As a facet of the broader IT industry certification process, cybersecurity certifications are an important step for people interested in advancing in an information security career and a guide for employers when they look to hire new employees or promote from within.
Cybersecurity certifications offer a variety of advantages for employees and businesses. Employers believe that IT certifications give workers an edge, according to a study by CompTIA. Not only is certification something that 91% of employers seek out during the hiring process, it’s also an indication of a candidate’s success. With certification, you can stand out in a competitive job market and open up more career opportunities.
Many, but not all, cybersecurity certifications require years of technology, business or undergraduate college experience as a prerequisite. While technical knowledge is important, especially for the more advanced certificates, in recent years the field has opened up to certifying and hiring people who don’t come with a traditional background in computer science or programming, says Casey Marks, chief product officer for the International Information System Security Certification Consortium, or ISC2, in Clearwater, Florida.
“You need people from legal. You need people from human factors. You just really need a lot of creative people to think the way criminals think, to protect ourselves in advance,” Marks says.
As a profession, cybersecurity consists of many different specializations, including penetration testing, cybercrime investigators, auditors and cybersecurity architects. Because there is no one single path, people can enter the field at many points. You can pursue cybersecurity immediately after college or high school, or shift from a different IT specialty into this field. You may move into cybersecurity with no previous experience after deciding it’s time for a career change. Regardless of your background, there are certifications designed to meet you where you are.
Cybersecurity certifications are provided by accredited organizations that follow and maintain a certain level of industry accepted standards. Certifications are valued because they are accepted by IT industry accrediting bodies and government agencies that set standards, such as the National Institute of Standards and Technology.
There are specific and general cybersecurity certifications. You can earn certification to perform a certain job, to work with a specific product or hold a job title. Broader certifications are relevant across jobs and industries and are usually designed to enhance a person’s existing career, such as programming or program management. Most certifications require regular updates, such as the Certified Information Systems Security Professional certificate, which must be renewed every three years by obtaining continuing professional education credits before the expiration date.
Getting certified can be expensive, although many employers pay for their employees’ certifications. The cost is often offset by the potential for promotion and better earnings.
As for difficulty level, certification exams range from moderate to challenging, depending on the material and type of certificate. For example, the highly technical Certified Ethical Hacker certification requires months of study and years of cybersecurity experience, while an entry-level certificate like Microsoft’s Technology Associate Security Fundamentals might only call for a good general knowledge of computing and how programs and computer networks operate.
Like the field itself, cybersecurity certifications cover a range of skills and topics. Here is a list of popular certifications ranging from entry level to the highly technical.
Microsoft Technology Associate Security Fundamentals
This is an entry-level cybersecurity certification geared toward high school and college students and people seeking to change careers. The MTA Security Fundamentals certification acknowledges that the recipient knows core security principles and the basics of operating system, software and network security.
This certification can be a step toward the Microsoft Certified Solutions Associate exams and certificate. If you’re interested in getting the MTA Security Fundamentals, Microsoft suggests first taking training courses to familiarize yourself with basic concepts as well as get experience with Windows Server, Windows-based networking and Active Directory. You should also have a working knowledge of anti-malware products, firewalls, network topologies and devices, as well as network ports.
Candidates must take a single exam, which costs $127, for the certification.
Preparing for the MTA Security Fundamentals Certification
The MTA Security Fundamentals Certification exam is 45 minutes long and varies between 40 and 60 questions. A passing score is 700 on a 1,000 point scale.
Online test preparation resources include:
One of the best-known entry level security certifications is CompTIA’s Security+. It is a generalist certificate, covering a range of security and information assurance subjects including network security, threats and vulnerabilities, access controls, cryptography, and risk management principles.
This certification also meets the U.S. Department of Defense Directive 8570.01-M requirements – important for anyone interested in working in IT security for the federal government – and complies with the Federal Information Security Modernization Act.
The Security+ certificate sets its recipients on the path to intermediate-level cybersecurity jobs such as security administrator, security specialist/analyst and network administrator. CompTIA recommends that candidates have two years of relevant experience with a security focus before taking the Security+ exam.
The certification exam costs $349.
Preparing for the Security+ Exam
The Security+ exam consists of up to 90 questions and is 90 minutes long. Grading is on a 100 to 900 point scale, with 750 as the passing score.
CompTIA offers online test preparation and study through its CertMaster Learn service. You choose how quickly you move through the lessons, which include videos. Prepare for the exam by completing questions that will indicate how you are performing.
Other online test preparations resources include:
- Udemy offers a practice exam package consisting of six 65-question practice exams, each timed at 60 minutes to help pace students for the exam, for $94.99.
- Pluralsight offers a learning path to help students prepare for the Security+ exam. If you take these courses, you’ll learn more about cybersecurity topics ranging from threats to risk management and cryptography. A Pluralsight subscription costs $299 per year.
- CompTIA Security+ Practice Tests is a book providing 1,000 practice questions across all of the test’s subject areas. It’s available from Amazon, priced at $24 for Kindle and about $30 for a hard copy.
Certified Information Systems Security Professional
The Certified Information Systems Security Professional certification is for security analysts who make up the majority of most organizations’ cybersecurity teams. Created by the ISC2, it is designed to teach cybersecurity professionals industry standards.
Although a popular certification, the CISSP isn’t for beginners because passing the exam requires extensive cybersecurity knowledge and field experience. It is intended for experienced cybersecurity administrators, managers and executives. One key benefit of the certification is that it’s vendor neutral, so you can get experience managing and launching security programs without being tied to a single product or platform.
The CISSP certification exam usually costs $699, but costs may vary depending on what entity is administering the test.
Because it is an advanced certification, test-takers need to have at least five years of full-time work experience in at least two of the following cybersecurity domains:
- Security and risk management
- Security engineering
- Identity and access management
- Asset security
- Security operations
- Communications and network security
- Software development security
- Security assessment and testing
Those without the work experience may be able to get a waiver from ISC2 if they have a relevant college degree or additional industry-approved credentials. Another option is to become an Associate of ISC2 and earn the CISSP after you meet the professional experience requirements.
Preparing for the CISSP Exam
The six-hour CISSP exam has 250 multiple choice and advanced questions. It is a difficult test, and to pass you have to score at least 700 out of 1,000 points.
ISC2 offers a study guide, available via Amazon. It costs $45.67 for a hard copy and $42 for the Kindle version.
Online test preparation resources include:
CISM: Certified Information Security Manager
The Certified Information Security Manager credential is designed for management-focused IT professionals. It is an advanced certification demonstrating that the recipient has the all-around knowledge and experience to manage security teams and enterprise level applications, or help develop an organization’s best practices for security operations.
Developed and introduced by the ISACA, formerly the Information Systems Audit and Control Association, a CISM certification costs $760. ISACA members can take the course for $575; an ISACA membership runs $130 per year.
This is an advanced level certification. Those interested in obtaining it must have a minimum of five years of information security experience, with at least three years of information security management experience in three or more of the following CISM areas:
- Information security management
- Information risk management and compliance
- Information security program development and management
- Information security incident management
The certification requires you to gain this experience 10 years or fewer before filing an application or five years after passing the exam. This means you don’t need to have all of the professional experience when you take the exam, but you must get it within the set time period to earn the certification.
The CISM certification costs $50 for the one-time application processing fee. Once achieved, the CISM certification requires regular upkeep, so you have to earn at least 120 hours of continuing professional education hours every three years, with a minimum of 20 hours per year.
Preparing for the CISM Certification Exam
The CISM exam is available in both online and in-person versions and consists of 200 multiple choice questions. Scores can range from 200 to 800, and 450 is the minimum passing score. Those who don’t pass the exam can retake it up to four times per year.
There are a number of online training courses and resources for CISM, including:
- ISACA offers a CISM Online Review Course consisting of 17 hours of instruction for $795 for ISACA members and $895 for nonmembers.
- Certified Information Security’s CISM course costs $666.60 and includes direct phone support with a designated mentor.
- Udemy offers several CISM courses for various prices.
EC-Council: Certified Ethical Hacker
To earn this certificate, you must take a course to learn the fundamentals of ethical hacking. During the course, you’ll learn how to evaluate vulnerabilities within organizations’ network and system infrastructures.
This certification is the first in a series of three courses designed to help security professionals master penetration testing.
The purpose of the CEH credential is to immerse students in the hacker mindset so you can better defend networks against cyberattacks. According to the EC-Council, the courses expose candidates to how hackers test organizations’ security. The course teaches five phases of ethical hacking: reconnaissance, gaining access, enumeration, maintaining access and hiding their presence from network security teams.
The CEH exam costs $1,199 and retakes cost $450.
Preparing for the CEH exam
Test-takers may need up to four hours to complete the CEH exam’s 125 multiple choice questions. This is considered one of the most challenging tests in the IT industry because of the depth of cybersecurity information that is covered. Ultimately, studying for this certification exposes you to everything you need to know to hack an organization so you can become a “white hat” hacker.
The EC-Council provides a free online CEH assessment consisting of 50 questions to give individuals a taste of the test and to gauge their qualifications before they commit. The EC-Council also has a comprehensive exam blueprint of the subjects it covers, how they are weighted and how many questions are devoted to each topic.
There are also a number of online training courses and resources, including:
Individuals without an undergraduate degree in cybersecurity or an IT-related field may want to consider one of U.S. News & World Report’s top 15 schools with undergraduate cybersecurity programs. See the full list of schools here.
|Carnegie Mellon University||Pittsburgh||1 (tie)||7,022|
|Georgia Institute of Technology||Atlanta||1 (tie)||15,964|
|University of California—Berkeley||Berkeley, California||3||31,780|
|Massachusetts Institute of Technology||Cambridge, Massachusetts||4||4,530|
|University of Illinois—Urbana-Champaign||Champaign, Illinois||5||34,120|
|Cornell University||Ithaca, New York||6 (tie)||15,043|
|Purdue University—West Lafayette||West Lafayette, Indiana||6 (tie)||33,646|
|Stanford University||Stanford, California||6 (tie)||6,696|
|University of California—San Diego||La Jolla, California||9 (tie)||30,794|
|University of Maryland—College Park||College Park, Maryland||9 (tie)||30,511|
|University of Michigan—Ann Arbor||Ann Arbor, Michigan||11||31,266|
|Columbia University||New York||12 (tie)||6,245|
|University of Washington||Seattle||12 (tie)||32,046|
|California Institute of Technology||Pasadena, California||14 (tie)||938|
|Northeastern University||Boston||14 (tie)||14,202|
When choosing a cybersecurity certification after college, or even without a college degree, you should figure out what best fits your career goals. Are you starting a cybersecurity career, seeking promotion, or enhancing existing skills?
Some certifications, like CompTIA’s Security+, require some knowledge and background, but no college education is necessary and experience in an IT work environment will suffice. Other certificates, like the Certified Information Security Manager, are more complex and are geared toward managerial and other high-ranking jobs. But a certificate can help augment someone’s job by allowing them to better communicate with cybersecurity staff, Marks says.
Certifications such as the EC-Council’s Certified Ethical Hacker can be expensive and time-consuming. Depending on an individual’s job and role, employers often pay for the certification. This goes beyond IT-related businesses and extends to retail and other jobs. Federal government agencies are major supporters of certifications, such as Security+, which is widely used across the U.S. Department of Defense, says James Stanger, CompTIA’s chief technology evangelist.
When possible, seek out industry-backed certifications and look for free or low-cost training courses, study guides and other educational material online. Once you feel confident that you can pass the exam, take the test.
A number of IT industry organizations offer cybersecurity certifications. These certificate providers offer a range of credentials, from entry level to highly specialized.
The Computing Technology Industry Association, or CompTIA, is a nonprofit IT industry trade association. Considered a major organization in the tech industry, it provides a variety of certification programs and research programs, and it sets industry standards.
Its cybersecurity certifications are:
- Cybersecurity Analyst, known as CySA+
- Advanced Security Practitioner, known as CASP+
- Penetration Testing, known as PenTest+
An international, nonprofit membership association for information security professionals, ISC2’s focus is on professional education and providing standardization and certification in the cybersecurity industry.
Its cybersecurity certifications include:
- Certified Information Systems Security Professional, known as CISSP
- Systems Security Certified Practitioner, known as SSCP
- Certified Cloud Security Professional, known as CCSP
- Certified Authorization Professional, known as CAP
The International Council of E-Commerce Consultants, or EC-Council, is the world’s largest cybersecurity technical certification body. It operates in 145 nations around the world and certifies individuals in a range of e-business and information security skills.
Its cybersecurity certifications include:
- Certified Ethical Hacker, known as CEH
- Computer Hacking Forensics Investigator, known as CHFI
- Certified Security Analyst, known as ECSA
ISACA is a global nonprofit organization focused on leadership, governance and advocacy. Its mission is to promote the benefits of technology, especially auditing.
Its cybersecurity certifications are:
- Certified Information Systems Auditor, known as CISA
- Certified in Risk and Information Systems Control, known as CRISC
- Certified Information Security Manager, known as CISM
- Certified in Governance of Enterprise IT, known as CGEIT
Global Information Assurance Certification
GIAC’s mission is to use certifications as a means of validating security professionals’ and developers’ skills to employers. When individuals earn GIAC certifications, employers know they have the training and knowledge to fulfill their roles.
Its cybersecurity certifications are:
- Information Security Fundamentals, known as GISF
- Security Essentials, known as GSEC
- Information Security Professional, known as GISP
- Certified Web Application Defender, known as GWEB
- Cloud Security Automation, known as GCSA
It’s not easy to measure the value of a cybersecurity certification because its impact ranges from helping you start a new job to advancing your career. The types of people getting certifications has also changed in recent years, Marks says. Previously, certificate candidates primarily came from traditional IT and security backgrounds. But now, people seeking certificates are increasingly coming from different fields, which indicates a growing interest in cybersecurity certifications and the perceived payoff a certificate delivers.
“It’s become enough for people to understand that you don’t need to be a newer network engineer to understand the principles of cybersecurity and to be a contributor on a team at entry level as you progress in your career path,” Marks says.
While certifications help establish a skills baseline, they represent more than just a means to get a job or a promotion, says Jonathan Katz, a professor at the University of Maryland who specializes in cryptography and cybersecurity.
“I think the idea of getting an education in cybersecurity, at whatever point in your career you’re at, is great and I would encourage that,” Katz says. “There’s a lot of resources for that, and whether you then go the next step and pay the money for the certification is kind of a secondary question. You can learn and advance yourself without necessarily going through the step of getting a certification.”
Cybersecurity Professionals Are in High Demand
One attraction of a cybersecurity career is the high demand for trained professionals.
Even during the COVID-19 pandemic, there continues to be a strong demand for cybersecurity jobs, Stanger says.
This growth is across the IT industry as people upskill for promotions or to meet the security demands of a homebound workforce.
“When it comes to cybersecurity, we’re seeing a lot of developers and even IT managers getting certified. And that doesn’t mean they’re getting real high-end certifications,” Stanger says.
Cybersecurity Certification Could Help You Land a Job
A cybersecurity certification is both a key and the icing on the cake for a resume. It helps provide a guide for employers, and it makes individuals stand out for promotions and new positions.
“Certification helps indicate that this person understands the process, which is really important for a security person,” Stanger says.
Besides helping you stand out to managers or prospective employers, certifications show that you are part of a larger professional community, which offers increased contacts and room for professional growth.
“Because they’re part of a larger community, that means you’re bringing somebody into your network environment that probably has other people they can reach out to and communicate with,” Stanger says. “So it’s somebody who has connections, but also has that fundamental understanding of the technology that’s so important to move forward.”