The critical talent gap for cybersecurity professionals, particularly certified professionals, is continuing to expand, especially as organizations shift more resources and services to the cloud to support remote workforces. As a result, opportunities in cybersecurity are greater than ever before.
Existing professionals can leverage their experience to take advantage of the current environment through certifications. Certifications provide a formal, objective verification of experience and demonstrate value to both current and potential employers.
Below we detail some of the most widely accepted and valuable certifications that can help existing professionals set themselves apart, move up the ladder to leadership positions, and increase their salaries:
See more: Data Storage Job Market Trends
1. Certified Information Systems Security Professional (CISSP)
The CISSP, offered by the International Information System Security Certification Consortium (ISC)2, is one of the most well-recognized and accepted cybersecurity certifications. The CISSP is for experienced professionals looking to design and lead corporate cybersecurity programs.
What skills will you learn?
The CISSP curriculum revolves around the (ISC)2 Common Body of Knowledge, which has eight areas of expertise:
- Security and risk management (15%)
- Asset security (10%)
- Security architecture and engineering (13%)
- Network and communication security (13%)
- Identity and access management (13%)
- Security assessment and testing (12%)
- Security operations (13%)
- Software development security (11%)
A CISSP certification is valid for three years, although there are yearly continuing education requirements to maintain it. Holders must re-certify after three years.
CISSP candidates must have at least five years of total work experience in paid positions that focus on two or more of the eight CISSP knowledge domains. They must also pass a three-hour, 100-150 question, computerized test (using computer-adaptive testing methodology) with a minimum score of 700 out of 1000.
Those interested in obtaining the CISSP but who do not have the necessary experience can gain an associate designation by passing the exam. They then have up to six years to gain the experience for the certification.
The amount of time needed to pass the CISSP depends on your experience entering the exam and your chosen training method. Many in-person and online courses are available, ranging from self-study to intensive five-day courses. Successful candidates who used self-study estimate completing 150-200 hours of study before the exam.
$749 exam fee
2. Certified Information Systems Auditor (CISA)
The CISA is offered by ISACA, formerly known as the Information Systems Audit and Control Association. Like the CISSP, CISA is valuable for experience professionals interested in moving up into leadership positions, although it also targets entry-level professionals looking to expand their skill set. CISA certifications focus on five cybersecurity areas:
- Information systems auditing processes (21%)
- Governance and management of IT (17%)
- Information systems acquisition, development and implementation (12%)
- Information systems operations and business resilience (23%)
- Protection of information assets (27%)
CISA certification is valid for three years, with continuing education credits required for recertification.
As with CISSP, CISA candidates must have five years of relevant, paid work experience. Qualified applicants may obtain waivers for up to three years of experience. Applicants must also receive a minimum of 450 out of 800 possible points to pass the exam.
There are numerous training courses, both online and in-person, with a range of time requirements. The test itself is four hours and contains 150 questions.
$575 exam fee for ISASA members and $760 for non-members, along with a $50 application fee.
3. Certified Information Security Manager (CISM)
- Information security governance (24%)
- Information risk management (30%)
- Information security program development, and management (27%)
- Information security incident management (19%)
CISM certification is valid for three years, with continuing education credits required for recertification
Applicants need five years of relevant, paid work experience, although they may obtain a waiver for a maximum of two years. A passing score of at least 450 out of 800 is also necessary.
The time necessary to prepare for the exam depends on the applicant’s experience and preparation method. Online courses and self-study may involve more time than intensive in-person training. The exam is four hours long and has 150 questions.
For ISACA members, $575; non-members $760. There is also a $50 application fee. Preparatory courses range widely in cost.
4. Certified Ethical Hacker (CEH)
The International Council of Electronic Commerce Consultants (EC-Council) offers the CEH certification.
CEH certification helps build robust security analysis skills and offensive and defensive security competence by training applicants in the latest hacking tactics, techniques, and procedures (TTPs), including ransomware attack trends.
The current version of CEH focuses on nine areas of competence and includes hacking challenges at the end of each section:
- System hacking phases
- Information security and ethical hacking
- Web application hacking
- Reconnaissance techniques
- Network and perimeter hacking
- Mobile platform, Internet of Things (IoT), and operational technology (OT) hacking
- Cloud computing security
- Wireless network hacking
CEH certification remains in force for three years. Continuing education is necessary for recertification.
EC-Council also offers CEH Practical and CEH Master certifications.
To sit for the current CEH, applicants must either have a prior CEH certification or a minimum of two years experience in an InfoSec domain. Alternatively, applicants can attend an official EC-Council training program. Depending on the form of the exam used, minimum passing scores range from 60-85%.
The official EC-Council training course is an intensive five-day, 40-hour program. The exam is four hours long and has 125 questions.
$1,199 exam fee with a non-refundable $100 application fee.
Security+, offered by CompTIA, is for security professionals looking to move into intermediate-level positions. Security+ covers the entire cybersecurity program lifecycle, broken down into five stages:
- Attacks, threats, and vulnerabilities
- Architecture and design
- Operations and incident response
- Governance, risk, and compliance
Security+ certification is valid for three years and is extendable in three-year increments through continuing education and training.
CompTIA recommends both CompTIA Network+ certification and two years of security-focused IT administration work experience before taking the Security+ exam.
The passing score for the exam is 750 out of 900.
CompTIA’s official online training contains more than 40 hours of content, along with a variety of practice exams. The exam itself is a maximum of 90 questions over 90 minutes.
See more: 10 Top Data Science Certifications
6. GIAC Security Essentials Certification (GSEC)
GIAC (formerly Global Information Assurance Certification) security essentials certification is available to professionals at all levels, from entry-level to experienced security administrators. GSEC covers eight primary security information areas:
- Active defense
- Defensible network architecture and network security
- Vulnerability scanning and Incident handling and response
- Linux security
- Security policy and risk management
- Web communication security
- Windows security
GSEC certification is good for four years and recertification requires continuing education and training.
There are no formal requirements to register for the exam, although relevant work experience is recommended. The minimum passing score for the exam is 73%.
GIAC’s recommended in-person training is a six-day intensive course. The GSEC exam is 4-5 hours, with a maximum of 180 questions.
7. Systems Security Certified Practitioner (SSCP)
Another (ISC)2 program, SSCP certification focuses on practical, hands-on operational security. Certification requires knowledge in seven knowledge domains:
- Access controls (15%)
- Security operations and administration (16%)
- Risk identification, monitoring, and analysis (15%)
- Incident response and recovery (14%)
- Cryptography (9%)
- Network and communications security (16%)
- Systems and application security (15%)
SSCP certification is valid for three years and recertification requires continuing education credits.
Applicants need a minimum of one year of relevant, paid work experience in at least one of the SSCP knowledge domains. The minimum exam passing score is 700/1000.
The official (ISC)2 training program is a five-day intensive in-person course.
8. CompTIA Advanced Security Practitioner (CASP+)
CASP+ is a hands-on, advanced-level certification for security practitioners rather than managers. Certification addresses four areas of technical and operational security skills:
- Security architecture
- Security operations
- Governance, risk, and compliance
- Security engineering and cryptography
CASP+ certification is valid for three years. Re-certification requires continuing education and training.
CompTIA recommends 10 years of general operational IT experience, with at least five years focused on security. The exam is pass/fail rather than having a minimum score.
CompTIA offers a self-paced e-learning preparation module. The exam is 165 minutes and has a maximum of 90 questions.
9. GIAC Certified Incident Handler (GCIH)
GCIH is another practical certification for professionals involved in day-to-day incident identification and response. GCIH certification focuses on three primary competencies:
- Incident handling and computer crime investigation
- Computer and network hacker exploits
- Hacker tools
GSEC certification is valid for four years and re-certification requires continuing education and training.
There are no formal requirements, although relevant work experience is recommended. The minimum passing score for the exam is 70%.
GIAC recommends a six-day intensive training course, although there are also self-paced e-learning options. The exam has 106 questions and lasts four hours.
10. Offensive Security Certified Professional (OSCP)
Offered by Offensive Security, OCSP certification is a variant of ethical hacking training that focuses on penetration testing. Among the practical competencies covered by OCSP certification are:
- Identifying and enumerating targets
- Writing penetration testing scripts and tools
- Analyzing and working with public explicit code
- Conducting various attacks
- Identifying web application exploits
- Tunneling between networks
- Creative problem solving
OCSP certification is valid indefinitely and does not require recertification or continuing education.
Applicants must have a good working knowledge of TCP/IP networking and Bash or Python scripting, along with Windows and Linux administration experience.
The supporting PEN-200 e-learning course includes more than 17 hours of video. Applicants should also spend a substantial amount of time working with available retired OCSP exam machines.
The exam is a 24-hour practical that includes the preparation of a lab report.
Depending on the length of access needed for self-study materials, costs range from $999-5,499.
See more: Top 5 Data Storage Companies Hiring