6 security analyst certifications to advance your career

Whether you're just starting out in your security career or you're on your way to the top, these certs can give you a leg up.


The security analyst is the backbone of a company’s day-to-day IT security. Whether they're monitoring network infrastructure for breaches and intrusions as part of a security operations center, performing internal security audits, or analyzing past breaches to find the root causes of network vulnerability, they work to keep the company's infrastructure locked down tight.

If you're looking to get into this line of work, you may be wondering if a professional certification can help you stand out from the crowd—and if you're looking to hire a security analyst, you may be wondering what certs are a good signal of a great candidate.

"As an experienced hiring manager, certificates are important to me, for they show a candidate's potential for retaining knowledge," says Chuck Everette, Director of Cybersecurity Advocacy at Deep Instinct. Lucia Milică, Global Resident CISO at Proofpoint, agrees: "Security leaders rely heavily on certifications for entry level security roles as a high-level barometer of one’s level of knowledge in a particular area of expertise," she says.

Of course, certs aren’t everything. Far from it. "The totality of a person’s experience and eagerness to learn are equally critical," says Milică. Everette agrees: "What certificates don't clearly reflect is the candidate's ability to apply that knowledge to real-world applications. Having knowledge is one part, being able to apply the knowledge properly and effectively is a critical skill that certificates can’t always measure."

Still, both Everette and Milică cited several certifications that they felt reflected well on candidates, as did other IT pros we spoke with. We've highlighted here the six that our experts brought up most often. They can be broken down into two broad groups: three that might be useful at the beginning of a security analyst's career, and then three more that could help an analyst as they gain experience and climb the ladder or start specializing in a particular corner of infosec.

Top security analyst certifications

  1. Security+
  2. CySA+
  3. Certified Ethical Hacker (CEH)
  4. Certified in Risk and Information Systems Control (CRISC)
  5. Certified Information Systems Auditor (CISA)
  6. Certified Information Systems Security Professional (CISSP)

Security+
CompTIA's Security+ certification is, in CompTIA's opinion, "the first security certification a candidate should earn." It aims to establish a baseline of security skills, including the ability to understand specific attacks and to conduct operations and incident response. Candidates will also come away with some understanding of security architecture, design, and governance.

"For entry level candidates, I don’t expect to see a laundry list of certifications, but if an individual has a CompTIA certification like Security+, that’s a benefit," says Tim Bandos, CISO at Digital Guardian. "It demonstrates the candidate’s drive to want to learn the fundamentals of the industry."

There are no prerequisites for CompTIA Security+. However, CompTIA recommends that a candidate have at least two years of IT administration experience with a security focus before seeking certification. In addition, candidates may want to aim for the CompTIA Network+ certification before moving on to Security+, as networking basics are an important element of security knowledge.

Offered by: CompTIA
Prerequisites: None
Test format: 90 questions, including a combination of multiple-choice questions, drag and drop activities, and performance-based items, which test your ability to solve problems in a simulated environment
Cost: $370 for an exam voucher only; CompTIA sells bundles at higher prices that include study material
Official website: https://www.comptia.org/certifications/security

CySA+
If you want to be a security analyst, CompTIA's CySA+ wants very much to be your certification: the name itself is short for CyberSecurity Analyst, after all. If you're following CompTIA's track, CySA+ is the next logical step after Security+, and starts to go beyond the basics of infosec to get into the nitty gritty of the analyst's craft. As Keatron Evans, Principal Security Researcher at the Infosec Institute puts it, a CySA+ cert "helps security professionals know how to be an analyst."

The CySA+ exam features interactive performance-based questions meant to simulate real-world situations. Candidates should know how to leverage intelligence and threat detection techniques, identify vulnerabilities, and suggest preventative measures and strategies to respond to successful breaches. CompTIA recommends a minimum of three to four years of hands-on security or related experience before taking the exam.

Offered by: CompTIA
Prerequisites: None
Test format: 85 multiple choice and performance-based questions
Cost: $370 for an exam voucher only; CompTIA sells bundles at higher prices that include study material
Official website: https://www.comptia.org/certifications/cybersecurity-analyst

Certified Ethical Hacker (CEH)
The Certified Ethical Hacker certification is another early-career cert, but it has a very different flavor from the two CompTIA certifications we've discussed. Rather than focusing on the "defensive" side of things, the CEH exam covers offense—reconnaissance techniques, network and perimeter hacking, web application hacking, and more.

As the name of the certification implies, it's aimed at "ethical hackers"—a fancy name for folks otherwise called penetration testers or offensive security experts, who launch simulated attacks on clients or employers to probe defenses for weaknesses. This is a fun line of work to get into, but the EC-Council, the organization that offers the cert, includes analysts in its target audience. The Infosec Institute's Evans says that a CEH certification "helps security analysts know the enemy," and the knowledge of how to breach a network can certainly help you better understand how to defend it.

Offered by: EC-Council
Prerequisites: You must either have two years of infosec work experience or attend an official EC-Council training
Test format: 125 multiple choice questions
Cost: $100 application fee, plus $1,199 to take the exam
Official website: https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/

Certified in Risk and Information Systems Control (CRISC)
With CRISC, we enter a more specific realm of cybersecurity specialization. Proofpoint's Milică cites it as a certification that signals a candidate's serious interest in a more specific specialty—risk analysis and management, in this case. Candidates need to know how to balance the likelihood of a risk happening against the potential damage that would ensue if it does. Overall, the goal is to help understand an organization's tolerance for risk, categorize it, and quantify it.

As ISACA, the organization that offers the cert, puts it, you'll be aiming for a career where you "build a well-defined, agile risk-management program, based on best practices to identify, analyze, evaluate, assess, prioritize and respond to risks." This is an area of security analysis that offers a promotion path to the top of the org chart—but it's not for beginners, and you'll need some work experience in this specific field before you can be certified.

Offered by: ISACA
Prerequisites: Three years of cumulative work experience performing the tasks of a CRISC professional across at least two of the four CRISC subject domains
Test format: 150 multiple choice questions
Cost: $50 application fee, $575 (ISACA members)/$760 (non-members) exam fee
Official website: https://www.isaca.org/credentialing/crisc

Certified Information Systems Auditor (CISA)
If you're in the middle of your career path and are leaning towards the auditing side of the infosec world, CISA may be a promising certification for you. Security auditors use their analytic skills to assess internal auditing processes, IT governance, business resilience, and compliance. It's another career path that points upwards. "For candidates with five or more years of experience, I place value in seeing certifications like CISA," says Digital Guardian's Bandos. And in fact, five years of relevant industry experience is a hard requirement for getting this certification.

Offered by: ISACA
Prerequisites: A minimum of five years of professional information systems auditing, control, or security work experience
Test format: 150 multiple choice questions
Cost: $50 application fee, $575 (ISACA members)/$760 (non-members) exam fee
Official website: https://www.isaca.org/credentialing/cisa

Certified Information Systems Security Professional (CISSP)
If CRISC and CISA represent specialty certifications for the mid-career analyst, CISSP is a generalist cert, a logical progression from Security+ for someone who's been around for a while. And as you might imagine, it's in demand. "The certification I get questions about the most is the CISSP," says Bandos. "I do believe this certification is a hot one, given its reputation in the cybersecurity industry."

Advanced-level analysts interested in getting CISSP certified will need to know all the ins and outs of security and risk management, asset security, operations, security assessment and testing, and more.

Offered by: (ISC)2
Prerequisites: Five years of full-time work experience in two of the eight CISSP domains
Test format: An adaptive exam of 100 to 150 questions, including multiple choice and drag-and-drop
Cost: $749
Official website: https://www.isc2.org/Certifications/CISSP

Beyond cert smarts

Feeling overwhelmed, like you suddenly have a lot of homework to do? Maybe you're determined to get started earning these certifications and climbing the ladder. But remember what our experts said up front: certs only demonstrate one aspect of a potential candidate's readiness for a job. And some candidates may not need them at all.

"Some of the best, highest performing security practitioners we’ve hired have no professional certifications," says Matt Georgy, CTO at Redacted. "What is much more important is an aptitude for critical thinking, ability to multitask and prioritize, ability to learn and apply new skills, and a passionate, self-driven work ethic that includes continual curiosity and constant learning. With this, we can mold them into a force that no certification can match."

Copyright © 2021 IDG Communications, Inc.