Today’s information security professional has never been in greater demand. Employers hunt for the best in hopes of luring them away from their current position. Oftentimes, the individual being sought has no idea that he or she is on another entity’s radar until a recruiter makes contact.

But how do organizations identify these candidates? Security certification is often the keyword used to sort the presumed wheat from the chaff. The collection of acronyms — or the alphabet soup — after a candidate's name serves to indicate the security certifications achieved.

Value in Security Certifications?

There is value in achieving certification, just as there is value in obtaining experience. One does not substitute for the other. Security certifications serve as a common yardstick across the industry for both employees and employers. If an individual has earned a given certification, it stands to reason that the individual has acquired sufficient knowledge in the subject area defined by the certification criteria.

That is not to say that an individual's experience aligns neatly with a given certification. But certifications are useful in demonstrating knowledge and are one of many criteria used in evaluating individuals within the information security and privacy arena.

Experience is at least as important, but it does not package as neatly as a certification does. There is no substitute for it. The theoretical exercises of a certification process and the practical judgment gained from hands-on engagement are not equal in any sense of the word, especially when a company's assets are in play.

Where to Start?

The challenge facing the information security professional is which security certification program to pursue. There are many from which to choose: some are offered by manufacturers — Cisco, for example, offers a series of Cisco Certifications — and others are vendor-neutral certifications offered by a variety of organizations.

The following is an overview of those vendor-neutral certifications, which by no means should be considered all-inclusive.


The International Information System Security Certification Consortium, also called (ISC)², is a global organization that has awarded thousands of certifications over its many years of existence. While it offers a selection of security certification options, three stand out:

Why pursue one of these certifications? According to (ISC)², “Your (ISC)² credential validates your expertise and knowledge and gives you (ISC)² membership, which provides you with networking opportunities, industry resources and the career support that you need in today’s information security industry.”


The Information Systems Audit and Control Association (ISACA) is a global organization whose certification programs center on IT audit, governance, risk and cybersecurity readiness. Four of its programs are:

Why invest in an ISACA certification? Using ISACA’s own words, “ISACA certifications are globally accepted and recognized. They combine the achievement of passing an exam with credit for your work and educational experience, giving you the credibility you need to move ahead in your career.”


The International Association of Privacy Professionals (IAPP) focuses specifically on privacy. It also offers globally recognized certifications, which include:

“Skilled privacy pros are in high demand, and IAPP certification is what employers want,” the IAPP states. “When you earn an IAPP credential, you earn the right to be recognized as part of an elite group of knowledgeable, capable and dedicated privacy professionals.”


The Global Information Assurance Certification (GIAC) is yet another organization, one designed specifically to provide a global point of reference for information assurance certification. It offers a wide range of certifications and adds new programs regularly. GIAC divides its offerings by topical area:

GIAC prides itself on its global applicability and makes the case for certification. “A certification is proof an individual meets a minimum standard,” the organization argues. “The mission of GIAC is to provide assurance to employers their people and prospective hires can actually do the job.”

Compensation for Certification

If you deduced that there appears to be a security certification for every nuance of the information security landscape, you would not be wrong — there is, and more are on the way. According to research conducted by ISACA, and separate research by GIAC, total compensation packages are greater for those with security certifications than for those without. That answers the question every individual asks when trying to determine whether a given certification will make a difference.

That said, the difference is sometimes more subtle, especially with employers who generously (and wisely) offer to cover 100 percent of the security certification costs for their employees.

Let us close with two questions, one for employers and one for employees: What security certifications do you require of your employees and why? What security certifications do you have, and how have they made a difference in your career?