Cybersecurity professionals can choose from an abundance of certifications to add to their security scout sashes, with new programs constantly emerging. Certifications can have value in showing an individual has achieved a certain level of competence, but not all security accreditations are equal. To be worthwhile, certifications should come from reputable, established agencies and fit participants' professional goals.
When security practitioners consider pursuing new credentials, they should first weigh where they are in their careers and where they want to go. Initially, it makes sense to pursue educational opportunities that focus on practical skills and technical aptitude. As they take on more senior roles, however, those aspiring to the rank of CISO should shift their focus to management and strategy competencies.
The CISO role is demanding, but it can also be personally and financially rewarding, with some of the largest companies' cybersecurity executives commanding more than $500,000 annually. While professional designations don't guarantee C-suite positions, the right ones can help position a security leader to land the field's top job.
The best certifications for aspiring CISOs include the following:
- Certified Information Systems Security Professional (CISSP);
- Certified Chief Information Security Officer (CCISO); and
- Certified Information Security Manager (CISM).
CISSP is the best-known and most widely accepted cybersecurity certification available. (ISC)² has issued the certification since 1994. In 2020, an independent benchmarking evaluation by a U.K. government agency found CISSP is roughly equivalent to a master's degree in cybersecurity.
While many security designations focus exclusively on technical content, CISSP also covers midlevel managerial skills. This dual emphasis makes it particularly valuable for aspiring security leaders, many of whom have extensive practical expertise but less management experience.
The CISSP Common Body of Knowledge (CBK) covers the following eight domains:
- Security and Risk Management (15% of exam)
- Asset Security (10% of exam)
- Security Architecture and Engineering (13% of exam)
- Communication and Network Security (13% of exam)
- Identity and Access Management (13% of exam)
- Security Assessment and Testing (12% of exam)
- Security Operations (13% of exam)
- Software Development Security (11% of exam)
To qualify for CISSP, applicants must demonstrate they have worked four to five years -- depending on their educational backgrounds -- in at least two of eight CBK domains. Candidates must score at least 70% to pass the exam.
Globally, more than 180,000 professionals hold CISSP certifications today. (ISC)² requires CISSPs earn 40 continuing professional education (CPE) credits annually and complete recertification every three years.
EC-Council explicitly developed CCISO to help CISSPs and other experienced cybersecurity managers become executives. While CISSP focuses primarily on middle-management capabilities, the CCISO course teaches C-level business competencies, such as budgeting, strategic planning and vendor management.
It's worth noting that a security leader likely doesn't need both a CCISO and an MBA because the content overlaps significantly. From an education standpoint, both a CISSP with a CCISO and a CISSP with an MBA would be well positioned to step into the C-suite.
To qualify for the CCISO exam, applicants must demonstrate five years of experience in three to five of the following domains, depending on whether they participated in authorized EC-Council training:
- Governance, Risk and Compliance (21% of exam)
- Information Security Controls and Audit Management (20% of exam)
- Security Program Management and Operations (21% of exam)
- Information Security Core Competencies (19% of exam)
- Strategic Planning, Finance, Procurement and Third-Party Management (19% of exam)
EC-Council's optional training packages, which include the cost of the exam, range from $2,499 to $3,499. Those who opt not to enroll in training must pay an eligibility application fee of $100 and purchase an exam voucher for $999.
Participants have two-and-a-half hours to complete the CCISO exam, which consists of 150 questions that span the above topic areas. Passing scores vary -- between 60% and 85% -- depending on the degree of difficulty of the specific question bank. A CCISO must earn 120 CPE credits every three years for recertification.
CISSP and CCISO are arguably the two certifications that most closely align with the office of the CISO, and they are likely to serve aspiring security executives well.
Another solid certification option is ISACA's CISM. Like CISSP, it aims to teach midlevel managerial and decision-making skills to security technologists. Unlike CISSP, however, CISM focuses mostly on governance and management capabilities, with less emphasis on technical knowledge.
To qualify for CISM, applicants must have three to five years of experience in information security, depending on their educational and professional backgrounds. The exam lasts four hours and consists of a total of 150 multiple-choice questions in the following areas:
- Information Security Governance (17% of exam)
- Information Security Risk Management (20% of exam)
- Incident Management (30% of exam)
- Information Security Program (33% of exam)
Currently, more than 48,000 professionals hold CISM designations worldwide. To maintain certification, CISMs must complete at least 20 hours of CPE per year and 120 CPE hours every three years.
Many additional cybersecurity certifications provide valuable education and expertise but don't necessarily position a professional for the CISO job.
Certified Information Systems Auditor (CISA), for example, is another popular ISACA certification. At Nemertes, we typically see folks with this certification working in compliance, falling under the purview of the chief risk officer. In our estimation, best practice is to separate the auditing function from security enforcement due to the inherent conflict of interest between the two. A CISA certification is, therefore, not usually the best or most obvious steppingstone to the CISO office.
In another example, EC-Council issues the Certified Ethical Hacker (CEH) exam, which is demanding and highly reputable. Most ethical hackers work on the internal audit side of the enterprise, however, or in external penetration testing companies -- not stops on the typical CISO career path. That said, a CEH certainly could become a CISO, perhaps one who benefits from the deep technical expertise the certification requires.
In general, however, CISSP, CCISO and CISM certifications are likely the best options for someone whose primary goal is to become a security executive in the enterprise.