A host of new cyberthreats (many targeting the software supply chain, for example) and burgeoning technologies (AI, anyone?) have increased organizations' cyberattack risks — and spurred the creation of new professional certifications to foster the skills needed to meet those challenges. But which skills are in the most demand?
The right certifications can be a boon to security professionals looking to get a raise or move on to greener pastures. A CSO Online report based on numbers gathered by Foote Partners identified 12 IT security certifications that are peaking in value, with average pay premiums ranging from 10% to 15% and average market premiums running as high as 43%. Top performers include Certified Cloud Security Professional (ISC2-CCSP), Certified Data Privacy Solutions Engineer, Global Information Assurance Certification (GIAC), and GIAC Certified Incident Handler.
Here's what top experts say are the best certifications to go after today.
Highest risk equals higher reward
Tim Freestone, chief strategy officer for the secure content communications firm Kiteworks, cited several hot areas.
"People are focusing on anything to do with the cloud. Certifications around AI and compliance certifications are also big. Data privacy is something that is driving a lot of interest, too."
—Tim Freestone
Deidre Diamond, founder and CEO of CyberSN, a cybersecurity recruiting and career resources firm, recommended pursuing certifications in cloud security architecture and identity access management.
"Identity access and sound foundational architectures are critical components to zero-trust principles and ongoing sustainable cyber resilience."
—Deidre Diamond
However, traditional certifications still dominate the cybersecurity job landscape for both professionals and employers, Diamond said. "We are seeing more companies seeking certifications in specific cloud platforms, specifically the Google Cloud Platform Architect and AWS Certified Security certifications."
A framework for cyber-job seekers
One of the largest growth areas in IT security now is the use and implementation of the NIST Workforce Framework for Cybersecurity (the NICE Framework, NIST SP 800-181) and the concept of cyber resilience. Jason Dion, chief product officer for the cybersecurity certifications company Akylade, said the shift from traditional perimeter security to cyber resilience is driving a change in demand.
"With information assurance and cybersecurity, we are focused on protecting everything from every kind of threat, but with cyber resilience, we are implementing techniques to prioritize our risks and our limited resources by focusing on how we can continue to operate our business when an eventual cyberattack occurs."
—Jason Dion
Derek Fisher, executive director of product security at JPMorgan Chase & Co., wrote in a recent post on LinkedIn that the NICE framework was key to defining modern roles focused on cyber resilience:
“The benefit of the NICE framework is that it provides a set of work roles that can be used to guide new entrants to security, or those looking to make a change in the field.”
—Derek Fisher
The NICE framework is a cascading set of work role categories, work roles, and the task, knowledge, and skill statements attached to each role, describing the work a cybersecurity practitioner actually does. "This can be extremely useful for those who are looking to fill roles on their teams and build out meaningful job descriptions," Fisher noted. "We have a problem in our space where job descriptions rarely match the expectations of the actual role. NICE can help."
Putting certifications to work: A hurdle for many
Despite the rewards some certifications can bestow on a cybersecurity professional, many balk at obtaining them, said Alyson Laderman, CEO of Akylade. Some may procrastinate, she said, because they don't see a direct impact on their daily responsibilities. And some may question the relevance of certifications that focus more on theory or broad concepts than on specialized, job-specific skills, Laderman added, noting that most security pros are already maxed out.
“In a fast-paced industry like cybersecurity, professionals are often more focused on hands-on problem-solving and real-time threat mitigation than on re-certifying or pursuing new credentials that they don't feel provide immediate value, especially in relation to the time and financial costs.”
—Alyson Laderman
Nonetheless, certifications can serve as a critical benchmark for keeping knowledge current and demonstrating a commitment to lifelong learning. They also help professionals remain competitive in an evolving job market, as organizations increasingly look for candidates who can prove they have an up-to-date, broad understanding of cybersecurity principles, Laderman said.
"While upgrading one's certification portfolio may not always feel urgent, the long-term career benefits can outweigh the immediate inconvenience, as long as certifications are focused on practical, hands-on-type skills."
—Alyson Laderman
Time can be another barrier to adding to a security pro's certification portfolio, said CyberSN's Diamond. Many employers support continuous learning through training budgets, she said, but overlook the time needed to prepare for a certification, complete it, and keep it current.
"Having the dedicated, uninterrupted time for certification completion is one of the most-mentioned areas of improvement we hear from cyber-professionals."
—Deidre Diamond
Kiteworks' Freestone said it all boils down to the fact that there are more threats and fewer security people to address them.
“So the stress is incredibly high and there isn't time to keep up with the demands of the business and run after all of these certifications.”
—Tim Freestone
Cost and ROI remain key
Cost can also be a deterrent to seeking a certification. Akylade's Dion said most certification providers seem to raise their prices over the years without changing the quality or content of what they offer. "Many certification companies operate on a for-profit basis, and even those that are not-for-profit are operating much like a for-profit business. This has caused prices to continually rise higher and higher to increase their profitability without the underlying cost of delivering these certifications rising at the same rate," Dion said.
“Having trained over 2 million students to pass their IT and cybersecurity certifications as a corporate trainer, I can tell you that when the student has to pay for the certifications and they reach into the $500, $1,000, or higher levels, the number of candidates willing to take a certification decreases. Additionally, there are so many certifications on the market that many candidates simply procrastinate because they are afraid they will select the wrong certification, so they opt to select none and procrastinate instead."
—Jason Dion
The alphabet soup of certifications can also water down their importance, Freestone said. On LinkedIn, for example, security engineers and security architects might have as many as 10 certifications listed after their names, one acronym after another. He recommended that cybersecurity pros choose wisely and weigh the time required to obtain a certification against its career value.
"Stay on top of not only the trends of today, but what's happening in the next five to 10 years. ... You want to get ahead of the curve. You don't want to be reacting to the curve, so pay attention to what analyst firms like Gartner and Forrester are predicting."
—Tim Freestone