The SSL Store Susses Out the Top Security Certs for 2020

SSL stands for Secure Sockets Layer. It's a secure protocol for sending information safely over the Internet. Many (if not most) websites use SSL for secure portions of their content, including user account info, online checkout, and other sensitive, private. or confidential information. SSL encrypts data for transmission so that eavesdropping only produces cyphertext that is intelligible only to those with the means to decrypt the transmission.

Websites that employ SSL also use SSL certificates (which include impossibly large and complex keys for encryption to make sure that brute force attacks are extremely unlikely to work). The SSL Store is a prime purveyor of SSL and TLS (Transport Layer Security, an alternative to SSL) technology, of certificates of both kinds, and of various trust offerings and security products. That's why they're well-positioned to understand what's hot in the area of cybersecurity in general, and certification in particular.

The SSL Store's blog is called hashedout (with tongue planted firmly in cheek, because SSL and TLS make extensive use of hashing techniques). This week's post came about because of a new article that ran there on Monday under the headline The Top Cyber Security Certifications Hiring Managers Will Look for in 2020. It's worth a read-through, because it explains how security cert choices should vary by one's specific technical interests and prospective job roles in that field.

Ten Top CyberSecurity Certs for 2020

Here's the list that appears in the article, copied (almost) verbatim from the blog post. My commentary follows afterward:

The 10 Most Sought-After Cyber Security Certifications

Sponsor — Name of Certification (Acronym)

(ISC)² — Certified Information Systems Security Professional (CISSP)

ISACA — Certified Information Security Manager (CISM)

EC-Council — Certified Ethical Hacker (CEH)

ISACA — Certified in Risk and Information Systems Control (CRISC)

(ISC)² — Certified Cloud Security Professional (CCSP)

ISACA — Certified Information Systems Auditor (CISA)

(ISC)² — CISSP: Information Systems Security Management Professional (CISSP-ISSMP)

(ISC)² — CISSP: Information Systems Security Architecture Professional (CISSP-ISSAP)

ISACA — Certified in the Governance of Enterprise IT (CGEIT)

EC-Council — Computer Hacking Forensic Investigator (CHFI)

As such things go, there's not a lot to argue about with what's in the list. I do have some quibbles. I think it's odd that the CISSP "merit badge" certs (ISSMP and ISSAP) are included, simply because most people who earn a CISSP (a pre-requisite for either of those merit badges) are going to hear about them ad nauseam from the sponsor anyway.

It's also interesting that while (ISC)², ISACA and EC-Council rule this list, other major security players like CompTIA (which has four different information security certifications nowadays) and SANS (whose GIAC program includes 60-plus credentials, most highly regarded in the marketplace as well) are entirely missing.

Upon closer examination, though, the top 10 list actually originates from the annual Global Knowledge survey (something I know well, and have even worked on a few iterations of for that company). That data comes from GK's mostly corporate training customers. It's a valid subset of  the marketplace, but not as broad or all-encompassing a sample population as one might like.

I would also like to see more attention paid to certs from the IAPP (the International Association of Privacy Professionals), whose certifications have become increasingly important and valuable in this brave new post-GDPR era.

The Q&A that precedes the top 10 list in the hashedout article is probably the most valuable part of that coverage. There, you'll find interesting answers from a group of information security experts to the following questions, some of them incredibly familiar to me (and readers of this column).

NOTE: I have edited the text of these questions for brevity, clarity, and readability, but tried very hard not to change their meaning or import.

What cyber security certs do you consider the most valuable and why?

Does having one or more certs make an applicant more desirable than candidates who lack them?

Is there a time when experience is more important that certification, or vice-versa?

Have any certs helped you get a job or move up in your career? If so, which ones and why?

When evaluating applicants, is it a deal breaker when someone applying for a cybersecurity job has no such cert?

What certs do you look for when hiring experts for your own teams?

What advice would you give someone who wants to start a career in cyber security or transition from another IT specialty?

All in all it makes for an interesting read. It also reminds us all that, while certification is indeed a boon to those in IT, individuals must learn how to present themselves and explain their skills, knowledge, and career objectives in order to parlay this kind of thing into something truly valuable.