How to Choose a Cybersecurity Certification

For National Cyber Security Awareness Month, we are resharing some of our most popular cyber security blogs from the past year to ensure you stay #CyberAware online - at home or in the office.

Various organizations offer a bewildering array of cybersecurity certifications. What should you pursue? 


I'll start with the U.S. Department of Defense requirements. They apply to many people, and NICE is bringing similar requirements to the rest of the federal government.

You don't work for the U.S. military or government? Then, bear with me because I have more suggestions. 


U.S. Government Requirements

U.S. DoD Directive 8570.01-M defines information assurance workforce categories. The two main tracks are IAT (Information Assurance Technical) and IAM (Information Assurance Management), and each has Levels I, II, and III. Military service members in those positions need the corresponding certification, and so do civilian employees and contractors.

The rest of the government is following DoD. For example, NIST's Special Publication 800-181 describes the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework.

The NICE Framework specifies 7 Categories (high-level groupings of standard cybersecurity functions), 33 Specialty Areas, and 52 Work Roles. Each Work Role requires a set of KSAs: Knowledge, Skills, and Abilities.

Workers demonstrate command of those KSAs through relevant experience or through performance-based education and training. In practice, that means cybersecurity certification tests, so NICE requirements will end up looking a lot like DoD 8570.01-M.

Let's Look at 8570

DoD approves three to six specific certification tests for each IAT and IAM level. A certification approved for one level also satisfies all lower levels in that track.

CompTIA Security+ and (ISC)2 CISSP have become popular because, between them, they satisfy many of these requirements. Let's see why:

[Screenshot of the DoD 8570 approved baseline certification table, from https://iase.disa.mil/iawip/Pages/iabaseline.aspx]

Security+ satisfies IAT Level II (and therefore IAT Level I) as well as IAM Level I. So it gets you started on either track.

CISSP satisfies IAT Level III and IAM Level III. Because a higher level covers the levels below it, that one certification satisfies every level of both tracks.

There's more to 8570 than IAT and IAM. IASAE, the IA System Architecture and Engineering specialty, also has Levels I, II, and III. CISSP qualifies for Levels I and II. Level III, however, needs a CISSP concentration: either CISSP-ISSAP (Information Systems Security Architecture Professional) or CISSP-ISSEP (Information Systems Security Engineering Professional).

In addition, CSSP, the Cybersecurity Service Provider category, comes in five specialties, each with somewhat different certification requirements.

The Classic 8570 One-Two Punch

For most people subject to 8570 requirements, Security+ and CISSP are the obvious choices.

My recommendation is to start your career track with the entry-level Security+. The subject matter isn't all that difficult; the hard part is learning how to get through the exams. You have to get into the "certification test mindset." The questions can be tricky and vague, and the more you know about an area, the more complicated some questions become. Learning Tree's CompTIA Security+® Training shows you what the test covers and, more importantly, what the test is really like.

Your Security+ preparation will also reveal which study methods work best for you; no single technique works for everyone. Once you have passed, you're "in the groove" for CISSP study and testing. Check out Learning Tree's CISSP test prep course for the next step.

Going For A CSSP Position?

Notice in the baseline table that CEH, the Certified Ethical Hacker certification, qualifies you for all but one of the CSSP specialties. Learning Tree's Certified Ethical Hacker (CEH) Training could therefore prepare you for most CSSP positions.

But Maybe You Don't Work For The U.S. Government

Security+ and CISSP are recognized worldwide, and CISSP is particularly highly regarded. One or both will help you get the job and the pay you want.

You could take CISSP as your first cybersecurity certification test, but that's jumping in at the deep end. Security+ is easier and cheaper. Start there.

What else might you consider in addition to these? This gets interesting.

IT Decision Makers Want Cloud Skills With Security

Rackspace recently published a study in which 71% of IT decision-makers said their organizations had lost revenue due to a lack of cloud expertise. Because people stretch "cloud" to mean almost anything involving the Internet or large data sets, Rackspace asked for details.

Respondents were asked to list and rank their ten hardest-to-fill skills. Cloud security was #2 overall, and general, in-house security was #4.

Which skills commanded the highest pay? Cloud security was again #2, barely behind database management, and general cybersecurity was #5.

So yes, there is a demand and good pay for cybersecurity skills.

Which certification might help you here? CompTIA offers a Cloud+ certification. I would also consider certifications in the underlying technologies, especially Linux server administration, because so much of cybersecurity comes down to careful attention to detail in how systems are configured and run. CompTIA Linux+ is the introductory level; Red Hat's RHCSA and RHCE are the serious ones.

Cybersecurity Supply And Demand

The Cyberseek project analyzes the U.S. cybersecurity job market. It is funded by the NICE initiative, CompTIA, and Burning Glass Technologies. Check out their interactive Cybersecurity Heat Map, which lets you compare the supply of and demand for cybersecurity workers nationally, by state, and by metropolitan area.

What jumps out? First, many job postings require Security+, but there's a lot of competition: 32,140 posted jobs require Security+, while 167,776 people hold it.

CISSP is a different story. Over twice as many postings, 72,700, require CISSP, and there is less competition, since only 76,413 people hold it.

There are even better ratios. There are 1.2 jobs for every person holding CISA (Certified Information Systems Auditor), and almost two jobs for every person holding CISM (Certified Information Security Manager). Both of those certifications are from ISACA, the Information Systems Audit and Control Association. The catch is that far fewer postings require CISA or CISM in absolute terms.

Test-prep courses can help you to pass the first time. Check out Learning Tree's collection of exam-prep courses.

Continuing Education

All of these certifications require continuing education to maintain. Learning Tree offers several cybersecurity training courses that can refresh existing knowledge and lead you into new areas. Keep current!

Have you explored our collection of Cybersecurity postings, resources, and courses? Find something new on our Cyber topic page!


This piece was originally posted on Feb 28, 2018, and has been reposted with refreshed formatting.