Today’s information security professional has never been in greater demand. Employers hunt for the best in hopes of luring them away from their current position. Oftentimes, the individual being sought has no idea that he or she is on another entity’s radar until a recruiter makes contact.

But how do organizations identify these candidates? Security certification is often the keyword used to sort the presumed wheat from the chaff. The collection of acronyms — or the alphabet soup — after their names serves to indicate the security certifications achieved.

Value in Security Certifications?

There is value in achieving certification, just as there is value in obtaining experience. One does not substitute for the other. Security certifications serve as a common yardstick across the industry for both employees and employers. If an individual has received a given certification, it stands to reason that the individual has acquired sufficient knowledge in a given subject area, as defined by the certification criteria.

That’s not to say that life experience aligns perfectly or imperfectly with the given certification. But certifications are useful in demonstrating knowledge and are one of many criteria used in evaluating individuals within the information security and privacy arena.

Experience is equally important but may not bundle as nicely as one’s certification. With that said, there is no substitute for experience. Theoretical exercises as part of a certification process and practical experience derived from hands-on engagement are not equal in any sense of the word, especially when a company’s assets are in play.

Where to Start?

The challenge facing the information security professional is which security certification program to pursue. There are many from which to choose, some offered by manufacturers — Cisco, for example, offers a series of Cisco Certifications — and more agnostic certifications offered by a variety of organizations.

The following is an overview of those vendor-agnostic certifications, which by no means should be considered all-inclusive.


The International Information System Security Certification Consortium, also called (ISC)², is a global organization that has bestowed thousands of certifications throughout its many years of existence. While it offers a selection of security certification options, three stand out:

Why pursue one of these certifications? According to (ISC)², “Your (ISC)² credential validates your expertise and knowledge and gives you (ISC)² membership, which provides you with networking opportunities, industry resources and the career support that you need in today’s information security industry.”


The Information Systems Audit and Control Association (ISACA) is a global organization whose focus is on measuring cybersecurity readiness in its security certification programs. Four of its programs are:

Why invest in an ISACA certification? Using ISACA’s own words, “ISACA certifications are globally accepted and recognized. They combine the achievement of passing an exam with credit for your work and educational experience, giving you the credibility you need to move ahead in your career.”


Another organization focused on privacy and certifications is the International Association of Privacy Professionals (IAPP). It also has globally recognized certifications, which include:

“Skilled privacy pros are in high demand, and IAPP certification is what employers want,” the IAPP states. “When you earn an IAPP credential, you earn the right to be recognized as part of an elite group of knowledgeable, capable and dedicated privacy professionals.”


The Global Information Assurance Certification (GIAC) is yet another organization designed specifically to provide a global point of reference in information assurance certification. It offers a plethora of certifications and adds new certification programs regularly. The GIAC divides its offerings by topical area:

GIAC prides itself on its global applicability and makes the case for certification. “A certification is proof an individual meets a minimum standard,” the organization argues. “The mission of GIAC is to provide assurance to employers their people and prospective hires can actually do the job.”

Compensation for Certification

If you deduced that there appears to be a security certification for every nuance of the information security landscape, you would not be wrong — there are, and more are on the way. According to the research conducted by ISACA and separate research by GIAC, total compensation packages are greater for those with security certifications as compared to those without. That answers a question every individual asks when trying to determine whether a given certification will make a difference.

That said, sometimes the difference is more subtle, especially among employers who generously (and wisely) offer to pick up 100 percent of the security certification costs for their employees.

Let us close with two questions, one for employers and one for employees: What security certifications do you require of your employees and why? What security certifications do you have, and how have they made a difference in your career?
