• United States




Top cyber security certifications: Who they’re for, what they cost, and which you need

Aug 01, 201916 mins

Expand your skills, know-how, and career horizons with these highly respected cybersecurity certs

Columns of checkmarks and stars.
Credit: KTSimage / Getty Images

Two of the most common questions I’m asked are, “Is having a computer security certification helpful in getting a job or starting a career in computer security?” and, “Which certification should someone get?” The answer to the first question is a definite yes. Getting a certification, while not a cumulative showing of your entire experience and knowledge in a particular area, can only help you. That’s true not only in getting a new job, but in improving your knowledge and experience overall, even in your current job.

Critics often say a certification means nothing, and that acumen and experience are the only true differentiators. As a holder of dozens of IT certifications, I beg to differ. More importantly, most employers agree with me. While a computer certification doesn’t tell the whole story, to say it doesn’t say anything about a person is an error.

Every certification I’ve gained took focused, goal-oriented study, which employers view favorably, as they do with college degrees. More important, I picked up many new skills and insights into IT security while studying for each certification test. I learned about new things, and I also gained new perspectives on subjects I thought I had already mastered. I became a better employee and thinker because of all the certifications I have studied for and obtained. You will too.

Sometimes, a particular certification is the minimum hurdle to getting an in-person job interview. If you don’t have the cert, you don’t get invited. Other times, having a particular certification can give you a leg up on competing job candidates who have similar skill sets and experience, but don’t have the desired certification.

Security is more important to computing and the internet than ever before, and the following, well-respected security certs will not only help you stand out from the crowd, but also make you a more valuable member of the IT security community.

IT security certifications

Here is a summary of some of the most desired IT security certifications.

Certified Information Systems Security Professional (CISSP), (ISC)2

The International Information Systems Security Certifications Consortium’s (ISC2) Certified Information Systems Security Professional (CISSP) certification is the most coveted and accepted computer security certification around. This general computer security knowledge certification exam covers eight Common Body of Knowledge (CBK) domains, including access control, operations security and cryptography.

The test used to consist of 250 multiple-choice questions that had to be answered in under six hours, but since December 2017, it now uses adaptive testing, which reduces the number of questions and time to take to a maximum of three hours. Candidates must already have four to five years of professional experience in two or more of the CBK domains, and they must be endorsed by a current CISSP certificate holder. Those who pass the certification must also sign and agree to follow a set of ethics, and each certification holder must periodically resubmit proof of continuing education, along with a fee, to keep the CISSP designation. Initial exam cost is $699.

I used to be an unofficial CISSP exam instructor and have taught hundreds of students how to take and pass the exam. In my experience, candidates should buy at least two CISSP exam prep books and take at least 1,000 practice questions. Every student I had who followed this advice passed on the first attempt. If you don’t have the requisite five years of experience, even if you pass the CISSP exam, you’ll only be able to call yourself an (ISC)2 Professional and not a CISSP. If you don’t think you’ll ever have the five years’ experience, consider taking one of (ISC)2’s easier, cheaper exams (you’ll get the same title), or simply another exam from another testing vendor.

I haven’t always been a big fan of the CISSP test questions themselves. Back when I took and passed the exam, test questions weren’t always well edited or even technically correct. When I contacted (ISC)2 to complain, I was told these were most likely “beta” test questions that didn’t count toward scoring. Furthermore, no matter how much you studied or how many practice questions you answered, a large part of the exam would seem unfamiliar. Back in the day, most CISSP test takers would walk out of the exam not knowing how they did.

Although I hear the overall quality of the test questions is now better, test takers still feel they don’t know how they did until they are scored, but they find out immediately how they did. Despite those significant criticisms, there isn’t a more respected security certification. Customers rarely ask what certifications I have, but if they do, they are almost always waiting to hear me say CISSP because the person asking usually has their CISSP. It’s a good club to be in.

Truth be told, you’ll be a lot better computer security person having studied for and taken the exam. It covers a wide range of computer security topics and if someone starts talking about the “CIA triad,” you’ll know what they are talking about. (ISC)2 has at least seven other certification exams, all of which are well respected.

Note: Keep up with your continuing education requirements. If you miss out on the CISSP continuing education requirements, you may be required to re-sit the exam and pay the same fee as a first-time test taker.

SysAdmin, Networking, and Security (SANS) Institute

The SysAdmin, Networking, and Security Institute (SANS) organization and website is a great resource for security pros. Training, research, education, books, certifications — SANS does a lot and does it well. If you’re interested in being a respected technical expert, SANS offers the certs for you. It even offers at least one master-level accredited degree under the brand of the SANS Technology Institute, if you want the pinnacle technical achievement of our field.

SANS has a host of certifications, ranging from very niche security topics — malware analysis, firewalls, host security, security controls, and so on — to its hugely respected Global Information Assurance Certification (GIAC) Security Expert designation. I don’t think I’ve ever taken a SANS course that didn’t teach me more in a few hours than in weeks spent in classes offered by other training vendors, and I’ve yet to meet a GIAC holder that didn’t impress me.

GIAC offers over 30 certifications classified in one of five subject areas: security administration, forensics, management, auditing and software security. Most exams are open book (but not open internet) and have a time limit of two to five hours. The candidate must complete the certification within four months of attempting the exam. Unfortunately, according to the GIAC exam guide, some tests could include “unscored” test questions like the CISSP. My guess is there will be fewer beta test questions and what they have is better proctored. SANS exams may include simulated (but limited) real-world practical environments to show that the candidate really does understand the subject and know how to apply in real life.

Some of SANS’s most popular GIAC exams are GIAC Information Security Professional, GIAC Certified Incident Handler, and GIAC Reverse Engineering Malware, but it offers courses that run the gamut, including Windows, web servers, penetration testing, Unix security, wireless networking, programming, leadership and program management. GIAC testing is meant to be taken after attending SANS training, which usually lasts a week, but you can challenge (not take the official training) the exam for $1,899. All GIAC certification exams must be renewed every four years. If you want to learn a lot about computer security, how hackers hack, and how malware is made, start your SANS courseware now. The GIAC certifications are coveted, but expensive. Most students have their fees paid by their company.

Certified Ethical Hacker (CEH), the EC-Council

The EC-Council’s Certified Ethical Hacker (CEH) certification is well-respected way to learn how to be a white-hat hacker (or professional penetration tester). The CEH introduced me to some interesting hacking tools that I still use today. The four-hour exam includes 125 multiple-choice questions. The application eligibility fee is $100 and the example fee is $950 to $1199. CEH requires two years of relevant experience and official training exam costs $850.

You will sometimes hear long-time computer security professionals talking down about the CEH certification. I think that is from earlier versions when CEH was one of the first computer certifications for penetration testing, back when computer security exams, in general, were new and easier to pass. Today, the CEH holds its own for general toughness, and the EC-Council offers a number of other useful exams, including Computer Hacking Forensic Investigator, Licensed Penetration Tester, Certified Incident Handler, and Certified Disaster Recovery Professional. It even has an exam for a Chief Information Security Officer.

Offensive Security Certified Professional (OSCP)

If your hacking love is penetration testing and you don’t want to take the easy route, the Offensive Security Certified Professional (OSCP) course and certification has gained a well-earned reputation for toughness with a very hands-on learning structure and exam. The official online, self-paced $800 training course is called Penetration Testing with Kali Linux and includes 30 days of lab access. Because it relies on Kali Linux (the successor to pen testers’ previous favorite Linux distro, BackTrack), participants need a basic understanding of how to use Linux, bash shells and scripts.

The OSCP is known for pushing its students and exam takers harder than other pen-testing paths. For example, the OSCP course teaches, and the exam requires, the ability to obtain, modify and use publicly obtained exploit code. For the “exam,” the participant is given instructions to remotely attach to a virtual environment where they are expected to compromise multiple operating systems and devices within 24 hours and thoroughly document how they did it.

Offensive Security offers more advanced pen testing courses and exams including web, wireless, and advanced Windows exploitation. Readers might want to take advantage of their free (or for a donation), online basic Metasploit tool course .

Security+, CompTIA

CompTIA offers entry-level, comprehensive certification exams in PC repair (A+), networking (Network+), and security (Security+). Because a CompTIA exam is often the first test taken by many people new to the computer industry, it unfortunately has the reputation for being too basic a certification.

In my opinion, and by the standards of many employers, this is not true. The exams might not be as respected as other certification leaders, but they are comprehensive, and you must study hard to pass. CompTIA Security+ certification covers network security, cryptography, identity management, compliance, operation security, threats, and host security, among other topics. You get 90 minutes to complete 90 questions. I took the Security+ exam a long time ago, but it was tougher than expected for an exam that covers the basics. It even includes some simulated environments where the test taker has to select the right options. Price is $399.

CompTIA offers a new cybersecurity exam known as the CompTIA Advanced Security Practitioner (CASP+) exam. As it might sound, it covers more advanced cybersecurity topics, including how to implement more complex solutions, over 90 questions over 165 minutes. The extended time over the Security+ tells you about the type of questions you will get. The CASP+ exam costs $439.


ISACA, formerly known by its full name, Information Systems Audit and Control Association, offers a range of respected certifications focusing mainly on auditing, management and compliance. Its major certifications include the following: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), and Certified in Risk and Information Systems Control (CRISC).

While the titles might not blow you away with excitement, it’s precisely their professional staidness that sells the value of these certifications. If you are interested in computer systems auditing or computer security management, these are the certifications to get. ISACA exams are frequently earned by top moneymakers.

One of the first and hardest exams I ever took and passed was a state-level Certified Public Accountant (CPA) exam, which has nothing to do with computer security, of course. The type and structure of the ISACA exam questions remind me the CPA exam. I’ve earned both the CISA and CISM, and I have found both to be good tests of security knowledge. Exam fees are $575 to $760, and they require five years of relevant experience for you to be eligible to take the tests. Buying a preparation book and taking a few hundred practice test questions, on top of your experience, should be all you need to earn these certs.


Internationally, the not-for-profit CREST information assurance accreditation and certification body’s courses and exams are commonly accepted in many countries, including the United Kingdom, Australia, Europe and Asia. CREST’s mission is to educate and certify quality computer security professionals. All CREST-approved exams have been reviewed and approved by the UK’s Government Communication Headquarters (GCHQ), which is analogous to the United States’ NSA.

CREST’s basic information security exam is known as the CREST Practitioner Security Analyst (CPSA) and there is a pen testing exam called the CREST Registered Tester (or CRT). Exams and costs vary by country, but in Australia, for example, the CRT exam cost $1,000 AU.

Vendor-specific certifications

Many vendors, such as Microsoft and Cisco, offer security-specific exams that are worth pursuing. Years ago, Microsoft had several security-specialist exams, such as MCSE: Security. Security has become a general concern for all platforms and technologies, and for years Microsoft has put more and more security questions and testing into all its exams.

However, there are still a few security-specific Microsoft exams, including the $165 Securing Windows Server 2016 exam. As can be expected, the certification focuses on the new security features in Microsoft Windows Server 2016, but goes far beyond just technically securing a server product. It covers red/green forest design, Just-in-Time Admin, Just Enough Admin, and Microsoft’s latest security technologies such as Advance Threat Analytics (ATA). Microsoft security techs might also want to take Microsoft’s Security Fundamentals test for $127.

Cisco’s certifications have always had industry pedigree and are considered tough to pass. The Cisco Certified Internetwork Expert (CCIE) certification is considered the hardest exam to pass in the industry. According to Cisco, less than 3% of CCIE exam students will obtain the certification, even after paying thousands of dollars, creating home labs, and spending an average of 18 months studying for it.

Cisco’s Certified Network Associate (CCNA) Security certificate is easier to obtain and still very well respected. You must first hold another valid Cisco certification to take the CCNA Security exam. After you have your CCNA Security (or any passed CCIE certification), you can take the Cisco Certified Network Professional (CCNP) Security.

The CCIE-Security is the mac-daddy Cisco security exam. It consists of a two-hour written exam (which must be passed first), then an eight-hour lab portion. All Cisco certification exams are hard, but if you get your CCIE Security, you’ll be able to earn a very good living almost anywhere in the world.

Apple doesn’t appear to a have a security-specific exam, but its traditional MacOS exams include some security components.

Red Hat and other Linux security certs

Red Hat offers dozens of certification exams, and like other major vendors, it offers at least one security specialty exam: Red Hat Certificate of Expertise in Server Security and Hardening. Besides normal Linux server-hardening information, successful candidates must be prepared to handle Common Vulnerabilities and Exposure (CVE) and Red Hat Security Advisory Reports. The price is $600.

The Linux Professional Institute (LPI) offers a vendor-neutral Linux security exam (LPIC-3 303) that covers a host of security topics. Candidates must have successfully passed four other lower-level LPI exams to qualify for the LPIC-3 303, although take exams in different order combinations. LPI Level 3 exams, which LPIC-3 303 is, costs $299.99 to take. SANS also offers a GIAC Unix security certification that applies to Linux.

Which certifications to pursue first

I’m a big believer in taking what you know the best first. Use your first exam and certification to get back into good study habits, and once you pass it, build confidence. If you fail, identify your weaknesses and get back on the horse. I once taught a guy who failed the same test two dozen times over the course of a year. He kept coming back and eventually eked out a passing score. I’ll hire a honey badger any day of the week.

If your experience qualifies you for taking the CISSP, that would be a great certification to start with. The breath of the exam (not the depth of material) is what makes the CISSP challenging. Most people who take the exam pass it, and once you’ve earned the certification you can be prepared to share your success with anyone who asks.

If you want to acquire new technical skills, start with the SANS GIAC, CEH or OCSP. People already in auditing or management or those interested in doing so should consider the ISACA exams. Compliance folks should look to SANS and ISACA. Proof of expertise in a vendor’s suite of products can quickly be shared when you have that vendor’s own certification.

I’m also a big believer in taking as many certification exams as you can while you can. It’s easier to study and pass certification exams when you’re in “study mode,” so once you get in that mindset, keep going and try to pass a few exams successively. Many times, people who decide to take a break from pursuing certifications after passing one or two never go back.

I would be proud to have any of the computer security certifications on this list. Each one will broaden your security knowledge and make you a better computer security professional. Each of these certification entities have broadened to become a complete community of like-minded individuals. You’ll not only get help understanding computer security knowledge, but a discussion list where you can ask questions about any difficult subject or scenario and get help. I’ve made online friendships that have lasted decades, and even though I haven’t met them in person, I feel like they really are my mentors and friends. Certifications and the online ecosystems they spawn can only help you and your career.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.

More from this author