The benefit to professionals of gaining industry certifications is huge. A certification can boost your knowledge of a subject, improve your confidence in your role and your standing within a team, and potentially give you a sizeable salary bump.
So what is the best Cybersecurity certification to get?
There is no one size fits all answer to this. The certification which will benefit you the most will depend on your area of specialism and your interests. To help we’ve put together a summary of the most widely recognised security certifications below.
Certified Information Systems Security Professional (CISSP)
The chances are if you work in security or have any involvement in hiring security professionals then you’ll have heard of the CISSP as it is one of the most widely recognised certifications on the market. It is awarded by the International Information System Security Certification Consortium, or (ISC)² and is well known for being a standard of excellence in the security industry. Many senior positions request it from candidates as it provides proof that individuals have a broad and well-rounded ability to design, implement, and manage a cybersecurity program. We recommend it to anyone who intends to hold a management position within the security industry, or candidates who have a solid foundation knowledge and want to test themselves in multiple areas.
Unfortunately, it is not as simple as gaining the CISSP to jump ahead in the industry and secure a senior position early on! All candidates are required to hold a minimum of 5 years' industry experience in at least two of the eight CISSP Common Body of Knowledge areas. This can be reduced by one year by holding a 4-year degree or another certification on the (ISC)² approved list.
The CISSP exam costs $699 directly from (ISC)², and online training material can be purchased for $2,795. There are also a wide range of third parties who offer classroom and online courses depending on the level of training you require. There is an annual upkeep fee of $85 and holders must earn 120 CPE credits per three-year period.
Certified Information Security Manager (CISM)
The CISM is another highly regarded certification for professionals who want to signify competency in information and security governance, information risk management, security program development and management, and security incident management. Awarded by ISACA, the CISM is world-renowned, and organisations rely on it heavily when hiring candidates with the knowledge and ability to handle enterprise level security management responsibilities.
Similarly to the CISSP, it requires a minimum of 5 years' experience in the field, but it can open doors to senior, high-paying security positions. Candidates looking to pursue roles such as Information Security Manager, CISO, Head of Information Security or Security Architect would benefit from achieving the CISM.
ISACA charges $575 for members ($760 for non-members) for the exam consisting of 150 questions. The certification is valid for three years, during which you’re required to obtain 120 CPE credits.
CompTIA Security+
The Security+ from CompTIA is the perfect certification for any aspiring Cybersecurity professional. It is particularly useful for people already working in the IT field who want to transition into security. Many companies even put their IT teams through the training to give them a solid base understanding of threats and how to mitigate them. The Security+ teaches the fundamentals and gives a strong platform of knowledge covering threats and vulnerabilities, architecture and design, security implementation, operations and incident response, and GRC.
The exam costs $370 and you can purchase training material directly from CompTIA to help prepare. The Complete bundle costs $1,049 and includes all their labs and training, a practice exam, the exam itself plus one retake.
CompTIA offer a whole range of other courses to develop your skills in other areas like penetration testing, security monitoring, infrastructure, and cloud computing.
Offensive Security Certified Professional (OSCP)
The OSCP commands respect. It is a 24-hour exam (plus 24 hours for reporting) and many offensive security professionals aspire to hold it. The exam simulates a live network over a private VPN, containing several virtual machines to exploit. It is a tough exam designed to assess a wide variety of hacking skills; many candidates take more than one attempt to pass but become significantly better penetration testers along the way. The PEN-200 is a self-paced online training course that teaches the skills and mindset required to successfully sit the OSCP exam. Following a recent update, the course allows you to work on five retired exam machines to really hone your skills and prepare for the real thing.
There are a few different pricing models available depending on how much training you need. They range from $999 for 30 days' lab access and the exam to $2148 for a whole year's lab access and two exam attempts.
We only advise experienced penetration testers to attempt the OSCP. If you are early on in your ethical hacking career, then taking the CompTIA PenTest+ or the Certified Ethical Hacker (CEH) would be much more suitable options.
For advanced candidates who want to test themselves even further, Offensive Security offer a range of other certifications. These include the Offensive Security Wireless Professional (OSWP), Offensive Security Experienced Penetration Tester (OSEP), Offensive Security Web Expert (OSWE), and the Offensive Security Exploitation Expert (OSEE).
Certified Cloud Security Professional (CCSP)
Now more than ever companies are looking for IT and security professionals who have a solid understanding of cloud computing. The CCSP is a great way to demonstrate you have this highly sought-after knowledge. It was developed by (ISC)² in conjunction with the Cloud Security Alliance (CSA). The CCSP shows that candidates have the skills required to design, manage and secure data, applications and infrastructure in the cloud using best practices, policies and procedures. Any mid to senior level professional who wants to increase their value to an organisation would benefit from having this certification.
There is a requirement to hold a minimum of 5 years' relevant experience to sit the exam, although this can be waived for professionals who already hold the CISSP. The exam costs $599 and, like other certifications, there are lots of third parties who provide online and classroom training.
SANS Institute
Although not a stand-alone certification, it would be hard not to include SANS on this list. They provide more than 60 separate courses and over 30 GIAC certifications, many of which our clients hold in very high regard. Candidates are often extremely sought after if they hold one or more SANS certifications. The courses cover the whole security spectrum from Blue Team (GCIH, GCIA or GCFA) to Offensive Security (GCPN, GPEN, GWAPT), whilst also having a range of highly specialist courses with a focus on areas such as Industrial Control Systems (GICSP) and purple teaming (GDAT).
The time required for an individual SANS course can range from 16 hours to 6 months, with prices anywhere from $4000 to $9000 for a full course and exam.
If you intend to gain multiple certifications, then a cost- and time-effective method is the SANS Workforce Academy, which is essentially an intensive programme to accelerate training.
There are of course lots more certifications not on this page, and our best advice before booking yourself on a course is to define your goals and what skills you want to improve. The time and monetary commitment required to hold any one of these is significant, so make sure you do your research and then spend it wisely. It is always worth asking your current employer whether they will pay for all or some of the cost.
As always, if you want more advice on what would help you achieve your goals then feel free to contact us at oliver.legg@aspironsearch.com
Oliver Legg