March 14, 2016 By Christopher Burgess 3 min read

Today’s information security professional has never been in greater demand. Employers hunt for the best in hopes of luring them away from their current position. Oftentimes, the individual being sought has no idea that he or she is on another entity’s radar until a recruiter makes contact.

But how do organizations identify these candidates? Security certification is often the keyword used to sort the presumed wheat from the chaff. The collection of acronyms — or the alphabet soup — after their names serves to indicate the security certifications achieved.

Value in Security Certifications?

There is value in achieving certification, just as there is value in obtaining experience. One does not substitute for the other. Security certifications serve as a barometer of commonality across the industry for both employees and employers. If an individual has received a given certification, it stands to reason that the individual has acquired sufficient knowledge in a given subject area, as defined by the certification criteria.

That’s not to say that life experience aligns perfectly or imperfectly with the given certification. But certifications are useful in demonstrating knowledge and are one of many criteria used in evaluating individuals within the information security and privacy arena.

Experience is equally important but may not package as neatly as a certification does. With that said, there is no substitute for experience. Theoretical exercises completed as part of a certification process and practical experience derived from hands-on engagement are not equal in any sense of the word, especially when a company’s assets are in play.

Where to Start?

The challenge facing the information security professional is which security certification program to pursue. There are many from which to choose, some offered by manufacturers — Cisco, for example, offers a series of Cisco Certifications — and more agnostic certifications offered by a variety of organizations.

The following is an overview of those nonspecific certifications, which by no means should be considered all-inclusive.


The International Information System Security Certification Consortium, also called (ISC)², is a global organization that has bestowed thousands of certifications throughout its many years of existence. While it offers a selection of security certification options, three stand out:

Why pursue one of these certifications? According to (ISC)², “Your (ISC)² credential validates your expertise and knowledge and gives you (ISC)² membership, which provides you with networking opportunities, industry resources and the career support that you need in today’s information security industry.”


The Information Systems Audit and Control Association (ISACA) is a global organization whose focus is on measuring cybersecurity readiness in its security certification programs. Four of its programs are:

Why invest in an ISACA certification? Using ISACA’s own words, “ISACA certifications are globally accepted and recognized. They combine the achievement of passing an exam with credit for your work and educational experience, giving you the credibility you need to move ahead in your career.”


Another organization focused on privacy and certifications is the International Association of Privacy Professionals (IAPP). It also has globally recognized certifications, which include:

“Skilled privacy pros are in high demand, and IAPP certification is what employers want,” the IAPP states. “When you earn an IAPP credential, you earn the right to be recognized as part of an elite group of knowledgeable, capable and dedicated privacy professionals.”


The Global Information Assurance Certification (GIAC) is yet another organization designed specifically to provide a global point of reference in information assurance certification. It offers a plethora of certifications and adds new certification programs regularly. The GIAC divides its offerings by topical area:

GIAC prides itself on its global applicability and makes the case for certification. “A certification is proof an individual meets a minimum standard,” the organization argues. “The mission of GIAC is to provide assurance to employers their people and prospective hires can actually do the job.”

Compensation for Certification

If you deduced that there appears to be a security certification for every nuance of the information security landscape, you would not be wrong — there are, and more are on the way. According to the research conducted by ISACA and separate research by GIAC, total compensation packages are greater for those with security certifications as compared to those without. That answers a question every individual asks when trying to determine whether a given certification will make a difference.

That said, sometimes the difference is more subtle, especially among employers who generously (and wisely) offer to pick up 100 percent of the security certification costs for their employees.

Let us close with two questions, one for employers and one for employees: What security certifications do you require of your employees and why? What security certifications do you have, and how have they made a difference in your career?
