cso spotlight: certifications

Top cyber security certifications: Who they're for, what they cost, and which you need

Expand your skills, know-how, and career horizons with these highly respected cybersecurity certs

Essential certifications for smart security pros


Two of the most common questions I’m asked are, "Is having a computer security certification helpful in getting a job or starting a career in computer security?” and, "Which certification should someone get?" The answer to the first question is a definite yes. Getting a certification, while not a cumulative showing of your entire experience and knowledge in a particular area, can only help you. That’s true not only in getting a new job, but in improving your knowledge and experience overall, even in your current job.

Critics often say a certification means nothing, and that acumen and experience are the only true differentiators. As a holder of dozens of IT certifications, I beg to differ. More importantly, most employers agree with me. While a computer certification doesn’t tell the whole story, to say it doesn’t say anything about a person is an error.

Every certification I’ve gained took focused, goal-oriented study, which employers view favorably, as they do with college degrees. More important, I picked up many new skills and insights into IT security while studying for each certification test. I learned about new things, and I also gained new perspectives on subjects I thought I had already mastered. I became a better employee and thinker because of all the certifications I have studied for and obtained. You will too.

Sometimes, a particular certification is the minimum hurdle to getting an in-person job interview. If you don’t have the cert, you don’t get invited. Other times, having a particular certification can give you a leg up on competing job candidates who have similar skill sets and experience, but don’t have the desired certification.

Security is more important to computing and the internet than ever before, and the following, well-respected security certs will not only help you stand out from the crowd, but also make you a more valuable member of the IT security community.

IT security certifications

Here is a summary of some of the most desired IT security certifications.

Certified Information Systems Security Professional (CISSP), (ISC)2

The International Information System Security Certification Consortium’s ((ISC)2) Certified Information Systems Security Professional (CISSP) certification is the most coveted and widely accepted computer security certification around. This general computer security knowledge exam covers eight Common Body of Knowledge (CBK) domains, including access control, operations security and cryptography.

The test used to consist of 250 multiple-choice questions that had to be answered in under six hours, but since December 2017 it has used computerized adaptive testing, which reduces the number of questions and caps the exam at three hours. Candidates must already have five years of professional experience (four with a qualifying degree or approved credential) in two or more of the CBK domains, and they must be endorsed by a current CISSP holder. Those who pass the exam must also sign and agree to follow a code of ethics, and each certification holder must periodically submit proof of continuing education, along with a fee, to keep the CISSP designation. Initial exam cost is $699.

I used to be an unofficial CISSP exam instructor and have taught hundreds of students how to take and pass the exam. In my experience, candidates should buy at least two CISSP exam prep books and take at least 1,000 practice questions. Every student I had who followed this advice passed on the first attempt. If you don’t have the requisite five years of experience, even if you pass the CISSP exam, you’ll only be able to call yourself an Associate of (ISC)2 and not a CISSP until you accumulate the experience. If you don’t think you’ll ever have the five years’ experience, consider taking one of (ISC)2’s easier, cheaper exams (you’ll hold the same Associate title until you meet its experience requirement), or simply another exam from another testing vendor.

I haven’t always been a big fan of the CISSP test questions themselves. Back when I took and passed the exam, test questions weren’t always well edited or even technically correct. When I contacted (ISC)2 to complain, I was told these were most likely “beta” test questions that didn’t count toward scoring. Furthermore, no matter how much you studied or how many practice questions you answered, a large part of the exam would seem unfamiliar. Back in the day, most CISSP test takers would walk out of the exam not knowing how they did.

Although I hear the overall quality of the test questions is now better, test takers still tend to walk out unsure of how they did, although they now receive their result immediately after finishing. Despite those significant criticisms, there isn’t a more respected security certification. Customers rarely ask what certifications I have, but if they do, they are almost always waiting to hear me say CISSP because the person asking usually has their CISSP. It’s a good club to be in.

Truth be told, you’ll be a lot better computer security person having studied for and taken the exam. It covers a wide range of computer security topics and if someone starts talking about the “CIA triad,” you’ll know what they are talking about. (ISC)2 has at least seven other certification exams, all of which are well respected.

Note: Keep up with your continuing education requirements. If you miss out on the CISSP continuing education requirements, you may be required to re-sit the exam and pay the same fee as a first-time test taker.

SysAdmin, Audit, Network, and Security (SANS) Institute

The SysAdmin, Audit, Network, and Security (SANS) Institute and its website are a great resource for security pros. Training, research, education, books, certifications -- SANS does a lot and does it well. If you’re interested in being a respected technical expert, SANS offers the certs for you. It even offers at least one accredited master’s-level degree under the brand of the SANS Technology Institute, if you want the pinnacle technical achievement of our field.

SANS has a host of certifications, ranging from very niche security topics -- malware analysis, firewalls, host security, security controls, and so on -- to its hugely respected Global Information Assurance Certification (GIAC) Security Expert designation. I don’t think I’ve ever taken a SANS course that didn’t teach me more in a few hours than in weeks spent in classes offered by other training vendors, and I’ve yet to meet a GIAC holder that didn’t impress me.

GIAC offers over 30 certifications classified into one of five subject areas: security administration, forensics, management, auditing and software security. Most exams are open book (but not open internet) and have a time limit of two to five hours. Candidates have four months from registering for an exam attempt to sit it. Unfortunately, according to the GIAC exam guide, some tests could include “unscored” test questions, like the CISSP. My guess is there will be fewer beta test questions and that what they have is better vetted. SANS exams may include simulated (but limited) real-world practical environments to show that the candidate really does understand the subject and knows how to apply it in real life.

Some of SANS’s most popular GIAC exams are GIAC Information Security Professional, GIAC Certified Incident Handler, and GIAC Reverse Engineering Malware, but it offers courses that run the gamut, including Windows, web servers, penetration testing, Unix security, wireless networking, programming, leadership and program management. GIAC exams are meant to be taken after attending SANS training, which usually lasts a week, but you can challenge an exam (sit it without taking the official training) for $1,899. All GIAC certifications must be renewed every four years. If you want to learn a lot about computer security, how hackers hack, and how malware is made, start your SANS courseware now. The GIAC certifications are coveted, but expensive. Most students have their fees paid by their company.

Certified Ethical Hacker (CEH), the EC-Council

The EC-Council’s Certified Ethical Hacker (CEH) certification is a well-respected way to learn how to be a white-hat hacker (or professional penetration tester). The CEH introduced me to some interesting hacking tools that I still use today. The four-hour exam includes 125 multiple-choice questions. The application eligibility fee is $100 and the exam fee is $950 to $1,199. CEH requires two years of relevant experience unless you attend official EC-Council training, which costs $850.

You will sometimes hear long-time computer security professionals talking down about the CEH certification. I think that is from earlier versions when CEH was one of the first computer certifications for penetration testing, back when computer security exams, in general, were new and easier to pass. Today, the CEH holds its own for general toughness, and the EC-Council offers a number of other useful exams, including Computer Hacking Forensic Investigator, Licensed Penetration Tester, Certified Incident Handler, and Certified Disaster Recovery Professional. It even has an exam for a Chief Information Security Officer.

Offensive Security Certified Professional (OSCP)

If your hacking love is penetration testing and you don’t want to take the easy route, the Offensive Security Certified Professional (OSCP) course and certification has gained a well-earned reputation for toughness with a very hands-on learning structure and exam. The official online, self-paced $800 training course is called Penetration Testing with Kali Linux and includes 30 days of lab access. Because it relies on Kali Linux (the successor to pen testers' previous favorite Linux distro, BackTrack), participants need a basic understanding of how to use Linux, bash shells and scripts.

The OSCP is known for pushing its students and exam takers harder than other pen-testing paths. For example, the OSCP course teaches, and the exam requires, the ability to obtain, modify and use publicly obtained exploit code. For the “exam,” the participant is given instructions to remotely attach to a virtual environment where they are expected to compromise multiple operating systems and devices within 24 hours and thoroughly document how they did it.

Offensive Security offers more advanced pen testing courses and exams, including web, wireless, and advanced Windows exploitation. Readers might also want to take advantage of its free (or donation-based) online course on the basics of the Metasploit tool.

Security+, CompTIA

CompTIA offers entry-level, comprehensive certification exams in PC repair (A+), networking (Network+), and security (Security+). Because a CompTIA exam is often the first test taken by many people new to the computer industry, it unfortunately has the reputation for being too basic a certification.

In my opinion, and by the standards of many employers, this is not true. The exams might not be as respected as those from other certification leaders, but they are comprehensive, and you must study hard to pass. CompTIA Security+ certification covers network security, cryptography, identity management, compliance, operations security, threats, and host security, among other topics. You get 90 minutes to complete up to 90 questions. I took the Security+ exam a long time ago, but it was tougher than expected for an exam that covers the basics. It even includes some simulated environments where the test taker has to select the right options. Price is $399.

CompTIA also offers a more advanced cybersecurity exam, the CompTIA Advanced Security Practitioner (CASP+). As the name suggests, it covers more advanced topics, including how to implement more complex security solutions, with up to 90 questions in 165 minutes. The extra time compared with Security+ tells you something about the type of questions you will get. The CASP+ exam costs $439.


ISACA certifications (CISA, CISM, CGEIT, CRISC)

ISACA, formerly known by its full name, the Information Systems Audit and Control Association, offers a range of respected certifications focusing mainly on auditing, management and compliance. Its major certifications are the following: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), and Certified in Risk and Information Systems Control (CRISC).

While the titles might not blow you away with excitement, it’s precisely their professional staidness that sells the value of these certifications. If you are interested in computer systems auditing or computer security management, these are the certifications to get. ISACA certifications are frequently held by the field’s top earners.

One of the first and hardest exams I ever took and passed was a state-level Certified Public Accountant (CPA) exam, which has nothing to do with computer security, of course. The type and structure of the ISACA exam questions remind me of the CPA exam. I’ve earned both the CISA and CISM, and I have found both to be good tests of security knowledge. Exam fees are $575 to $760, and each requires five years of relevant experience for you to be eligible to hold the certification. Buying a preparation book and taking a few hundred practice test questions, on top of your experience, should be all you need to earn these certs.
