
Which cybersecurity certifications are best for your career?

July 26, 2021 by David Strom

Figuring out your appropriate certification program isn’t easy and involves almost as much studying as preparing for the certification exams themselves. But these programs can have big payouts in terms of job advancement, increases in responsibility and salary.

In our first part, we presented the issues a manager should consider in building a training program for their company. 

While there are vendor-sponsored programs from most major vendors, including Cisco, Microsoft and VMware, our focus is on training from independent training outfits or industry associations such as CompTIA and ISACA. (The significant offerings from the most popular vendors are summarized in the chart below.) Each one has a complex set of exams, prerequisites and study materials and, of course, certifications.


The costs of training

Before you dive into a program and start studying for your certification, the first step is to narrow down your choices. One place that can help is GoCertify, an online evaluation tool that asks you a series of questions, such as what subject area you are interested in and whether you need to renew an existing certification or obtain a new one. It will recommend a course of action, and the site also offers a handy cost calculator to tally up the various fees.

While you probably already know the cost of taking the particular training class, there are lots of other elements of a program to consider, such as:

  • What exactly will it take you to complete the overall program and get that credential? For example, you might need to travel to a city to take the exam because it isn’t offered in your area or at a time that is most convenient to you.
  • Do you need to purchase hardware or software licenses to run the actual product for the class?
  • What is the cost for routine maintenance once you get your credentials? “Most credentials run on two- or three-year cycles and require at least some kind of related activity and expenditure every year,” says training expert author Ed Tittel. You’ll want to understand how often you’ll need to renew your credentials and what activities will be necessary as part of that process, and whether you need to maintain a membership in the credentialing organization after being certified.
  • How long will it take to complete the coursework and obtain your credential? Some programs can be done quickly, in a matter of a few weeks or a month, while others might take the better part of a year or more. You should factor in whether you will work at a full-time job while you pursue your education or get some comp time during this period that you prepare for the exams.

The interlocking web of credential prerequisites can also make the average college course catalog look simple by comparison.

Calculating training benefits 

There are various ways to calculate the benefits of having a credential. Tittel has a straightforward metric that he uses: “A certification that costs tens of thousands of dollars to earn had better also improve its holders’ income potential by at least one-third of those costs in yearly compensation increases.” 

Why one-third? Tittel assumes that the typical lifetime of any certification is just three years, so he wants to see a payback over that period. “Otherwise, the cost-benefit argues strongly against shelling out the cash for somewhat less salary gain.”

You should also consider what you expect your job circumstances to be if you obtain this credential. Will you get a raise, and if so, how much additional income over the next two or three years? How does that rise in income match up with the costs you calculated above? Will you be in a better job position, however you define that?

How to evaluate a certification program

Once you calculate the costs and benefits, you need to look closer at the particular program and ensure that it will deliver the goods. You should create your evaluation criteria for the various certification programs by asking questions such as:

  • How extensive is the program in terms of the total population of certificate holders? How long has the program been in operation? Tittel likes to see a minimum of five years. Raw numbers alone are not proof of quality, though: “One reason that a lot of people have gotten certified could be that the vendor has a better marketing program,” said Tom Hart, the COO of Eliassen Group, a major IT staffing operation based in the Boston area.
  • What are people saying on social media about the program? Hart suggests that you examine various social media sites and other places where techies hang out, such as Reddit, and see what the buzz is on particular certifications. “There is nothing more valuable than a personal recommendation from someone who has taken the class, and technical people are especially approachable online to offer their opinions here.”  
  • Is the certificate in demand? Tittel scans job boards to see if the certificate is mentioned in job requirements, along with job surveys and other industry-wide data to see how much demand there is for the credential. “Search job sites such as or Dice for the acronym of the credential and see how much it pops up in the results,” he says. In addition, the program and credential should be frequently mentioned in various infosec-based B2B publications.
  • What kind of peer support is out there? Tittel also looks for peer study groups and other online discussion forums that help students prepare for the qualifying exams. If this support is absent, think about choosing another certificate.
  • How current is the program? The better programs keep up with what the vendors are doing with their products rather than testing you on stale knowledge or several-year-old versions. “Microsoft is making major software releases almost every year now on most of their products, and so the certifications have to stay current with the new versions,” Tittel says. This rapid release pace can also make it difficult to find printed exam study guides that are up to date.

Undoubtedly, keeping all these factors in mind is a tricky balancing act. Ultimately, deciding which program to use is often a matter of personal preference and other factors. But it helps to lay out the issues to clarify your thinking.


Leading Infosec training vendors comparison chart 

Each entry lists the certification, its cost, and other certifications from the same vendor to consider.

  • CompTIA Security+. Cost: $370 for a 90-minute test. Other certifications to consider: penetration testing, cybersecurity analyst and general IT.
  • EC-Council Certified Ethical Hacker (CEH). Cost: $1,200 for a four-hour test. Other certifications to consider: a dozen-plus specializations, including disaster recovery and penetration testing.
  • ISACA Certified Info Security Manager (CISM). Cost: $760 for a four-hour test for non-members, with significant discounts for members; study materials extra. Other certifications to consider: risk management, data privacy and auditing.
  • ISC2 Certified Cloud Security Practitioner (CCSP). Cost: $549 for a four-hour test. Other certifications to consider: secure software, risk management and cybersecurity management.
  • GIAC® Penetration Tester (GPEN). Cost: $7,270 for in-person instruction at various locations around the world. Other certifications to consider: a dozen-plus certifications, including security essentials and incident handling.
  • Offensive Security Penetration Testing. Cost: $1,000 for the first certification; the exam must be completed within 24 hours. Other certifications to consider: three different levels, plus certifications in web apps and DevOps.

Note: This list is compiled from three sources that have recommended who offers the best infosec credentials and training: Infosec Careers, and SearchSecurity.

David Strom

David Strom is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as IT security, VOIP, convergence, email, cloud computing, network management, Internet applications, wireless and Web services for more than 30 years. Over the course of his editorial career, he has helped launch dozens of Web sites, including the DesignLine series (such as for CMP's Electronics Group). As the founding editor-in-chief for Network Computing magazine, he hired a staff of 20, established the magazine's six networked laboratories, designed a network-based publishing and production system and wrote many articles on networking topics. From 2016-19 he created and curated the content of the Inside Security newsletter.