The original title of this post was The Definitive Guide to Information Security Certifications. Then I started doing research on what employers were looking for.
Why focus on what employers are looking for? My focus is about making you marketable, not credible.
There are a few reasons to get a certification: 1) get a raise/promotion, 2) get a new job, 3) prove you have the skills (which likely ties back to 1 and 2).
For this analysis, I discarded Option 1 — if you just want a raise, it’s generally easy to figure out which certification your employer values. As for Option 2, my evaluation is tied back to what employers are actively recruiting for. Don’t confuse my analysis with a judgment of the value of, or the knowledge required to pass, any certification.
In the world of job searches, Indeed.com is the leader. They scour the internet for every job opening and aggregate it into a neat interface. Why is that important here? They also document trends in job searches through their Job Trends service.
To do my research, I started off with Wikipedia’s list of information security certifications. Is it exhaustive? No. I actually found a better and more thorough list. After doing the research, I figured out that there are only a few certifications that show up in job requirements.
Security+ was created in 2002 but didn’t show up in Indeed’s data until 2009. In the past five years, it’s had its peaks and valleys but hovers just below .1 percent of all jobs on Indeed. I personally don’t know too many companies looking for the Security+ certification.
It’s funny, the last time I taught a CISA prep course was at its peak in 2006. It still routinely scores above .1%. It’s a great certification for security people in the audit field.
This was the biggest surprise for me. Don’t forget to look at the scale before looking at the curve. I know a huge number of professionals who have pursued one of the GIAC certifications. As a whole, they barely reach the number of companies looking for Security+ certification. Do I think this is accurate? Kind of. Since this is a suite of certifications, some companies skip the GIAC and just go for the specific cert (such as GCIH). No single GIAC cert scores as high as GIAC itself. I also just think there aren’t as many openings requiring the specialized skills GIAC certifies.
The Certified Ethical Hacker cert has been around for a while but as you can see from the graph, it’s just starting to take off. It’s still **way** below any certification I’ve looked at.
The CISSP is the grand-daddy of all security certifications (at least statistically here). Today, it clearly stands among the most sought-after certifications. Even then, it’s down almost half from its 2010 peak. I received my certification back in 2001 when it was less well known than it is today.
While using the term “information security” to create our baseline isn’t perfect, it was the best I could do. Interestingly, there is a pretty strong correlation between information security jobs and the CISSP.
The Only Certifications You Need
The numbers speak for themselves.
For most security professionals, the CISSP is a very beneficial certification. It’s important to note that most big companies use basic searching algorithms to eliminate candidates. Don’t have the CISSP? You’re not qualified. (You’re probably incredibly qualified but unfortunately it’s too hard for them to figure that out.)
The only other certification I would recommend is the CISA, and only if you’re in the auditing space. The CISA is still a very common certification (representing likely half of security jobs posted). Given its auditing slant, it’s not for everyone.
This analysis is for people who are looking to make themselves more marketable to future employers. There are some great certifications that are not only valuable but incredibly difficult to pass. The truth though is that not a lot of employers are looking for people with a particular certification. That said, they are likely looking for people with those skill sets. A particular certification might make it easier for you to prove you have that skill.
If you’ve been reading my blog for a while, you probably know I’m an active proponent of having a broad security skill set and not focusing too deeply in one area as you grow. The CISSP is a great broad security certification. The CISA is the same type of certification in the auditing component of security.
Finally, no certification replaces the actual on-the-ground knowledge you learn day-to-day. While these certifications are good checkboxes, ultimately it’s how you communicate your knowledge during the various interview processes that matters.
Disclosure: I am an active CISSP and while I taught hundreds of students how to pass the CISA exam, I never actually sat for the exam myself. Additionally, while I have considered many of the certifications here as well as others, the only other certification I took during my 20-year career was the CCNA in 1998.