IT Security Certifications: Which Ones Matter?


In a fascinating story for NetworkWorld, Senior Principal Analyst for the Enterprise Strategy Group Jon Oltsik distills the results of a recent annual research report titled The State of Cyber Security Professional Careers.


Oltsik is also credited as the author of that report, and works for one of its two sponsors. The other sponsor is the ISSA (aka the Information Systems Security Association, a professional association for cybersecurity professionals to which I myself belong).


The two groups surveyed 437 ISSA member information security professionals in mid-2016. The data gathered led Oltsik and others to draw some interesting conclusions about that population, conclusions that can be projected onto the wider body of cybersecurity professionals worldwide.


I'll summarize some high points here, but the report is worth grabbing and reading from stem to stern, especially if you work (or are thinking about working) in the infosec region within the wider IT realm.


The bar chart seen below indicates the leading responses to the question: "Which cybersecurity certifications do you hold?" The responses indicate that, at least among ISSA membership (11,000 strong or thereabouts, according to Leslie Kesselring, the ISSA's PR representative), there is only a very small number of credentials that really register on their overall radar.


Four certs to be precise, ranked as follows by the percentage of survey respondents who hold them: CISSP (56 percent), Security+ (19 percent), CISM (17 percent), and CISA (16 percent).


[Figure 1: bar chart of responses to "Which cybersecurity certifications do you hold?"]

Source: The Truth About Cybersecurity Certifications, NetworkWorld, Jon Oltsik, Oct. 12, 2016.


As somebody who's tracked the infosec certification landscape closely for more than a decade (with a set of certification surveys dating back to 2003 to prove it), I was surprised to see such a small number. I was also surprised to see that the SANS GIAC (Global Information Assurance Certification) program failed to register with this audience at a level comparable to the other items already mentioned.


I'm reaching out to Mr. Oltsik of the ESG to see if he can open up his data for me to peer into a bit more closely — I'd like to see what else showed up in the replies of survey respondents. If I learn anything interesting, I'll follow up on it here.


At this point, I only know that none of the hundreds of other infosec certs available in the marketplace registered close to the 16 percent cited for the ISACA's Certified Information Systems Auditor (CISA) credential.



Other high points worth noting from the report include the following:


• Cybersecurity professionals perceive a "moral imperative" in their job roles, and take pride in using technical skills and knowledge to protect IT and business assets (27 percent of respondents), or see morality in working in infosec (22 percent).


• Most cybersecurity professionals started out in IT: 78 percent reported starting their careers under the IT umbrella, and then evolving into a focus on cybersecurity.


• Most cybersecurity professionals struggle to define a career path for themselves: 65 percent reported having no clear career path, nor formal plans to move their careers to the next level. The report attributes this chaotic situation to wide diversity in "cybersecurity focus areas, the lack of a well-defined professional career development standard and map, and the rapid changes in the cyber security field itself."

It goes on to voice a call for action to businesses, IT in general, cybersecurity managers, academics and public policy leaders to try to impose some order on this chaos and to create "formal cybersecurity guidelines and frameworks" to better guide cybersecurity professionals in career planning and development efforts. For what it's worth, I concur wholeheartedly.


• The survey found that cybersecurity certifications "are a mixed bag." Outside the CISSP, the report cites only a lukewarm response to other security credentials, and goes on to say that "security certifications should be encouraged for specific roles and responsibilities, but downplayed as part of a cybersecurity professional's overall career and skills development."

Elsewhere in the report the authors argue that the combination of hands-on work experience and mentoring from more seasoned cybersecurity professionals trumps certifications both roundly and soundly.


This is just the tip of the iceberg as far as information and insight found in the report is concerned. Please grab yourself a copy and give it a read. Lots of good stuff here!


About the Author

Ed Tittel is a 30-plus-year computer industry veteran who's worked as a software developer, technical marketer, consultant, author, and researcher. Author of many books and articles, Ed also writes on certification topics for Tech Target, ComputerWorld and Win10.Guru. Check out his website, where he also blogs daily on Windows 10 and 11 topics.