Eighty percent of security leaders think their businesses will experience a cyberattack.
Whether you think cybersecurity panic is valid or unwarranted, there’s no denying that the cybersecurity industry is growing rapidly in response to companies’ calls for increased security measures to protect their data.
So if you’re already in IT or thinking about a career in the field, you might want to train your sights on specializing in a cybersecurity field, as it could make you a hot commodity in the tech world.
Below I’ll outline a few of the reasons you might want to seek industry certification (instead of just training in the field) and discuss 11 cybersecurity certifications that will help you prepare for the War of the World Wide Web.
Why get certified?
Obtaining a cybersecurity certification, rather than a more general IT or tech certification, indicates that you’ve specialized in a field. Think of it like majoring in microbiology instead of receiving a general biology degree.
In addition to specialization, certification can also show your dedication to and expertise in a field. Attempting certification means putting in hours of study, working in your given field for years, and sitting for long, difficult exams. A certification is an official way to demonstrate your knowledge. And, in some cases, it’s a standardized option that supports your request for a raise.
If you’re ready to take the next step in your IT security career, let’s get to the certifications that will help you in cyberwar combat. The certifications below are all vendor neutral and are ordered by:
- Perceived ease of obtaining certification—How many years of experience do you need in your field? How long is the exam, and how many questions are there? How many other prerequisites should you have before attempting certification?
- Average compensation for certified individuals—How much can you expect to earn after putting in all those hours of studying and testing?
1. GSEC (GIAC Security Essentials Certification)
Offered by: GIAC
If you want to prove your ability to complete IT system security tasks, then you should check out the GSEC. The certification will help you demonstrate your knowledge of IT security beyond simple memorization of cybersecurity buzzwords.
What it takes to get certified: Certification requires passing, with a score of 73%, a 180-question exam in the span of five hours. This exam costs $1,699, so you might need to save up for it or figure out how to pitch it to your boss.
Prerequisites: Although GIAC says there are no specific experience-level requirements, those hoping to put GSEC on their resumes must first apply to attempt certification.
Average salary after certification: Though it depends on factors such as job title, years of experience, and location, those with GSEC certifications can expect to earn, on average, salaries ranging between $67,000 and $108,000 per year.
2. Security+
Offered by: CompTIA
Security+ is another foundational-level cybersecurity certification. Those who want to demonstrate a baseline knowledge of security best practices should look into getting this certification from CompTIA. And for those who work for Uncle Sam—or want to—Security+ is approved by the U.S. Department of Defense as an acceptable cybersecurity certification.
What it takes to get certified: Certification requires passing a 90-question exam, with both multiple-choice and performance-based questions, in 90 minutes. A passing score is 750 or higher, out of 950 possible points. The exam is on the lower spectrum of cost, with a price tag of $320.
Prerequisites: Although there are no hard and fast prerequisites for a Security+ certification attempt, CompTIA recommends having Network+ certification and at least two years of experience in IT administration with a focus on security.
Average salary after certification: Depending on job title, those with a Security+ certification can expect to earn an average salary ranging from $42,000 to $95,000.
3. SSCP (Systems Security Certified Practitioner)
Offered by: (ISC)2
The SSCP markets itself as a way to gain “instant credibility” in the information security field and “expand your cybersecurity knowledge.”
If you’re just starting out in the InfoSec world, then the SSCP certification might help your resume stand out. Or it could help demonstrate your dedication to and skill at protecting data. Either way, the SSCP is a good foundational cybersecurity certification to prove your knowledge and prowess.
What it takes to get certified: The SSCP exam is three hours long and includes 125 questions. You must achieve a scaled score of 700 (out of 1,000) to pass. In addition to passing the exam, which costs $249, you must subscribe to the (ISC)2 Code of Ethics and get endorsed by an (ISC)2 certified professional.
Prerequisites: Before you sit for the SSCP test, you should have at least one year of cumulative work experience or a bachelor’s degree in cybersecurity. You should also make sure you’re familiar with the seven domains in the SSCP Common Body of Knowledge.
Average salary after certification: As this is a foundational certification, the salary range is more in line with entry-level IT positions. Depending on title and experience, SSCP-certified individuals earn an average salary ranging from $48,000 to $97,000 per year.
4. GPEN (GIAC Penetration Tester)
Offered by: GIAC
If you’re responsible for finding security vulnerabilities and assessing network stability, then you should think about adding GPEN certification to your list of accomplishments. The certification focuses specifically on the right way to run penetration tests, including related legal questions and other issues you might encounter along the way.
What it takes to get certified: The GPEN exam consists of 115 questions that must be answered in three hours. A passing score is 74%. The exam costs $1,699, but if you take a prep course through GIAC’s partner organization, SANS, it only costs $729.
Prerequisites: Like the GSEC, no specific training or experience is technically required to sit for the exam. But the GIAC specifies that the test is “for security personnel.” And since you have to apply for a certification attempt, you’ll probably want to have some level of work experience on your application.
Average salary after certification: The average annual salary in the United States for those with GPEN certification was a little over $120,000 in 2016, which might make up for the steep cost of the exam.
5. CEH (Certified Ethical Hacker)
Offered by: EC-Council
The idea of CEH is that, “To beat a hacker, you need to think like a hacker.”
Not only does this certification help you navigate the tools hackers use to bring down sites and companies, it also gives you the right to say you’re a Certified Good Guy™.
While most cybersecurity certifications teach you how different security measures, such as firewalls, should be configured to keep your organization safe, CEH helps you figure out how to attack system vulnerabilities. Ideally, that means that you can find weak spots before a Certified Unethical Hacker does.
What it takes to get certified: You have to apply for eligibility to sit for this four-hour, 125-question multiple choice exam. The exam fee is $950.
Prerequisites: Those applying to take the CEH exam must have two years of information security experience or take an $850 formal training course through the EC-Council.
Average salary after certification: Certified ethical hackers earn an average salary of about $70,000 per year, which makes the high cost of training and exam fees seem pretty worth it.
6. ECSA (EC-Council Certified Security Analyst)
Offered by: EC-Council
ECSA certification is the next step after the CEH in the EC-Council’s security learning track. Where the CEH demonstrates your knowledge of hacking, the ECSA exam demonstrates your skill in dealing with cybersecurity attacks. If you want to be a penetration tester—or if you already are one and want to hone your skill set—you might want to look into this certification.
What it takes to get certified: Those attempting ECSA certification must first submit a penetration test report to the EC-Council for assessment. If your report meets the council’s standards, you can sit for a four-hour, 150-question multiple-choice exam and pass with a score of 70% or higher to obtain certification.
Prerequisites: Before taking the ECSA exam, you should have two years of experience or take the EC-Council’s training course, which costs $850 but includes an exam voucher with purchase. You’re not required to have a CEH certification, but it’s strongly recommended. At the very least, you should possess “core hacking skills.”
Average salary after certification: Those with ECSA certification can expect to earn about $90,000 per year.
7. CSA+ (Cybersecurity Analyst+)
Offered by: CompTIA
If you’re interested in using behavioral analytics to combat hackers, you should definitely look into pursuing CSA+ certification. Because who doesn’t want to use data analysis and advanced threat detection skills to save the world… or your company’s network?
What it takes to get certified: To get CSA+ certified, you have to pass an 85-question multiple-choice and performance-based exam, earning 750 points (out of 900).
Prerequisites: Before sitting for your exam, you should have either a Network+ or Security+ certification or equivalent knowledge. In addition, CompTIA recommends having three to four years of experience in information security.
Average salary after certification: Like most of the other certifications on this list, salary is ultimately dependent on experience level. However, on average, those with CSA+ certification can expect to earn about $92,000 per year.
8. CRISC (Certified in Risk and Information Systems Control)
Offered by: ISACA
Unlike most of the other certifications on this list, which focus on technical security and cyber defense skills, the CRISC certification focuses on cybersecurity and how it relates to business. In fact, ISACA claims that it’s the “only certification with a business-risk focus.”
And given that most businesses think their security staff lacks basic business knowledge, you might want to look into CRISC if you’re trying to prove both your IT and cybersecurity chops.
What it takes to get certified: Certification requires passing the CRISC exam, which has 150 questions, in four hours. The exam costs $575 for ISACA members and $756 for non-members. You must also adhere to ISACA’s Code of Professional Ethics and their Continuing Professional Education program. Finally, after all that, you have to apply for certification.
Prerequisites: You should have at least three years of IT risk management experience through designing and implementing IS controls and experience in at least two of four CRISC domains before sitting for your exam. One of the domains you have knowledge in must be either IT risk management or IT risk assessment.
Average salary after certification: Depending on experience level, the average CRISC-certified employee earns anywhere from $88,000 to $150,000 per year. And according to a study from Global Knowledge, it’s the top-paying certification for 2017.
9. CISSP (Certified Information Systems Security Professional)
Offered by: (ISC)2
The goal of the CISSP certification is to demonstrate that “you have all it takes to design, engineer, implement, and run an information security program.” Basically, if you want to be large and in charge in the cybersecurity industry, CISSP can help you get there. For those in the public sector, this certification is approved by the U.S. Department of Defense for workers in the information security realm.
What it takes to get certified: Certification requires passing a six-hour, 250-question exam and achieving a scaled score of 700 out of 1,000. The exam costs $599. You must also subscribe to the (ISC)2 Code of Ethics and get endorsed by an (ISC)2 certified professional.
Prerequisites: You need at least five years of work experience in two or more domains of the (ISC)2 CISSP Common Body of Knowledge before attempting certification.
Average salary after certification: Depending on experience level, CISSP-certified individuals can expect to earn between $50,000 and $118,000 per year.
10. CISA (Certified Information Systems Auditor)
Offered by: ISACA
If you want to be an IS auditing professional, especially at the enterprise level, CISA certification might be what you need to get to the next level in your career. This certification will help you demonstrate your knowledge in areas such as IS acquisition, development, implementation, and information asset protection to employers.
What it takes to get certified: Passing the CISA exam requires earning a 450-point score on an 800-point scale. The exam consists of 150 questions, lasts four hours, and costs $575 for ISACA members and $760 for non-members. After passing the exam, you must apply for certification and adhere to ISACA’s Code of Professional Ethics and their Continuing Professional Education program. Finally, you have to comply with Information Systems Auditing Standards.
Prerequisites: To sit for the exam, you should have at least five years of professional information systems auditing, control, or security work. You can use certain workplace or educational experiences to replace a maximum of three years’ experience.
Average salary after certification: Depending on your job title, the average starting salary for those with CISA certification is a little over $50,000 per year. But those with 10 or more years of experience in the field, in addition to CISA certification, can earn an average of $120,000 per year or more.
11. CISM (Certified Information Security Manager)
Offered by: ISACA
The CISM certification is management focused and qualifies you to oversee and assess information systems at an enterprise level. It helps demonstrate your knowledge of international security best practices. If you aspire to a management or C-level position in infosecurity, becoming CISM certified might be well worth the time and effort.
What it takes to get certified: To pass the CISM exam, you must score 450 points on an 800-point scale. You should be able to answer 150 questions in four hours. The exam costs $575 for ISACA members and $756 for non-members. You must apply for certification after passing the exam, as well as adhere to ISACA’s Code of Professional Ethics and their Continuing Professional Education program, and comply with Information Systems Auditing Standards.
Prerequisites: CISM certification requires five or more years of infosecurity management experience, but you can substitute up to two years with a variation of education, certification, and work experience. You can also use both CISA and CISSP certifications to substitute two years’ work experience.
Average salary after certification: No matter the location, CISM-certified employees easily earn six-figure salaries. The average salary nationwide falls between $94,000 and $162,000, depending on experience level and job title.
Go get certified!
Hopefully one of the certifications on this list can give your infosecurity career a boost or help your resume stand out when applying for jobs. If one of them stands out but the price of training or the exam seems cost-prohibitive, remember that you should always reach out to your employer to see if they’ll subsidize or completely fund your certification attempt.
If there’s another cyber security certification you think should be on this list, let me know in the comments below.