
What CISO certifications are the most important to have?

There are multitudes of cybersecurity certifications, but which are the best CISO certifications? Expert Mike O. Villegas discusses the most effective combination of credentials.

New research from security vendor Digital Guardian found that the CISOs and security managers of Fortune 100 companies hold an average of 2.86 technical certifications, with CISSP being the most popular of the common CISO certifications. What are some other CISO certifications that should be considered? And should that average be higher for top CISOs?

Certifications alone do not prove someone is qualified to perform the role of a CISO. There are plenty of individuals who hold several cybersecurity certifications but lack the personal qualities, communication skills, technical skills or work experience required for a CISO or cybersecurity professional position. However, this does not mean cybersecurity certifications are unimportant. By passing these examinations, holders of cybersecurity certifications have demonstrated that they possess the foundational knowledge, the Common Body of Knowledge, expected of a CISO. Without these certifications, a CISO candidate is unlikely to get the opportunity to demonstrate his other qualities and experience. The same can be said for higher education degrees.

Digital Guardian reported in 2016 that 53 of the Fortune 100 CISOs held the CISSP certification and 22 held the CISM. The top five certifications held by Fortune 100 CISOs are CISSP, CISM, ITIL, CISA and CRISC. ISACA's "State of Cybersecurity: Implications for 2016" report, issued in March 2016, states that "the 2015 respondents [461 cybersecurity professionals] reported that lack of hands-on skills is the most important factor in judging a candidate not qualified for a position. The second most frequent reason for not considering a candidate qualified is lack of a certification." In practice, a candidate without a cybersecurity certification was frequently screened out before ever being considered for the job.

The Fortune 100 CISOs have an impressive list of credentials, but CISOs outside that list, at both private and public companies, have an equally impressive list. However, there are exceptions to every rule. There are CISOs who do not have a CISSP or CISM; there are those who do not have graduate degrees, or even undergraduate degrees, in cybersecurity or CIS; and there are those who were assigned the CISO position with little knowledge of cybersecurity. But all have one thing in common: they hold a position within a company that allows them to set the direction, program, deployment and maintenance of information protection. How well they achieve that is ultimately reflected in their tenure.

The ISACA State of Cybersecurity report also asked, "What are the most significant skills gaps you or your organization sees among today's cybersecurity/information security professionals?" Of the 842 respondents to this question, 75% cited the ability to understand the business, 61% cited communication skills and 61% cited technical skills as lacking in the industry.

The most effective complement of CISO certifications is the CISSP, the CISM or CISA, and a CPA or MBA. The technical SANS certifications are also an option for CISOs, but pairing a cybersecurity certification with a business certification or degree is the most powerful combination, because it covers the business-understanding gap the ISACA respondents cited most often.



This was last published in November 2016
