
The more you know, the more you grow. The Edge takes a fresh look at leading security certifications that can help advance your career.

Steve Zurier, Contributing Writer, Dark Reading

June 18, 2021


(Image: Brownfalcon via Adobe Stock)

Are security certifications worth the money? Which ones are really needed to enter and advance in the field? If we had a dime for every time we've heard those questions …

As to the first question, yes, says Candy Alexander, CISO and security practice lead at NeuEon who also is on the board of the Information Systems Security Association (ISSA).  

"Certifications work," she says. "I know people who are hiring managers and they will first hire people with certifications."

Tom Eston, practice director for application security at Bishop Fox, and a hiring manager, agrees. If 100 resumes for an entry-level job come in and 25 of them have CompTIA's Security+ certification, those 25 go into a group of people he will consider.

"For someone more junior, I like to know how passionate they are about learning," he says. "I'll ask them what they do in their off-time. Do they have a lab at home? What kind of drive and passion do they have for the field?"

What follows are short writeups of the leading certifications to give readers a sense of how best to allocate their time and money, especially since many companies tend not to pay for certifications as much today. And if you're still feeling overwhelmed at the end, Alexander suggests seeking out a mentor who can help you sort out a path.  

Offensive Security Certified Professional (OSCP)

Organization: Offensive Security

Exam price: $999 for the PEN-200 course, 30 days of lab access, and the OSCP exam fee (fees go up with increased lab access)

Basics: Considered a coveted certification for pen testers, the OSCP is earned by passing the exam that follows PEN-200, Offensive Security's foundational penetration testing course. Students learn the latest pen-testing tools and techniques and practice them in a virtual lab that includes recently retired OSCP exam machines.

Certified Authorization Professional (CAP)

Organization: (ISC)²

Exam price: $599

Basics: To qualify for the CAP, a candidate must have a minimum of two years of cumulative paid work experience in one or more of the CAP's seven domains. Valid experience includes information systems security-related work performed in pursuit of information system authorization, or work that requires security risk management knowledge and the direct application of that knowledge. A candidate who doesn't have the required experience to become a CAP may become an Associate of (ISC)² by successfully passing the CAP examination. The associate will then have three years to earn the two years of required experience. Part-time work and internships may also count toward experience.

Certified Secure Software Lifecycle Professional (CSSLP)

Organization: (ISC)²

Exam price: $599

Basics: This certification targets developers who want to learn more about building security into their organizations' products. A candidate must have a minimum of four years of cumulative paid software development life cycle (SDLC) professional work experience in one or more of the CSSLP's eight domains, or three years of cumulative paid SDLC professional work experience in one or more of the CSSLP's eight domains plus a four-year bachelor's degree or regional equivalent in computer science, information technology, or a related field. Those who don't have the required experience to become a CSSLP may become an Associate of (ISC)² by successfully passing the CSSLP examination. The associate will then have five years to earn the four years of required experience. Part-time work and internships may also count toward experience.

Certified Cloud Security Professional (CCSP)

Organization: (ISC)²

Exam price: $599

Basics: Candidates must have a minimum of five years of cumulative paid work experience in information technology, including three years in information security and one year in one or more of the CCSP's six domains. Candidates can substitute one year of experience by earning the Cloud Security Alliance's CCSK certificate, and can satisfy the entire CCSP experience requirement by holding (ISC)²'s CISSP credential. A candidate who doesn't have the required experience to become a CCSP may become an Associate of (ISC)² by successfully passing the CCSP examination. The associate will then have six years to earn the five years of required experience. Part-time work and internships may also count toward experience.

GIAC Security Essentials (GSEC)

Organization: GIAC/SANS

Exam price: $2,499

Basics: Covers at least 31 critical areas of security, from access control and password management to cryptography, endpoint security, incident response, and Linux security. Geared for anyone new to information security who has some background in information systems and networking. Also good for security professionals, operations personnel, IT engineers and supervisors, forensic analysts, penetration testers, and auditors.

Certified in Risk and Information Systems Control (CRISC)

Organization: ISACA

Exam price: $575 members, $760 non-members, plus a $50 application fee when applying for certification

Basics: Certification holders demonstrate expertise in identifying and managing enterprise IT risk and in implementing and maintaining information systems controls. Also good for accountants and auditors looking to learn more about security. Typical career paths for certification holders include risk and security manager, IS or business analyst, information control manager, and compliance officer.

Certified Information Systems Auditor (CISA)

Organization: ISACA

Exam price: $575 members, $760 non-members, plus a $50 application fee when applying for certification

Basics: Considered a strong standard of achievement for those who audit, control, monitor, and assess an organization's information technology and business systems. Typical career paths for certification holders include auditor, compliance analyst/program manager, risk analyst/program manager, data protection manager, security officer/security manager, and IT consultant.  

CompTIA Security+

Organization: CompTIA

Exam price: $349

Basics: Viewed as the entry-level certification for beginners, the Security+ exam certifies that the student has the knowledge and skills required to assess the security posture of an enterprise environment, recommend and implement appropriate security solutions, monitor and secure hybrid environments, operate with an awareness of applicable governance laws and policies, and identify, analyze, and respond to ongoing security events and incidents. Potential job opportunities include security administrator, systems administrator, helpdesk manager, and security analyst.

"Getting a Security+ certification shows your commitment to the security profession," says NeuEon's Alexander. "It's your initiation to the field."

Certified Information Security Manager (CISM)

Organization: ISACA

Exam price: $575 members, $760 non-members, plus a $50 application fee when applying for certification

Basics: The CISM certification indicates expertise in information security governance, program development and management, incident management, and risk management. Career paths include IT architect, security analyst, data security manager, security and compliance director, vice president, information security, and CIO/CISO/CTO.

Certified Information Systems Security Professional (CISSP)

Organization: (ISC)²

Exam price: $749

Basics: Industry professionals seek this certification to advance their careers by a margin of more than two-to-one. CISSPs often go on to become CISOs, but they can also use this background to evolve in a more hands-on, technical direction. Candidates must have a minimum of five years of cumulative paid work experience in two or more of the CISSP's eight domains. A four-year college degree or regional equivalent, or an additional credential from the (ISC)² approved list, satisfies one year of the required work experience. A candidate who doesn't have the required experience to become a CISSP may become an Associate of (ISC)² by successfully passing the CISSP examination. The associate will then have six years to earn the five years of required experience.

"Overall, I like the CISSP because it's a 30,000-foot view of security and lets people then choose if they want a managerial or technical track," says Bishop Fox's Eston. "Plus they can become an ISC2 associate and work toward the CISSP."  

Health Care Information Security and Privacy Practitioner (HCISPP)

Organization: (ISC)²

Exam price: $749

Basics: Aimed at practitioners focused on the healthcare sector. Candidates must have a minimum of two years of cumulative paid work experience in one or more of the HCISPP's knowledge areas, which include security, compliance, and privacy. Candidates can substitute legal experience for compliance and information management experience for privacy. One of the two years of experience must be in the healthcare industry. A candidate who doesn't have the required experience to become an HCISPP may become an Associate of (ISC)² by successfully passing the HCISPP examination. The associate will then have three years to earn the two years of required experience. Part-time work and internships may also count toward experience.

Certified Ethical Hacker (CEH)

Organization: EC-Council

Exam price: $950

Basics: Some experts say those looking to become pen testers should start with the CEH certification. Students learn the latest commercial-grade hacking tools, techniques, and methodologies used by hackers and information security professionals to lawfully hack an organization. For those interested in government contracting, CEH maps to the NIST NICE 2.0 framework's specialty areas: protect and defend (PR), analyze (AN), and securely provision (SP). Students can try 24 hacking challenges spread across four complexity levels.

About the Author(s)

Steve Zurier

Contributing Writer, Dark Reading

Steve Zurier has more than 30 years of journalism and publishing experience and has covered networking, security, and IT as a writer and editor since 1992. Steve is based in Columbia, Md.
