's Security+ is a well-respected, vendor-neutral security certification. CompTIA Security+ Certification holders are recognized as possessing superior technical skills, broad knowledge and expertise in multiple security-related disciplines.


While Security+ is an entry-level certification, successful candidates should possess at least 2 years of experience working in network security and should consider first getting the Network+ certification. IT pros who earn this certification possess expertise in areas such as threat management, cryptography, identity management, security systems, security risk identification and mitigation, network access control, and security infrastructure. The CompTIA Security+ credential is also approved by the U.S. Department of Defense to meet Directive 8570.01-M requirements.


The Security+ credential requires a single exam, currently priced at USD320.


IT professionals who earned the Security+ certification before Jan. 1, 2011, remain certified for life. Those who certify after that date must renew the certification every 3 years to stay current. To renew, candidates are required to pass the most current CompTIA Security+ exam, pass a higher-level CompTIA exam or complete 50 continuing education units (CEUs) before the expiration of the three-year period. CEUs can be obtained by engaging in a variety of activities, such as teaching, blogging, publishing articles or white papers, and participating in professional conferences and similar activities.


4) CISSP: Certified Information Systems Security Professional

The Certified Information Systems Security Professional (CISSP) is an advanced-level certification for IT pros serious about careers in information security. Offered by the International Information Systems Security Certification Consortium, known as (ISC)2 and pronounced ISC squared, this vendor-neutral credential is recognized worldwide for its standards of excellence.


CISSP credential holders are decision-makers who possess expert technical skills and knowledge necessary to develop, guide and then manage security standards, policies and procedures within their organizations. The CISSP continues to be highly sought after by IT professionals and well recognized by IT organizations. It is a regular fixture on most-wanted and must-have security certification surveys.


CISSP is designed for experienced security professionals. A minimum of 5 years of experience in at least two of (ISC)2's eight Common Body of Knowledge (CBK) domains, or four years of experience in at least two of (ISC)2's CBK domains and a college degree or an approved credential, is required for this certification. The CBK domains are Security and Risk Management, Asset Security, Security Engineering, Communications and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security.


(ISC)2 also offers three CISSP concentrations targeting specific areas of interest in IT security:


CISSP concentration exams are USD599 each, and credential seekers must currently possess a valid CISSP.


An annual fee of USD85 is required to maintain the CISSP credential. Recertification is required every three years. To recertify, candidates must earn 40 continuing professional education (CPE) credits each year for a total of 120 CPEs within the three-year cycle.


5) GSEC: SANS GIAC Security Essentials

Another excellent entry-level credential is the GIAC Security Essentials (GSEC), designed for professionals seeking to prove that they not only understand information security terminology and concepts but also possess the skills and technical expertise necessary to occupy hands-on security roles. GSEC credential holders have technical skills and knowledge in areas such as identifying and preventing common and wireless attacks, access controls, authentication, password management, DNS, cryptography fundamentals, ICMP, IPv6, essential public infrastructure, Linux, network protocols and network mapping.


Currently priced at USD1,699, the GIAC Security Essentials exam is quite a bit more expensive than the Security+ exam.

GSEC certification must be renewed every 4 years. To renew, candidates must accumulate 36 continuing professional education credits (CPEs). GIAC offers several ways to meet the CPE requirement. Some options are passing the current certification exam (worth 36 CPEs), attending or teaching approved courses, and publishing books, articles or research papers. Also, credential holders must pay a certification maintenance fee of USD429 every four years.
