Cybersecurity certifications may not be required for the job, but they can really punch up the resumes of cyber leaders such as CISOs and CSOs, providing a career boost by showcasing expertise, enhancing credibility, and opening up advancement opportunities.
They can also help senior cybersecurity professionals stay current with evolving threats, facilitate networking, and demonstrate compliance and risk management capabilities. “Certifications run the gamut from being broad and covering all the cybersecurity domains and capabilities — i.e., physical, technical, administrative, and operational — as well as going deep into each domain to being very tightly scoped to a specific hardware vendor or type of technology such as ransomware,” says Rebecca Herold, an IEEE member and founder of The Privacy Professor consultancy.
However, before you start collecting certifications, take some time to determine what type of cybersecurity activities you want to work in, she advises. There’s no use pursuing a certification that covers activities and requires knowledge of skills you never plan to use during your career.
Herold says there are a number of ways in which certifications boost your career as a CISO, including:
- Validate your cybersecurity skills, as they relate to the associated certifications.
- Establish your professional credibility, showing that you’re committed to staying in the field and not just jumping around from one type of career to another. Employers like to invest their time and efforts in hiring and training employees who will be around for the long term, not until they change to a different career as soon as the next new thing comes along.
- Help you advance your career more quickly, as many organizations give preferences to those who have taken the time to earn such certifications.
- Provide recognition for your skills among others in the industry, which is important in maintaining a long and successful career.
- Create a way for more networking opportunities, where you can obtain even more knowledge and find other future work opportunities.
- Demonstrate that you know the standardized cybersecurity concepts that you learn through attaining each specific type of certification.
- Demonstrate your commitment to ongoing learning, staying current, and maintaining professional development.
- Help to support salary increases.
Five cybersecurity certifications that can boost a career
CISSP – Certified Information Systems Security Professional
The CISSP, offered by ISC2, an international nonprofit membership association, is the most widely recognized certification designed for professionals who want to demonstrate a comprehensive understanding of information security concepts and best practices, says William Wetherill, CISO at DefenseStorm.
“The certification covers a broad range of security topics, such as asset security, security engineering, and risk management,” Wetherill says. “The CISSP is held to a higher standard of certification because it requires security professionals to have extensive working experience with compensation and a recommendation from a reputable ISC2 CISSP holder.”
The knowledge and skills gained from earning a CISSP certification are instrumental in developing effective security strategies and implementing best practices in the role of a CISO, according to Wetherill.
“If you’re really looking to propel your career to the next level, the crème-de-la-crème certification would be the CISSP for those going the technical hands-on route,” says Jay Martin, security practice lead at Blue Mantis.
And Joe Evangelisto, CISO at NetSPI, says that the CISSP is still a de facto standard in the industry and is still listed on all CISO job descriptions.
Brian Neuhaus, Americas CTO at Vectra AI, agrees that earning the CISSP certification should be at the top of the list for CISOs. “Holding such a certificate indicates that a security professional is equipped with the knowledge and technical skills needed to implement and manage best-in-class security programs,” he says.
While not an easy certificate to obtain, the CISSP and others like it should be goals that security professionals steadily work toward achieving to effectively advance their careers, according to Neuhaus. “Additionally, the CISSP certification can help professionals attract the attention of employers during resume reviews – and for those already in the field – stand out among the pool of prospects who are being considered for promotions,” he says.
To earn this certification, you have to pass the exam and have a minimum of five years’ cumulative, paid work experience in two or more of the eight domains of the ISC2 CISSP Common Body of Knowledge (CBK). Substitutions are allowed for the five-year work experience requirement.
Cost: Varies based on location of exam administration. For example, Americas and Africa, $749; United Kingdom, £585; EMEA, €665.
CCSP – Certified Cloud Security Professional
A newer certification from ISC2 that is worth noting is the Certified Cloud Security Professional, which is vendor agnostic, says Sanjay Raja, VP of product solutions at Gurucul. The CCSP certification, recognized around the world, demonstrates that you possess advanced technical expertise and understanding for effectively designing, overseeing, and safeguarding data, applications, and infrastructure within the cloud.
Nick Harrahill, director of support at Spin AI, says that as CISOs get more specialized, they may want to consider the CCSP certification. “It’s similar to the CISSP but is more focused on cloud security — a good fit for CISOs that support or heavily utilize cloud technologies,” Raja says.
To qualify for this cybersecurity certification, you must pass the exam and have at least five years’ cumulative work experience in IT. Three years must be in information security and one year in one or more of the six domains of the ISC2 CCSP CBK. Substitutions are allowed for the five-year work experience requirement.
Cost: Varies based on location of exam administration. For example, Americas and Africa, $599; United Kingdom, £479; EMEA, €555.
Certified Information Security Manager (CISM)
The Certified Information Security Manager, offered by ISACA, is another important certification for CISOs because it is specifically designed for professionals who are responsible for managing and overseeing information security programs, making it an excellent way to demonstrate management and leadership, according to Wetherill.
“The CISM certification provides important information on how to develop and implement effective information security strategies that align with the overall objectives of your organization while covering a wide range of topics, such as risk management, incident management, and information security governance, all of which are critical to the CISO role,” Wetherill says.
The certification provides the necessary skills and knowledge to balance business operations and strong security measures and focuses more on management and leadership skills, while the CISSP is more technical. “For CISOs, ISACA also offers a lot of good certifications, including CISM,” says Raja. “This certification gives a solid set of tools and training to manage a program.”
For CISOs heading more into the governance, risk and compliance or security management route, ISACA’s CISM is highly recommended, Martin says.
To earn this certification, you must pass the exam, apply for certification within five years after passing the exam, as well as have five years of information security work experience. You must have a minimum of three years of information security management work experience in three or more of the job practice analysis areas. Exceptions and substitutions are allowed for the five-year requirement.
Cost: Exam fee of $575 for ISACA members and $760 for non-members. After passing the exam, candidates pay a one-time $50 application processing fee for their CISM certification.
Certified Information Systems Auditor (CISA)
The Certified Information Systems Auditor is another essential certification offered by ISACA for professionals responsible for auditing, monitoring, and assessing their companies’ information security and business systems, according to Wetherill.
“The CISA certification is recognized globally and is highly regarded in the IT industry. It requires professionals to [validate] their knowledge and proficiency in information security auditing, control, and assurance,” Wetherill says. “The CISA certification provides an in-depth understanding of how to identify, analyze, and evaluate information security vulnerabilities and risks. These skills are vital for a CISO to effectively perform their jobs and protect their organizations from cyberthreats.”
Some certifications, such as the CISA, are better for specialized security roles, such as an auditor, says Corey Nachreiner, CSO at WatchGuard Technologies. ISACA’s CISA helps if auditing a company’s cybersecurity is your job focus.
Martin concurs, saying for CISOs seeking professions as auditors or assessment experts, ISACA’s CISA is highly recommended.
In addition, risk-based certifications, such as the CISA, help CISOs in their primary role: understanding and managing IT risks to businesses, adds Sohail Iqbal, CISO at Veracode.
To earn this certification, you must pass the exam and apply for certification within five years after you pass the exam. You must also have at least five years’ professional information systems auditing, control, or security work experience. A minimum of two years must be from within the CISA job practice areas. Exceptions and substitutions are allowed for the five-year requirement.
Cost: Exam fee of $575 for ISACA members and $760 for non-members. After passing the exam, candidates pay a one-time $50 application processing fee for their CISA certification.
GIAC Strategic Planning, Policy, and Leadership (GSTRT)
This GIAC Strategic Planning, Policy, and Leadership certification, offered by the SANS Institute, shows that you have the knowledge and skills to take the next step in your career with the ability to create strategic plans that resonate with the business, says Frank Kim, fellow at the SANS Institute.
“If you need to go beyond the technical details to more effectively communicate with senior leadership and the board, this certification shows that you know how to align with strategic objectives, create a roadmap, build a business case, create a security policy, and lead your team to success,” he says.
To earn this certification, you must pass the exam.
Cost: GIAC certification attempt, $979.
Not mandatory, certifications can take a career to the next level
It’s crucial to note that while certificates aren’t mandatory to achieve a career in cybersecurity, the information within them can be invaluable in helping navigate the industry, Neuhaus says. “With that said, sought-after cybersecurity talent is not limited to the number of certifications one may have,” he says. “Rather, professionals who are inventive thinkers and possess other skill sets, such as communication, multitasking, and management, that extend beyond the technical ones showcase that they have a well-rounded toolbox, especially in the constantly evolving landscape.”
It’s important that CISOs not lose sight of the other qualities, strengths, and attributes outside of certifications that are necessary for creating a holistic, robust workforce that has a multipronged approach to cybersecurity, Neuhaus adds.