If you’re just getting into the world of cybersecurity, the matter of certifications can seem deep and confusing. Sec+? Net+? CySA+? CISSP? CCSP? CIPA? CISA? CCNA? How about WTH (what the heck)?
So, what are certifications?
Basically, a certification is a form of institutional validation of a skill that you’ve mastered. In order to get a certification, you take a test, and if you pass, you get the certification. Certain certifications also have prerequisites for professional experience, while others don’t.
There’s a whole world of competing certifications within cybersecurity, each managed by a different certifying body, each with its own set of skills and its own method of testing those skills. With so many different competing standards for proficiency in cybersecurity, it can be easy to get totally lost, especially as a beginner.
Not to worry. In fact, these things can be confusingly complex even for cybersecurity professionals. While a newbie might find their head swimming with a million different acronyms, cybersecurity professionals are engaged in a different controversy: to what extent do certifications actually indicate some sort of competence? Should cybersecurity companies rely on certifications as a measure of competence when hiring? And which certifications do the best job of proving that certification-holders are good at their jobs?
Do you need certifications?
Philosophical quandaries aside, the fact is that as of right now, hiring managers typically do rely on certifications, to an extent, to narrow down their choices while hiring. In entry-level roles, especially, certifications serve as an indicator of not only competence, but also motivation. Those who went out of their way to get certifications took the time to expand their knowledge base and challenge themselves, while those with no certifications didn’t.
But, of course, certifications are not a replacement for real, applied experience. Employers know that certifications are not enough to prove that a prospective employee will necessarily be good at their job. Even those with certifications should be prepared to demonstrate their knowledge of and experience in cybersecurity in an interview.
On the other hand, without a certification, you may not even land the interview in the first place. Certifications are essential tools that can dramatically increase the likelihood that applicants get past the initial resume review stage. In certain roles, they can even serve as a substitute for a more specialized undergraduate degree.
In other words, while certifications are not necessarily an absolute, hard-and-fast requirement to be hired in the cybersecurity industry, having a few will greatly assist you in the job search. We absolutely recommend bringing at least a few entry-level certifications along with you when you begin applying.
Which certifications should you consider?
In part, it depends on what roles you’re considering. Certain certifications are more specialized than others. In fact, if you’re a complete beginner, many of the entry-level certifications you might find yourself obtaining are every bit as applicable to an ordinary IT job as they are to cybersecurity-related positions.
Below, we’ve listed some of the most common cybersecurity-related certifications. This is by no means an exhaustive list; for a more detailed overview of all possible certifications, see our Cybersecurity Courses & Certifications Guide. Instead, the purpose of the list is to give you a general idea of what different certifications are out there.
Some of the certifications on this list are quite advanced, and if you’re a beginner, you won’t need to worry about them quite yet; still, we’ve included them because they’re names that, should you go into cybersecurity, you’ll hear again and again.
In addition, you should be aware of how certifications can impact your eligibility for DoD-related jobs. Check out our guide to DoDD 8140 for more information on DoD-related qualifications.
The Computing Technology Industry Association, or CompTIA, is a non-profit trade association for professionals in the information technology industry. It issues what are called vendor-neutral certifications: unlike vendor-specific certifications, which cover expertise in particular software or other tools, certifications issued by CompTIA cover broader areas of expertise. CompTIA is widely considered to be one of the most trusted certifying bodies in information technology.
The most basic certification issued by CompTIA is CompTIA A+, which covers basic IT-related concepts: the basics of IT hardware and software, operating systems, various forms of troubleshooting, operational procedures, cloud computing, and other similar topics. If you’re looking to get started with your training for a cybersecurity career, studying for CompTIA A+ is a great way to pick up fundamental concepts. It can help you land an entry-level IT position, but it’ll rarely be sufficient for a fully specialized job in cybersecurity. The CompTIA A+ is a very large exam. The concepts taught in the A+ provide a great deal of foundation for students, but there is some consensus in the industry that actually holding the A+ certification is not necessary.
After A+ comes CompTIA Network+, which focuses on the specific skills necessary to manage and operate a network. Like A+, Network+ is an entry-level certification that won’t be sufficient to demonstrate expertise in cybersecurity; but also like A+, Network+ tests many of the skills that are fundamental to cybersecurity, so having this certification is definitely a good idea.
Then there’s CompTIA Security+, which is CompTIA’s entry-level cybersecurity certification. It is one of the most popular cybersecurity certifications, and aims to ensure candidates have skills in areas like attacks, threats and vulnerabilities, incident response, architecture and design, and governance and compliance, among other areas. Security+ is a great certification for job seekers to have.
After that, CompTIA offers a number of more specialized cybersecurity certifications. There’s CySA+ (standing for cybersecurity analyst), which is a highly popular intermediate-level certification that resembles Security+ but places heavier emphasis on troubleshooting and responding to specific incidents.
Further along, there’s PenTest+, which covers skills necessary to be a penetration tester, and CASP+ (CompTIA Advanced Security Practitioner), which is a highly advanced certification that covers the skills necessary to fully assess a security system.
ISACA, originally known as the Information Systems Audit and Control Association, is an international trade association that focuses on IT systems. Founded in 1967, it is one of the most important regulating bodies in IT today.
One of its most fundamental certifications is the Certified Information Systems Auditor, or CISA. This certification was first introduced in 1978, so it’s safe to say it’s been around long enough to gain a solid reputation. This is another great entry-level cybersecurity certification because it focuses on a critical skill for cybersecurity professionals: an information systems audit is an evaluation of how effectively a system stores and safeguards data, and knowing how to perform one is essential for a cybersecurity professional.
Another popular certification from ISACA is the Certified Information Security Manager, or CISM. Compared to the CISA certification, this one is more advanced, preparing candidates to step into a managerial role. CISM covers topics like information security governance and incident management, making it a perfect certification for intermediate-level cybersecurity professionals who are aiming slightly higher.
For cybersecurity professionals, the certifications offered by the International Information System Security Certification Consortium, or (ISC)2, are some of the most popular and coveted certifications available to professionals. They’re also some of the most rigorous.
Of these, the one with the largest profile and the most demand (perhaps the most demand of all security-related certifications) is the Certified Information Systems Security Professional certification, or CISSP. Not only does CISSP require extensive experience, it also requires certification holders to continue their education after initially obtaining the certification. The exam itself is divided into eight “domains,” ensuring a body of certification holders with a knowledge base that is both versatile and deep.
While CISSP is effectively the “gold standard” for cybersecurity professionals, (ISC)2 offers a few other certifications to meet other needs. Its entry-level certification is CC, or Certified in Cybersecurity. It covers very fundamental topics and is aimed squarely at those who aren’t yet cybersecurity professionals but aim to be. It even includes high school students in its range of ideal candidates.
The range of more serious cybersecurity certifications offered by (ISC)2 includes the SSCP, or Systems Security Certified Practitioner, which is aimed at those who work in security administration and operations, and the CCSP, or Certified Cloud Security Professional, which covers (true to the title) positions in cloud security.
There are more certifications we haven’t mentioned here; for more information, check out our Certifications Guide. The point is that there’s a huge range of certifications, from those that cover the very basics, to advanced certifications that take years of industry experience to obtain.
If you’re just getting into IT and cybersecurity, we definitely recommend checking out some of the entry-level IT certifications, like CompTIA A+. If you’re already an IT professional looking to step into cybersecurity, CompTIA Security+ would be a great place to start.
After that, you’ll most likely want to decide on the path you want to take through the cybersecurity world before you fully commit to any particular certifications. Once you zero in on some specific career goals, you’ll have a better idea of which certifications to go for. Good luck out there!