Certifications aren't strictly necessary in order to get hired as a cybersecurity analyst (with the notable exception of many government jobs). But they can help you demonstrate to an HR recruiter or hiring manager that you have a specific skillset via a third party's assessment of your skills.
The process of studying for an exam can also help you to gain additional skills. I know that I find the prospect of an exam at the end of my studying to be an effective motivator!
Certifications can't take the place of on-the-job experience (and shouldn't). But they may be particularly helpful for folks coming into the field with a non-traditional background to demonstrate skills.
It can be overwhelming to sort your way through all of the possible certifications, so here's my suggestion for how to progress.*
Certifications if you're just getting started in cybersecurity:
CompTIA Security+
This is the best certification if you're new to cyber. It's an overview of a number of topics (almost like a shorter, simpler version of the CISSP), and studying for it will probably help you figure out which parts of cyber interest you.
- Pre-requisites: None
- Cost: ~$400
- Organization: CompTIA
I'm including a note about the CEH (Certified Ethical Hacker) exam here because I see it referenced pretty regularly.
Still, I don't recommend it because it isn't a well-respected technical certification for penetration testing. Also, in recent years there have been some concerns about how EC-Council (the organization which administers the exam) approaches sexism and racism within cyber, and about how often they update the technical information in their exams. I'm not a big fan of any of their certifications.
I'd advise Security+ for folks just getting started in cyber, and advise more specific penetration testing certs for folks more interested in that area.
Certifications if you're a few years into your career...
Certified Information Systems Security Professional (CISSP)
This is generally the most widely-recognized, broad certification within information security. If you're only going to get one certification, this is the one.
It's not particularly technical (it's technical for a management certification), but it's widely recognized by HR teams. It's an inch deep and a mile wide – a HUGE amount of information grouped into 8 domains:
- Domain 1. Security and Risk Management (15%)
- Domain 2. Asset Security (10%)
- Domain 3. Security Architecture and Engineering (13%)
- Domain 4. Communication and Network Security (14%)
- Domain 5. Identity and Access Management (IAM) (13%)
- Domain 6. Security Assessment and Testing (12%)
- Domain 7. Security Operations (13%)
- Domain 8. Software Development Security (10%)
It's tough, but do-able. How long it takes to study will likely depend on how long you've worked in information security.
- Pre-requisites: 5 years of work experience in two or more of the domains listed above (though if you don't have that, you can still pass the exam and become an 'Associate of ISC²', giving you 6 years to gain the required 5 years of work experience. You can also substitute some other certifications or a 4-year degree for a year of required work experience.)
- Cost: ~$750
- Organization: ISC²
For more details on this exam, I wrote a post on my experience taking it here.
Next Steps for Security Certifications
Once you have the two certs above, it's typically time to think about where in security you'd like to specialize, or what you'd like to focus on.
Which certifications you pursue past this point depends heavily on where you'd like your career to go.
CISA: Certified Information Systems Auditor
If you're looking to move into auditing work, this is the certification to take (after your CISSP). It's tough, but not a particularly technical certification. This seems to be slightly less difficult than the CISSP exam.
- Pre-requisites: 5 years of work experience in systems auditing, control or security work (though if you don't have that, you can still pass the exam and have 5 years to gain the required work experience. You can also substitute a 2- or 4-year bachelor's degree for 1-2 years of experience, and a master's degree for a year of required work experience.)
- Cost: ~$760
- Organization: ISACA
CISM: Certified Information Security Manager
If you're interested in being a manager, this is a widely recognized certification, and a good follow up to the CISSP. It's tough, but not particularly technical. This seems to be slightly less difficult than the CISSP exam.
- Pre-requisites: 5 years of work experience in professional information security management (though if you don't have that, you can still pass the exam and have 5 years to gain the required work experience. You can also substitute several other certifications for a year or two of required work experience.)
- Cost: ~$760
- Organization: ISACA
GIAC Certifications
GIAC certifications are extremely well-regarded in the cybersecurity field, but they're also pretty expensive (not including the SANS course that often accompanies the exam).
Typically folks acquire them when their employer is willing to pay for the course + cert attempt. All of their courses are well regarded, but I'd advise starting with GSEC (Security Essentials) or GCIH (Certified Incident Handler).
There are GIAC certifications for pretty much any topic from Security Architecture to Forensics to Network Security. So depending on where you'd like your career to go, or which areas you're looking to upskill in, you can find a GIAC course/cert for that skill.
They vary in difficulty, but are generally regarded as pretty tough, technical certifications.
- Requirements: Most have no requirements
- Cost: ~$2000
- Organization: GIAC
Offensive Security Certified Professional (OSCP)
This is the certification if you're looking to do penetration testing (though some folks start with the GIAC pen testing cert, GPEN, and then move on to the OSCP).
It's tough, it's extremely technical, and it's the gold standard for getting into penetration testing. It is an entry level cert for highly skilled penetration testers, but it's a great place to start.
- Requirements: You have to take their penetration testing course before sitting for the exam
- Cost: ~$1400
- Organization: Offensive Security
**The CRT is a roughly equivalent cert outside of the United States. If you've passed both the OSCP and the CREST Practitioner Security Analyst (CPSA) exam, you can apply for 'CRT equivalency'.
Cloud Certifications
Cloud knowledge (and cloud certifications) are in extremely high demand. They're a particular subset of vendor certifications which are becoming increasingly popular.
I'll cover AWS certs here, as they are among the most commonly requested certifications (AWS is currently the most used cloud platform, followed by Azure, and then GCP).
There's also a large amount of overlap between the cloud platforms, as all three major providers have similar offerings and services and if you can build services on one, it's easier to do so on another.
None of AWS' certifications have any pre-requisites and all certifications are good for three years before requiring re-certification (re-taking the test, or taking a more advanced certification test).
That's different from the rest of the certs on this list, which are typically good forever as long as you pay the maintenance fees and complete some continuing professional education (CPE) credits.
The cost is $100 for the Cloud Practitioner exam, $150 for Associate level exams, and $300 for Professional or Specialty exams.
Cloud Practitioner - This is a good cert if you're working in a non-technical field, but work with technical folks often and you'd like to better understand what they're talking about! I don't recommend it for technical folks, as it's a relatively easy certification and won't demonstrate many technical skills.
While it's no longer a requirement to take one of the associate exams before pursuing a professional level certification, I'd still recommend doing so.
Solutions Architect Associate - Designed for folks who want to understand how applications are structured in AWS and how various services work together. A solid all-around cert for folks in security.
Developer Associate - Tests understanding of how a developer leverages AWS, with a heavy focus on their code pipeline and developer tools. Requires both conceptual knowledge and hands on knowledge of how to write code with AWS. A solid all-around cert for folks in security.
SysOps Administrator Associate - Designed to focus on how a system administrator would use AWS - both a conceptual knowledge of the tools, and some understanding of the exact steps someone would take to administer servers in AWS. A solid all-around cert for folks in security.
Solutions Architect Professional - A far more in-depth look at how various services work together and how you should architect infrastructure. It's a pretty tough, relatively technical exam. A solid all-around certification for folks in security.
DevOps Engineer Professional - A combination of the knowledge required for both the SysOps Administrator and Developer Associate exams, but far more in depth. A useful cert for folks who need a pretty in-depth understanding of DevOps, but not strictly necessary for many security roles.
Specialty: Advanced Networking, Data Analytics, Database, Machine Learning, Security, SAP on AWS
These can be useful to demonstrate specific expertise with AWS services - the Security specialty cert is particularly useful in nearly any cybersecurity role.
Other Vendor Certifications
Many vendors carry their own certifications, and they can be useful if they cover a product you're likely to use often in your role (Splunk certifications, for example).
But you're probably already aware if you fall into this category, and they're generally less broadly applicable than the rest of the certifications on this list.
Before I close out, a brief note: while certifications can be useful, by the time you reach a certain point in your career, you'll see significantly diminishing returns from certifications (with a caveat that this may not apply to specific fields, like government agencies). This is largely because most of your demonstrated value will come with your on-the-job experience.
While certifications are designed to show that someone has a specific skill set, nothing shows that better than someone who can demonstrate they've actually leveraged that skill set/done the thing in the past.
*Of the certs on this list, I currently hold the CISSP and GPEN certs, as well as 4 AWS certifications and a few other third party certifications.