Today’s information security professional has never been in greater demand. Employers hunt for the best in hopes of luring them away from their current positions. Oftentimes, the individual being sought has no idea that he or she is on another entity’s radar until a recruiter makes contact.

But how do organizations identify these candidates? Security certification is often the keyword used to sort the presumed wheat from the chaff. The collection of acronyms — the alphabet soup — after a candidate’s name serves to indicate the security certifications achieved.

Value in Security Certifications?

There is value in achieving certification, just as there is value in obtaining experience. One does not substitute for the other. Security certifications serve as a common yardstick across the industry for both employees and employers. If an individual has received a given certification, it stands to reason that the individual has acquired sufficient knowledge in a given subject area, as defined by the certification criteria.

That is not to say that work experience aligns perfectly with a given certification. But certifications are useful in demonstrating knowledge and are one of many criteria used in evaluating individuals within the information security and privacy arena.

Experience is equally important, but it does not package as neatly on a resume as a certification does. Even so, there is no substitute for it. The theoretical exercises that make up a certification process and the practical experience derived from hands-on engagement are not equal in any sense of the word, especially when a company’s assets are in play.

Where to Start?

The challenge facing the information security professional is which security certification program to pursue. There are many from which to choose: some are offered by vendors (Cisco, for example, offers a series of Cisco Certifications), and more vendor-neutral certifications are offered by a variety of organizations.

The following is an overview of those vendor-neutral certifications, which by no means should be considered all-inclusive.


The International Information System Security Certification Consortium, also called (ISC)², is a global organization that has awarded thousands of certifications over its many years of existence. While it offers a selection of security certification options, three stand out:

Why pursue one of these certifications? According to (ISC)², “Your (ISC)² credential validates your expertise and knowledge and gives you (ISC)² membership, which provides you with networking opportunities, industry resources and the career support that you need in today’s information security industry.”


The Information Systems Audit and Control Association (ISACA) is a global organization whose certification programs focus on audit, governance, risk and cybersecurity readiness. Four of its programs are:

Why invest in an ISACA certification? Using ISACA’s own words, “ISACA certifications are globally accepted and recognized. They combine the achievement of passing an exam with credit for your work and educational experience, giving you the credibility you need to move ahead in your career.”


Another organization, focused specifically on privacy, is the International Association of Privacy Professionals (IAPP). It also offers globally recognized certifications, which include:

“Skilled privacy pros are in high demand, and IAPP certification is what employers want,” the IAPP states. “When you earn an IAPP credential, you earn the right to be recognized as part of an elite group of knowledgeable, capable and dedicated privacy professionals.”


The Global Information Assurance Certification (GIAC) is yet another organization designed specifically to provide a global point of reference in information assurance certification. It offers a large number of certifications and adds new certification programs regularly. GIAC divides its offerings by topical area:

GIAC prides itself on its global applicability and makes the case for certification. “A certification is proof an individual meets a minimum standard,” the organization argues. “The mission of GIAC is to provide assurance to employers their people and prospective hires can actually do the job.”

Compensation for Certification

If you deduced that there appears to be a security certification for every nuance of the information security landscape, you would not be wrong: there are, and more are on the way. According to research conducted by ISACA and separate research by GIAC, total compensation packages are greater for those with security certifications than for those without. That answers the question every individual asks when trying to determine whether a given certification will make a difference.

That said, sometimes the difference is more subtle, especially at employers who generously (and wisely) offer to pick up 100 percent of the security certification costs for their employees; there, the question is less whether the certification pays for itself and more which one best serves the role.

Let us close with two questions, one for employers and one for employees: What security certifications do you require of your employees and why? What security certifications do you have, and how have they made a difference in your career?
