Utility Of Cyber Security Certifications

The cyber security space is entangled in a long-term battle to retain talent – that means cultivating that talent early on and keeping key individuals in security roles within the enterprise. While some industry outlooks suggest perhaps millions of unfilled cyber security jobs in the coming years, more and more enterprises are hiring security professionals who have both practical experience and relevant certifications.

Here, Cyber Security Hub explores the landscape of these certifications and taps into the expertise of executives in the field to determine which are most useful. 

The Cyber Security Certifications Landscape

Security-related jobs cover a wide array of possibilities, and so too do the certifications that help potential employers determine fit and expertise for their various open roles. So, where should cyber security professionals (or aspiring professionals) start? Although just a small sampling and very brief description, here are some of the more common certifications that remain at the top of Google’s search list:

• CompTIA Security+: Requiring a minimum of two years experience in IT and network security, this is considered to be a core, entry-level certification that can act as a springboard for IT professionals looking for intermediate jobs.
  
  
• Certified Ethical Hacker: Requiring a five day EC Council approved training course or at least two years InfoSec experience, CEH is considered a must-have for a career in penetration testing or ethical hacking.
  
  
• Certified Information Systems Auditor (CISA): Requiring five years of work experience in the field, this certification is for those looking for information systems auditing, control and security positions.
  
  
• Certified Information Security Manager (CISM): Requiring five years in cyber security and three years in security management, this high-level credential is typically taken by those looking to work in the security or risk management sector.
  
  
• Certified Information Systems Security Professional (CISSP): Requiring at least five years of recent full-time work experience, in two or more of the eight domains of the CISSP common body of knowledge, CISSP is a high-level certification for those working in network security.
  
  
• GSEC: Practical experience is recommended, but no specific training is required making this entry-level certification proof that professionals have basic understanding of information security tech and concepts.

While this certainly is not an all-encompassing list, one thing is for certain: there is no shortage of certifications. Rather than just pull together a list of certifications by searching online, we also went to Andrew Aken, PhD, Senior Cyber Security Consultant for DocDrew, LLC — to examine certifications by looking at [more tangible] data. Aken is an established IT professional with 15+ years of executive leadership and consulting experience across multiple industries including oil/gas, telecommunications, IT, Department of Defense, transportation, and education.   

Since 2007, Aken has been scraping job ads looking for Computer Science, Management Information Systems, and Information Technology graduates. He then extracts the skills and certifications listed in the job ads (as well as other data) for subsequent analysis.

In the web content data mining application which has collected over 4.6 million job ads looking for CS, IT, or MIS graduates, the following certifications are the top 25 mentioned most frequently (frequencies are based upon the number of ads which mentioned any certifications):

What Certifications Are Most Useful?

In analyzing the data in the certifications table above, Aken observes, “For cyber security jobs specifically, the following certifications are the most useful for being considered for any position (based upon the frequency in which they are mentioned in the job ads): CISSP, CISA, PMP, CISM, Security+, GIAC, CEH, GSEC, CCSP, SSCP, and GCIH (in that order).”

However, according to Dr. Luis O. Noguerol, “All are equally useful, depending on the needs and the context.” Dr. Noguerol is the Information System Security Officer at the US Department of Commerce, NOAA Southeast Fisheries Center; and President & CEO of Advanced Division of Informatics and Technology, Inc. (ADITusa, Inc.).

He has over 33 years of experience in Information Security/Information Technology, including a very strong academic background, which comes from his enthusiasm about new technologies and their integration in our daily lives. “In my personal case, and after owning 78 IT certifications, I respect each subject alike. Minimizing or maximizing a particular certification is not of much help, but understanding the differences in between, from the technical point of view, is certainly a necessity,” he explains.

Cyber Security Hub Advisory Board member and CISO and Director of the Office of Cyber Security, University of Wisconsin-Madison, Bob Turner, adds, “CISSP or CISM are essential for mid-and senior-level professionals. GCIH, GCFA or GPEN for incident responders or CCSP for cloud-focused architects, and HCISPP for those working in or around healthcare, are others I would recommend.”

Turner leads the development and delivery of a comprehensive information security and privacy program at the University of Wisconsin-Madison. His team provides a full scope of information and cyber security services including risk management and compliance, a full service security operations center and security tools support, cyber intelligence analysis, security awareness, and information technology policy.

Aken, Noguerol and Turner come from various backgrounds and perspectives, all with a very different take on the role of certifications within the industry. In next week's roundtable interview, we dive into the details to see if there is truly a standard industry practice when it comes to cyber security certification in the hiring process.

See Related: "Utility Of Cyber Security Certifications Part 2: A Roundtable Discussion"