March 14, 2016 By Christopher Burgess 3 min read

Today’s information security professional has never been in greater demand. Employers hunt for the best in hopes of luring them away from their current position. Oftentimes, the individual being sought has no idea that he or she is on another entity’s radar until a recruiter makes contact.

But how do organizations identify these candidates? Security certification is often the keyword used to sort the presumed wheat from the chaff. The collection of acronyms — the alphabet soup — after a candidate's name serves to indicate the security certifications achieved.

Value in Security Certifications?

There is value in achieving certification, just as there is value in obtaining experience. One does not substitute for the other. Security certifications serve as a common yardstick across the industry for both employees and employers. If an individual has received a given certification, it stands to reason that the individual has acquired sufficient knowledge in the subject area defined by the certification criteria.

That's not to say that a certification maps neatly onto real-world experience. But certifications are useful in demonstrating knowledge and are one of many criteria used in evaluating individuals within the information security and privacy arena.

Experience is equally important but does not package as neatly as a certification. With that said, there is no substitute for it. The theoretical exercises of a certification process and the practical experience gained from hands-on engagement are not equal in any sense of the word, especially when a company's assets are in play.

Where to Start?

The challenge facing the information security professional is which security certification program to pursue. There are many from which to choose: some offered by manufacturers — Cisco, for example, offers a series of Cisco Certifications — and vendor-neutral certifications offered by a variety of organizations.

The following is an overview of those vendor-neutral certifications, which by no means should be considered all-inclusive.


The International Information System Security Certification Consortium, also called (ISC)², is a global organization that has bestowed thousands of certifications throughout its many years of existence. While it offers a selection of security certification options, three stand out:

Why pursue one of these certifications? According to (ISC)², “Your (ISC)² credential validates your expertise and knowledge and gives you (ISC)² membership, which provides you with networking opportunities, industry resources and the career support that you need in today’s information security industry.”


The Information Systems Audit and Control Association (ISACA) is a global organization whose certification programs focus on IT audit, governance, risk and cybersecurity readiness. Four of its programs are:

Why invest in an ISACA certification? Using ISACA’s own words, “ISACA certifications are globally accepted and recognized. They combine the achievement of passing an exam with credit for your work and educational experience, giving you the credibility you need to move ahead in your career.”


An organization focused specifically on privacy is the International Association of Privacy Professionals (IAPP). It also offers globally recognized certifications, which include:

“Skilled privacy pros are in high demand, and IAPP certification is what employers want,” the IAPP states. “When you earn an IAPP credential, you earn the right to be recognized as part of an elite group of knowledgeable, capable and dedicated privacy professionals.”


The Global Information Assurance Certification (GIAC) is yet another organization, designed specifically to provide a global point of reference in information assurance certification. It offers a plethora of certifications and adds new programs regularly. GIAC divides its offerings by topical area:

GIAC prides itself on its global applicability and makes the case for certification. “A certification is proof an individual meets a minimum standard,” the organization argues. “The mission of GIAC is to provide assurance to employers their people and prospective hires can actually do the job.”

Compensation for Certification

If you deduced that there appears to be a security certification for every nuance of the information security landscape, you would not be wrong — there is, and more are on the way. According to research conducted by ISACA and separate research by GIAC, total compensation packages are greater for those with security certifications than for those without. That answers the question every individual asks when trying to determine whether a given certification will make a difference.

That said, sometimes the difference is more subtle, especially among employers who generously (and wisely) offer to pick up 100 percent of the security certification costs for their employees.

Let us close with two questions, one for employers and one for employees: What security certifications do you require of your employees and why? What security certifications do you have, and how have they made a difference in your career?
