Cybersecurity certifications provide security professionals with relevant education for starting or growing in a career path, and can help meet compliance or cybersecurity insurance requirements. They typically involve taking an examination with a set number of questions and minimum passing requirements. Professionals might earn a certification to learn more about security for a career change, become an independent penetration tester or ethical hacker, or be more active in their organization’s cyber strategy as an executive. Enterprise Storage Forum recommends the following top 10 certifications as the best in the industry for security personnel.
Best Cybersecurity Certifications
- Certified Information Systems Security Professional (CISSP)
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)
- Certified Ethical Hacker (CEH)
- CompTIA Security+
- GIAC Security Essentials Certification (GSEC)
- Systems Security Certified Practitioner (SSCP)
- CompTIA Advanced Security Practitioner (CASP+)
- GIAC Certified Incident Handler (GCIH)
- Offensive Security Certified Professional (OSCP)
- Bottom line: Best cybersecurity certifications
1. Certified Information Systems Security Professional (CISSP)
The CISSP, offered by the International Information System Security Certification Consortium (ISC)2, is one of the most well-recognized and accepted cybersecurity certifications. The CISSP is for experienced professionals looking to design and lead corporate cybersecurity programs.
The CISSP curriculum revolves around the (ISC)2 Common Body of Knowledge, which has eight areas of expertise:
- Security and risk management (15%)
- Asset security (10%)
- Security architecture and engineering (13%)
- Network and communication security (13%)
- Identity and access management (13%)
- Security assessment and testing (12%)
- Security operations (13%)
- Software development security (11%)
A CISSP certification is valid for three years; holders must earn continuing professional education credits each year and recertify at the end of the three-year cycle.
The exam fee was $749 as of 2021; training course pricing varies based on such factors as team size. Contact the provider for more up-to-date pricing information.
CISSP candidates must have at least five years of total work experience in paid positions that focus on two or more of the eight CISSP knowledge domains. They must also pass a four-hour, 125 to 175 question test with a minimum score of 700 out of 1000. The exam uses computer-adaptive testing methodology.
Those interested in obtaining the CISSP but who do not have the necessary experience can earn an associate designation by passing the exam. They then have up to six years to gain the experience for the certification.
The amount of time needed to pass the CISSP depends on the tester’s level of experience entering the exam and their chosen training method. Many in-person and online courses are available, ranging from self-study to intensive five-day courses. Successful candidates who used self-study estimate completing 150-200 hours of study before the exam.
Best general certification for experienced professionals
The CISSP is a good choice for security administrators and analysts who want coverage on general security topics.
2. Certified Information Systems Auditor (CISA)
The CISA is offered by ISACA, formerly known as the Information Systems Audit and Control Association. Like the CISSP, CISA is valuable for experienced professionals interested in moving up into leadership positions, although it also suits earlier-career professionals looking to expand their skill sets, provided they meet the experience requirement described below. The CISA exam covers five areas:
- Information systems auditing processes (21%)
- IT governance and management (17%)
- Information systems acquisition, development and implementation (12%)
- Information systems operations and business resilience (23%)
- Protection of information assets (27%)
CISA certification is valid for three years, with continuing education credits required for recertification. Certified professionals can earn education credits through such experiences as conferences, webinars, training courses and labs.
The exam fee is $575 for ISACA members and $760 for non-members, along with a $50 application fee.
As with CISSP, CISA candidates must have five years of relevant, paid work experience. Qualified applicants may obtain waivers for up to three years of experience. Applicants must also score a minimum of 450 out of 800 possible points to pass the exam.
There are numerous training courses, both online and in-person, with a range of time requirements. The test itself is four hours and contains 150 questions.
Best for emerging leaders
The CISA is a useful tool for potential security managers and senior engineers looking to further their experience in information system operations and security. Professionals who want more experience in auditing procedures may find it particularly useful.
3. Certified Information Security Manager (CISM)
Also offered by ISACA, the CISM focuses on security program governance, risk management, and incident management. It covers four domains:
- Information security governance (17%)
- Information risk management (20%)
- Information security program development and management (33%)
- Information security incident management (30%)
CISM certification is valid for three years, with continuing education credits required for recertification. Like the CISA, these education credits can be earned through such experiences as online training courses, labs and volunteer opportunities.
For ISACA members, the exam fee is $575; for non-members it costs $760. There is also a $50 application fee. Preparatory courses range widely in cost.
Applicants need five years of relevant, paid work experience, although they may obtain a waiver for a maximum of two years. A passing score of at least 450 out of 800 is also necessary.
The time necessary to prepare for the exam depends on the applicant’s experience and preparation method. Online courses and self-study may take longer than intensive in-person training; the general recommendation is to study for at least three months. The exam is four hours long and has 150 questions.
Best for governance and risk management
Because the CISM covers governance, risk management, and incident management, it’s a good option for security professionals who want to strengthen their incident response and business continuity skills at the program level.
4. Certified Ethical Hacker (CEH)
The International Council of Electronic Commerce Consultants (EC-Council) offers the CEH certification. CEH certification helps build robust security analysis skills and offensive and defensive security competence by training applicants in the latest hacking tactics, techniques, and procedures (TTPs), including ransomware attack trends.
The current version of CEH has 20 total modules, including network scanning, vulnerability analysis, IoT and OT hacking and cryptography.
CEH certification remains valid for three years. Continuing education is necessary for recertification. EC-Council also offers CEH Practical and CEH Master certifications.
The CEH exam fee is $1,199, with a non-refundable $100 application fee.
To sit for the current CEH, applicants must either hold a prior CEH certification or have a minimum of two years’ experience in an information security domain. Alternatively, applicants can attend an official EC-Council training program. Because EC-Council uses multiple exam forms of differing difficulty, the minimum passing score ranges from 60% to 85% depending on the form.
The official EC-Council training course is an intensive five-day, 40-hour program. The 125-question exam is four hours long.
Best for ransomware protection experience
Because the CEH tests professionals’ knowledge of hacking techniques, it’s a good choice for security personnel in large organizations. This is particularly beneficial for security teams in healthcare and financial services, since these are such high-profile targets.
5. CompTIA Security+
Security+, offered by CompTIA, is for IT and security professionals looking to move into intermediate-level security positions. The Security+ exam (SY0-601) is broken down into five domains:
- Attacks, threats and vulnerabilities (24%)
- Architecture and design (21%)
- Implementation (25%)
- Operations and incident response (16%)
- Governance, risk and compliance (14%)
Security+ certification is valid for three years and is extendable in three-year increments through continuing education and training. Note that CompTIA’s official website lists a retirement date of July 2024 for this version of the exam (SY0-601), so it won’t be available after that date; check CompTIA’s site for the current exam version and domains.
The Security+ exam costs $392.
CompTIA recommends both CompTIA Network+ certification and two years of security-focused IT administration work experience before taking the Security+ exam.
The passing score for the exam is 750 out of 900.
CompTIA’s official online training contains more than 40 hours of content, along with a variety of practice exams. The exam itself is a maximum of 90 questions over 90 minutes.
Best for junior security personnel
Security+ has no formal experience requirement; CompTIA only recommends about two years of IT administration experience, which makes it a good choice for security and IT professionals who don’t yet have a lot of industry experience. It’s also useful for more experienced personnel who want a vendor-neutral baseline credential.
6. GIAC Security Essentials Certification (GSEC)
GIAC (Global Information Assurance Certification) Security Essentials certification is available to professionals at all levels, from entry-level to experienced security administrators. GSEC covers eight primary security information areas:
- Active defense
- AWS and Microsoft cloud
- Defensible network architecture and network security
- Vulnerability scanning and incident response
- Linux security
- SIEM and exploit mitigation
- Web communication security
- Windows security
GSEC certification is good for four years and recertification requires continuing education and training.
The GSEC exam fee is $949.
There are no formal requirements to register for the exam, although relevant work experience is recommended. The minimum passing score for the exam is 73%.
GIAC’s recommended in-person training is an intensive six-day course. The GSEC exam is four to five hours, with a maximum of 180 questions.
Best security overview certification
GSEC is available for both junior and tenured security personnel and covers a wide range of topics, including security for different operating systems and cryptography. It’s a good choice for both employees new to the field and admins who want to broaden their knowledge.
7. Systems Security Certified Practitioner (SSCP)
Another (ISC)2 program, the SSCP focuses on practical, hands-on operational security for networking and systems security professionals. The exam covers seven domains:
- Access controls (15%)
- Security operations and administration (16%)
- Risk identification, monitoring and analysis (15%)
- Incident response and recovery (14%)
- Cryptography (9%)
- Network and communications security (16%)
- Systems and application security (15%)
SSCP certification is valid for three years. Recertification requires continuing education credits.
The SSCP exam fee is $249.
Applicants need a minimum of one year of relevant, paid work experience in at least one of the SSCP knowledge domains. The minimum exam passing score is 700 out of 1,000.
The SSCP exam is a four-hour test with 150 items in multiple-choice format.
Best for network security professionals
Designed to test information and networking security skills, the SSCP covers a broad range of topics for junior professionals who want to increase their experience and move into more intermediate roles.
8. CompTIA Advanced Security Practitioner (CASP+)
CASP+ is a hands-on, advanced-level certification for security practitioners rather than managers. It’s designed to help experienced individuals assess enterprise security posture and make implementation decisions. The certification addresses four areas of technical and operational security skills:
- Security architecture
- Security operations
- Governance, risk and compliance
- Security engineering and cryptography
CASP+ certification is valid for three years. Recertification requires continuing education and training.
The CASP+ exam fee is $494.
CompTIA recommends 10 years of general operational IT experience, with at least five years focused on security. The exam is pass/fail rather than a minimum score requirement.
CompTIA offers a self-paced e-learning preparation module. The exam is 165 minutes and has a maximum of 90 questions.
Best for senior security practitioners
CompTIA states that exam candidates should be the people making security posture decisions rather than managers overseeing them, so this certification is best suited to highly experienced hands-on members of a security or IT team. Examples of ideal candidates are security architects and senior security engineers.
9. GIAC Certified Incident Handler (GCIH)
GCIH is another practical certification for professionals involved in day-to-day incident identification and response. GCIH certification focuses on three primary competencies:
- Incident handling and computer crime investigation
- Computer and network hacker exploits
- Hacker tools
GCIH certification is valid for four years and re-certification requires continuing education and training.
The GCIH exam fee costs $949.
There are no formal requirements, although relevant work experience is recommended. The minimum passing score for the exam is 70%.
GIAC recommends a six-day intensive training course, although there are also self-paced e-learning options. The exam has 106 questions and lasts four hours.
Best for security incident responders
The GCIH is an ideal certification for incident handlers, system admins, and other security personnel tasked with immediate response to security events. It’s best for personnel who already have some experience in a cybersecurity function, even if that’s just a junior engineering or IT systems role.
10. Offensive Security Certified Professional (OSCP)
Offered by Offensive Security, the OSCP certification is a hands-on ethical hacking credential that focuses on penetration testing. Among the practical competencies covered by the OSCP are:
- Identifying and enumerating targets
- Writing penetration testing scripts and tools
- Analyzing and adapting public exploit code
- Conducting various attacks
- Identifying web application exploits
- Tunneling between networks
- Creative problem solving
OSCP certification is valid indefinitely and does not require recertification or continuing education.
Depending on the length of access needed for self-study materials, costs range from $799 to $5,499.
Applicants must have a good working knowledge of TCP/IP networking and Bash or Python scripting, along with Windows and Linux administration experience.
The supporting PEN-200 e-learning course includes more than 17 hours of video. Applicants should also spend a substantial amount of time working through the course’s lab machines, including retired OSCP exam machines.
The exam is a 24-hour hands-on practical in which candidates compromise a set of lab machines, followed by submission of a written penetration test report documenting what they did.
Best for pentesting hopefuls
Since this course and certification focus on hands-on ethical hacking methodology, they are a good fit for security personnel who want to perform penetration testing on business systems or transition into a pentesting role. It’s also a good choice for people without formal pentesting experience, but with the networking, scripting and administration background noted above, who want to pursue a hacking career or operate as a contract penetration tester (or “pentester”).
Bottom line: Best cybersecurity certifications
Cybersecurity certifications are beneficial for both experienced administrators and would-be security professionals. To choose the right exam for you, consider the following steps:
- Look for a course that is the most practical for your role, needs and experience level. Some are suited for experienced professionals, while others are appropriate for people just dipping their toes into the security field.
- Ideal courses may vary based on your desired career path, whether that is security analyst, contract pentester, incident responder, IT manager or another role.
Although certifications require financial and time commitment, they can be a worthwhile investment for professionals.