This guide is all about how cybersecurity certifications work, including how to get a cybersecurity certification, what kinds of cybersecurity certifications are required for various jobs in the industry, and how to prepare for cybersecurity certification exams.
Certifications are an important part of any technical career, and this holds true for careers in the cybersecurity field as well. While degrees show that an individual has studied a specific topic, certifications can help prove to employers that they are proficient in that subject. It’s important to note, however, that not all certifications are created equally.
When pursuing a career in cybersecurity, it’s critical that research is done on the organizing bodies that create the certifications before spending the money on taking them. This guide will provide information about some of the major organizations that provide certifications and the benefits of obtaining these certifications.
What is a cybersecurity certification?
A professional certification is a physical (or digital) document that states that an individual has passed an exam certifying that they are proficient in an area of study. Unlike a degree, a certification typically doesn’t require a professional to have gone through a specific amount of coursework.
Some certifications will have prerequisites, which we’ll talk a bit more about later. Certifications make it easier for those who have not attended a college or university to showcase their skills. It also allows those that do have a degree to show that they have practical knowledge along with their educational background. It never hurts to have certifications on your resume.
Prerequisites for cybersecurity certifications
Regarding certifications, a prerequisite is something that is required of an individual before they are permitted to take a specific certification exam. Prerequisites will vary depending on the certification.
Examples of prerequisites include requiring professionals to have a certain number of years’ experience or perhaps another certification that must be completed prior to the one they are trying to take. Another common prerequisite found in certifications is that the professional must take a specific course before being allowed to complete the certification exam. One example of a certification that has a prerequisite is the Certified Information Systems Security Professional (CISSP). Individuals wanting to become CISSP certified will be required to have at least five years of paid, full-time experience in at least two of the eight (ISC)2 domains or four years paid, full-time experience in at least two of the eight (ISC)2 domains and a college degree.
Another exam that has prerequisites is the Certified Ethical Hacker (CEH). In order to take the CEH, individuals should first complete a formal CEH training course offered by EC-Council. Without formal training, those hoping to take the CEH exam must have at least two years’ experience in an information security-related field and an educational background in information security. They must also pay a nonrefundable eligibility fee and submit an exam eligibility form. It’s important to note that there is a difference between a prerequisite and a recommendation.
Some certifications have recommendations for the order in which the certifications should be obtained. For example, CompTIA recommends that professionals take the CompTIA A+ and CompTIA Network+ before taking the CompTIA Security+; however, they do not require it. Therefore, if a professional felt confident in their ability to pass the CompTIA Security+ without first taking the others, CompTIA would allow them to do so.
Major cybersecurity certification organizations
While it might seem like there are countless cybersecurity certifications, certain programs and credentials are better recognized and respected than others.
This doesn’t mean that there is no reason to get the less recognized certifications. Some organizations will require their employees to become certified in something that may not be as well known as other certifications.
However, for professionals that are new to the field and just looking to obtain certifications that will be easily acknowledged by any company, it’s best to pursue the certifications offered by major organizations. Here are some organizations that offer certifications which are well known and highly respected in the cybersecurity space:
- (ISC)2 – The International Information System Security Certification Consortium
- EC-Council – The International Council of E-Commerce Consultants
- CompTIA – The Computing Technology Industry Association
- GIAC – Global Information Assurance Certification
- ISACA – formerly the Information Systems Audit and Control Association
The major organizations listed above all provide numerous certification options. It’s beneficial as a cybersecurity professional to understand each of these organizations and the certifications that they offer.
(ISC)2
The International Information Systems Security Certification Consortium, more commonly known as (ISC)2, is the organization behind the sought-after CISSP certification. (ISC)2 describes itself on its website as “The World’s Leading Cybersecurity Professional Organization”. (ISC)2 is a non-profit with more than 140,000 certified members. Although (ISC)2 is best known for the CISSP, it offers other certifications as well. Here is a brief description of some of the certifications which can be obtained through (ISC)2:
- CISSP – Certified Information Systems Security Professional: One of the most sought-after and most esteemed certifications in the cybersecurity world, the CISSP should be on the list of anyone hoping to be successful in the industry. The CISSP is not a beginner certification, but rather one for those who are already experienced, high-achieving cybersecurity professionals. The CISSP can help individuals already working in the field progress their careers. As a prerequisite for the CISSP, candidates must have a minimum of five years of cumulative, paid, full-time experience. That experience must cover at least two of the eight domains of the CISSP Common Body of Knowledge (CBK). Individuals with a degree may be granted a one-year experience exemption, bringing the required experience down to four years. Read more about the CISSP certification on the (ISC)2 website.
- SSCP – Systems Security Certified Practitioner: Professionals lacking five years’ experience shouldn’t count themselves out from obtaining an (ISC)2 certification just yet. The SSCP is a great certification for professionals looking to bring growth to their careers. Unlike the CISSP, the SSCP only requires a minimum of one year of working experience in one or more of the seven domains of the SSCP Common Body of Knowledge (CBK). For professionals with a bachelor’s or master’s degree, that one-year experience requirement may be waived. Working to obtain the SSCP certification from (ISC)2 is ideal for professionals in any of the following positions: network security administrator, systems administrator, security analyst, and security administrator. Read more about the SSCP certification on the (ISC)2 website.
- CCSP – Certified Cloud Security Professional: Another (ISC)2 certification worth mentioning is the CCSP. The CCSP is a globally recognized certification that allows professionals to showcase their skills in designing, managing, and securing data, applications, and infrastructure hosted in the cloud. As more and more organizations move their entire infrastructure to the cloud, the need for qualified cloud security professionals continues to grow. Much like the CISSP, the CCSP is not a certification for those just beginning their career, but rather for those who have already established a firm foundation within the field. Prerequisites for the CCSP include five or more years in a paid, full-time information technology role. It also requires that at least three of those years be in information security and that one year be in one or more of the six domains of the CCSP Common Body of Knowledge (CBK). Earning the CISSP certification can be substituted for all of the other experience requirements. More information regarding the CCSP can be found on the (ISC)2 website.
Other (ISC)2 certifications include CAP, CSSLP, HCISPP, CISSP-ISSAP, CISSP-ISSMP, and Associate of (ISC)2.
EC-Council
EC-Council is best known for the Certified Ethical Hacker certification, more commonly known as the CEH. EC-Council does, however, offer many other certifications besides the CEH. Rather than focusing on specific areas of knowledge, EC-Council markets more towards specific roles and titles. For example, when a professional looks at the certification programs on EC-Council’s website, they would see that the certifications look more like job titles: Licensed Penetration Tester, Certified Ethical Hacker, Security Analyst, Certified Chief Information Security Officer, and the list goes on. This can make it easy for those interested in a specific job to focus in on which certification they’d like to pursue. On the other hand, these certifications may be too specialized for individuals looking to cover a wide range of security skills. Here is a brief description of a few of the certifications which can be obtained through EC-Council:
- CEH – Certified Ethical Hacker: This is by far the best known of the EC-Council certifications. The CEH is widely recognized among security professionals. While the certification may include the word hacker in its title, it’s not just for those who work in offensive security. Anyone working within cybersecurity, whether offensive or defensive, can benefit from the CEH certification. EC-Council offers two main options for eligibility. First, individuals wishing to take the CEH exam can attend an official EC-Council CEH training. Attending an official training at an Accredited Training Center, via EC-Council’s iClass platform, or at an approved academic institution will make students eligible to take the CEH exam without any further eligibility application process. For those who wish to take the exam without going through official training, option two allows professionals with at least two years of information security related experience to pay a nonrefundable eligibility application fee. After their application is approved, they may then take the exam. Read more about the Certified Ethical Hacker certification on the EC-Council website.
- ECSA – EC-Council Certified Security Analyst: For those looking to pursue a career in penetration testing, the ECSA is often a good fit. While the CEH covers many different aspects of cybersecurity and offensive security, the ECSA focuses more narrowly on penetration testing. Penetration testing is a profession in which engineers attempt to offensively breach (legally and with permission) a target network or system. The prerequisites for the ECSA are similar to those of the CEH. Individuals can choose to take an official EC-Council ECSA training course, making them immediately eligible for the exam, or they can possess a minimum of two years’ experience in the cybersecurity field and go through the eligibility application process. To read more about the ECSA certification, visit the EC-Council website.
- LPT – Licensed Penetration Tester: Professionals looking to become a penetration tester (or progress their career as a penetration tester) may choose to continue on to the Licensed Penetration Tester certification after obtaining either the CEH, the ECSA, or both. EC-Council’s website describes the Licensed Penetration Tester certification as their most challenging practical exam available. In order to pass the LPT exam, professionals must complete and document the entire process of a penetration test from start to finish. The penetration test completed must be in the format which is taught during the ECSA program. While there are no pre-defined prerequisites for the LPT, EC-Council suggests that this exam should be taken after completing the CEH and ECSA certifications, as it builds on the knowledge learned and used during those exams. Learn more about the LPT certification here: https://cert.eccouncil.org/licensed-penetration-tester.html
Other certifications offered by EC-Council include (but are not limited to) CSCU, ECSS, EDRP, CHFI, and CND.
CompTIA
CompTIA certifications are some of the most highly recognized IT certifications available. CompTIA provides certifications in many different IT fields such as software development, computer networking, cloud computing, and of course, information security. CompTIA has four major “core” certifications: CompTIA IT Fundamentals, CompTIA A+, CompTIA Network+, and CompTIA Security+. While three of the four certifications listed may not seem security-related, they lay the groundwork that the information security certifications build on.
- CompTIA Security+: The CompTIA Security+ is a great starting point for anyone looking to pursue a career in cybersecurity. The topics covered by this certification provide broad coverage of general cybersecurity. The Security+ exam covers items such as threats and attacks, architecture and design, risk management, and even cryptography. While there are no specific prerequisites for taking the Security+ exam, CompTIA recommends that professionals have their CompTIA Network+ certification and two years’ experience in IT administration with a focus on security. More information regarding the Security+ certification can be found on the CompTIA website.
- CompTIA CySA+: The CompTIA Cybersecurity Analyst, more commonly known as the CySA+, is a more advanced cybersecurity certification than the Security+. The CySA+ takes a deeper dive into topics such as threat management, vulnerability management, cyber incident response, and security architecture and toolsets. The recommended experience for the CySA+ is holding a Network+ certification and a Security+ certification (or having equivalent knowledge) and having a minimum of 4 years of hands-on information security or related experience. Read more about the CySA+ certification on the CompTIA website.
Other CompTIA certifications include (but are not limited to) CASP+, PenTest+, Linux+, and Cloud+.
GIAC
Global Information Assurance Certification (GIAC) is an organization founded in 1999 to validate the skills of information security professionals. GIAC certifications are trusted by thousands of companies and government agencies, including the United States National Security Agency (NSA). GIAC certifications are based on SANS training. GIAC offers many different certifications in categories such as cyber defense, penetration testing, incident response, and forensics, as well as a few others. Here are brief descriptions of a few GIAC certifications:
- GSEC – GIAC Security Essentials: GSEC is one of the more entry-level certifications offered by GIAC. It certifies that a practitioner’s knowledge of information security goes beyond simply knowing terminology and concepts. The goal of the GSEC is to validate an individual’s hands-on knowledge. There are no listed prerequisites for the GSEC, but those wishing to take the exam should have a working knowledge of IT security and networking. Find out more about the GSEC certification on the GIAC website.
- GMOB – GIAC Mobile Device Security Analyst: GMOB is one of the more interesting certifications offered by GIAC because it allows professionals to show their abilities as they relate to mobile device security. Mobile devices are a major part of both our personal and professional lives. It is important to have well-qualified individuals to protect these devices that connect us together. The GMOB certification validates that its holders have demonstrated knowledge with regard to assessing and managing mobile device and application security. Read more about the GMOB certification on the GIAC website.
- GCFA – GIAC Certified Forensic Analyst: Professionals interested in pursuing a forensic analyst career would certainly benefit from obtaining the GCFA certification. The GCFA is a widely recognized forensic analyst certification that covers a wide range of forensic topics such as advanced incident response and digital forensics, memory forensics, timeline analysis, anti-forensics detection, threat hunting, and APT intrusion incident response. More information regarding the GCFA certification can be found on the GIAC website.
Other GIAC certifications include (but are not limited to) GCIH, GPEN, GCIA, GCFE, and GNFA.
ISACA
Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only. According to its website, ISACA was incorporated in 1969 by a small group of individuals who recognized a need for a centralized source of information and guidance in the growing field of auditing controls for computer systems. Since then, thousands of IT professionals have gone on to obtain ISACA certifications. Here are brief descriptions of a couple of ISACA certifications:
- CISA – Certified Information Systems Auditor: The CISA certification is a widely recognized certification that covers information security audit control, assurance, and security. Holding a CISA certification proves that a professional is capable and knowledgeable enough to assess vulnerabilities, report on compliance issues, and institute security controls within an organization. Read more about the CISA certification on the ISACA website.
- CISM – Certified Information Security Manager: A step above the CISA is the Certified Information Security Manager (CISM). This certification is designed for those who would like to demonstrate their knowledge of information security management. According to the ISACA website, independent studies rank the CISM as one of the highest paying and most sought-after IT certifications. As this is a management-focused certification, those looking to obtain it should have hands-on experience managing, designing, and overseeing an enterprise’s information security program. Learn more about the CISM on the ISACA website.
Other ISACA certifications include CGEIT and CRISC.
Deciding which certification to pursue
With such a long list of certifications in existence, it can often be difficult to determine which one is the best to choose. This becomes especially difficult when two certifications seem very similar to each other. For example, EC-Council offers multiple certifications for those looking to start a career as a penetration tester (ECSA and LPT), but CompTIA and GIAC also offer penetration testing certifications (PenTest+ and GPEN).
Unfortunately, in these scenarios, there is no definitive answer to which certification is better to pursue. If a professional has a company in mind that they would like to work for, it could be beneficial to see whether that organization’s job descriptions list one certification over another. Aside from that, the best option is to simply research all of the organizations which offer the certifications and decide which one is the best fit. It also doesn’t hurt to pursue multiple certifications. If an individual held the ECSA, LPT, PenTest+, and GPEN certifications all at the same time, this would only help to show that they have the knowledge needed to be a penetration tester.
Certifications are an awesome way for professionals to showcase their skills. There are plenty of options to choose from, so professionals should review the options available and determine which certification is best for them based on the career path they’d like to pursue. Some organizations and certifications are more recognizable than others, but that doesn’t mean that there is no value in the lesser-known certifications. Prerequisites vary from certification to certification, with some certifications having no prerequisites at all. Even if a certification does not have a prerequisite, professionals should still review the recommended experience to ensure that they are not attempting to take an exam that is far above their knowledge and skill level.
Major players in the IT security certification realm include (ISC)2, EC-Council, CompTIA, GIAC, and ISACA. It’s important to note that while this list covers some of the major players, it’s not an exhaustive list, and other certification providers exist beyond these. Professionals should always do research to ensure they are pursuing the certification that best fits their needs.