The security analyst is the backbone of a company's day-to-day IT security. Whether they're monitoring network infrastructure for breaches and intrusions as part of a security operations center, performing internal security audits, or analyzing past breaches to find the root causes of network vulnerability, they work to keep the company's infrastructure locked down tight.

If you're looking to get into this line of work, you may be wondering whether a professional certification can help you stand out from the crowd. And if you're looking to hire a security analyst, you may be wondering which certs are a good signal of a great candidate.

"As an experienced hiring manager, certificates are important to me, for they show a candidate's potential for retaining knowledge," says Chuck Everette, Director of Cybersecurity Advocacy at Deep Instinct. Lucia Milică, Global Resident CISO at Proofpoint, agrees: "Security leaders rely heavily on certifications for entry level security roles as a high-level barometer of one's level of knowledge in a particular area of expertise," she says.

Of course, certs aren't everything. Far from it. "The totality of a person's experience and eagerness to learn are equally critical," says Milică. Everette agrees: "What certificates don't clearly reflect is the candidate's ability to apply that knowledge to real-world applications. Having knowledge is one part; being able to apply the knowledge properly and effectively is a critical skill that certificates can't always measure."

Still, both Everette and Milică cited several certifications that they felt reflected well on candidates, as did other IT pros we spoke with. We've highlighted here the six that our experts brought up most often. They can be broken down into two broad groups: three that might be useful at the beginning of a security analyst's career, and three more that could help an analyst as they gain experience and climb the ladder or start specializing in a particular corner of infosec.

Top security analyst certifications

Security+
CySA+
Certified Ethical Hacker (CEH)
Certified in Risk and Information Systems Control (CRISC)
Certified Information Systems Auditor (CISA)
Certified Information Systems Security Professional (CISSP)

Security+

CompTIA's Security+ certification is, in CompTIA's opinion, "the first security certification a candidate should earn." It aims to establish a baseline of security skills, including the ability to understand specific attacks and to conduct operations and incident response. Candidates will also come away with some understanding of security architecture, design, and governance.

"For entry level candidates, I don't expect to see a laundry list of certifications, but if an individual has a CompTIA certification like Security+, that's a benefit," says Tim Bandos, CISO at Digital Guardian. "It demonstrates the candidate's drive to want to learn the fundamentals of the industry."

There are no prerequisites for CompTIA Security+. However, CompTIA recommends that a candidate have at least two years of IT administration experience with a security focus before seeking certification. In addition, candidates may want to aim for the CompTIA Network+ certification before moving on to Security+, as networking basics are an important element of security knowledge.

Offered by: CompTIA
Prerequisites: None
Test format: 90 questions, including a combination of multiple-choice questions, drag-and-drop activities, and performance-based items, which test your ability to solve problems in a simulated environment
Cost: $370 for an exam voucher only; CompTIA sells bundles at higher prices that include study material
Official website: https://www.comptia.org/certifications/security

CySA+

If you want to be a security analyst, CompTIA's CySA+ wants very much to be your certification: the name itself is short for CyberSecurity Analyst, after all. If you're following CompTIA's track, CySA+ is the next logical step after Security+, and it starts to go beyond the basics of infosec to get into the nitty-gritty of the analyst's craft. As Keatron Evans, Principal Security Researcher at the Infosec Institute, puts it, a CySA+ cert "helps security professionals know how to be an analyst."

The CySA+ exam features interactive performance-based questions meant to simulate real-world situations. Candidates should know how to leverage intelligence and threat detection techniques, identify vulnerabilities, and suggest preventative measures and strategies to respond to successful breaches. There is no formal prerequisite, but CompTIA recommends a minimum of three to four years of hands-on security or related experience before taking the exam.

Offered by: CompTIA
Prerequisites: None
Test format: 85 multiple-choice and performance-based questions
Cost: $370 for an exam voucher only; CompTIA sells bundles at higher prices that include study material
Official website: https://www.comptia.org/certifications/cybersecurity-analyst

Certified Ethical Hacker (CEH)

The Certified Ethical Hacker certification is another early-career cert, but it has a very different flavor from the two CompTIA certifications we've discussed. Rather than focusing on the defensive side of things, the CEH exam covers offense: reconnaissance techniques, network and perimeter hacking, web application hacking, and more.

As the name of the certification implies, it's aimed at "ethical hackers," a fancy name for the people otherwise called penetration testers or offensive security experts, who launch simulated attacks on clients or employers to probe defenses for weaknesses. That is a fun line of work in its own right, but the EC-Council, the organization that offers the cert, also includes analysts in its target audience. The Infosec Institute's Evans says that a CEH certification "helps security analysts know the enemy," and knowing how a network is breached can certainly help you understand how to defend it.

Offered by: EC-Council
Prerequisites: You must either have two years of infosec work experience or attend an official EC-Council training
Test format: 125 multiple-choice questions
Cost: $100 application fee, plus $1,199 to take the exam
Official website: https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/

Certified in Risk and Information Systems Control (CRISC)

With CRISC, we enter a more specific realm of cybersecurity specialization. Proofpoint's Milică cites it as a certification that signals a candidate's serious interest in a particular specialty, in this case risk analysis and management. Candidates need to know how to balance the likelihood of a risk materializing against the potential damage that would ensue if it does. Overall, the goal is to understand an organization's tolerance for risk and to categorize and quantify the risks it faces.

As ISACA, the organization that offers the cert, puts it, you'll be aiming for a career where you "build a well-defined, agile risk-management program, based on best practices to identify, analyze, evaluate, assess, prioritize and respond to risks." This is an area of security analysis that offers a promotion path to the top of the org chart, but it's not for beginners, and you'll need work experience in this specific field before you can be certified.

Offered by: ISACA
Prerequisites: Three years of cumulative work experience performing the tasks of a CRISC professional across at least two of the four CRISC subject domains
Test format: 150 multiple-choice questions
Cost: $50 application fee, $575 (ISACA members)/$760 (non-members) exam fee
Official website: https://www.isaca.org/credentialing/crisc

Certified Information Systems Auditor (CISA)

If you're in the middle of your career path and are leaning towards the auditing side of the infosec world, CISA may be a promising certification for you. Security auditors use their analytic skills to assess internal auditing processes, IT governance, business resilience, and compliance. It's another career path that points upwards. "For candidates with five or more years of experience, I place value in seeing certifications like CISA," says Digital Guardian's Bandos. And in fact, five years of relevant industry experience is a hard requirement for getting this certification.

Offered by: ISACA
Prerequisites: A minimum of five years of professional information systems auditing, control, or security work experience
Test format: 150 multiple-choice questions
Cost: $50 application fee, $575 (ISACA members)/$760 (non-members) exam fee
Official website: https://www.isaca.org/credentialing/cisa

Certified Information Systems Security Professional (CISSP)

If CRISC and CISA represent specialty certifications for the mid-career analyst, CISSP is a generalist cert, a logical progression from Security+ for someone who's been around for a while. And as you might imagine, it's in demand. "The certification I get questions about the most is the CISSP," says Bandos. "I do believe this certification is a hot one, given its reputation in the cybersecurity industry."

Advanced-level analysts interested in getting CISSP certified will need to know the ins and outs of security and risk management, asset security, security operations, security assessment and testing, and more.

Offered by: (ISC)²
Prerequisites: Five years of full-time work experience in two of the eight CISSP domains
Test format: An adaptive exam of 100 to 150 questions, including multiple-choice and drag-and-drop items
Cost: $749
Official website: https://www.isc2.org/Certifications/CISSP

Beyond cert smarts

Feeling overwhelmed, like you suddenly have a lot of homework to do? Maybe you're determined to get started earning these certifications and climbing the ladder. But remember what our experts said up front: certs only demonstrate one aspect of a potential candidate's readiness for a job. And some candidates may not need them at all.

"Some of the best, highest performing security practitioners we've hired have no professional certifications," says Matt Georgy, CTO at Redacted. "What is much more important is an aptitude for critical thinking, ability to multitask and prioritize, ability to learn and apply new skills, and a passionate, self-driven work ethic that includes continual curiosity and constant learning. With this, we can mold them into a force that no certification can match."