It still pays to be both cleared and certified, and average salaries can be significantly higher given the demands today for those working in cybersecurity in the government sector. There is a serious demand for IT professionals skilled in information security.

In 2016 there were more than 200,000 security positions available in the United States, and industry forecasts suggest that number could grow to 1.5 million positions globally in just two years.

Top of the Top

First and foremost there is no wrong certification to have, but some definitely offer more than others. According to the results of a survey conducted by Global Knowledge there are several certifications that could be considered on the “must have” list for anyone looking for a leg up on the competition.

Leading the pack of recommended certifications was the Certified in Risk and Information Systems Control (CRISC), which is managed by the non-profit group ISACA – formerly the Information Systems Audit and Control Association. It was introduced in 2010, and while only 20,000 people worldwide have earned this credential, 96 percent who have it keep it current. It isn’t the easiest to obtain either, and those seeking it must have at least three years of experience in at least two of the four areas that the certification covers. It is also only offered during three eight-week windows per year – but with an average salary of $131,298 for those with the certification, it is worth it.

A close second in IT certifications is the Certified Information Security Manager (CISM), which was also created and managed by ISACA. It is not as exclusive – more than 32,000 people have been certified since 2002. But it is exclusive enough, which is why it offers an average salary of $129,156.

According to Global Knowledge, other top-paying certifications include AWS Certified Solutions Architect, Certified Information Systems Security Professional (CISSP), Project Management Professional (PMP), and Certified Information Systems Auditor.

For those IT professionals in information security there are several certifications that are also considered “must have” to advance one’s career. Security-related jobs do cover a lot of ground, however, so choose your “must haves” accordingly. CompTIA Security+, CEH: Certified Ethical Hacker, GSEC: SANS GIAC Security Essentials, Microsoft Certified Solutions Expert (MCSE) – Server Infrastructure, Microsoft Certified Solutions Associate (MCSA) – Windows Server 2008, Microsoft Certified Solutions Associate (MCSA) – Windows Server 2012 and Cisco Certified Networking Professional (CCNP) Routing & Switching also appear high on the list of certifications to get.

Certifications that could be deemed “honorable mention” include CompTIA Network+, Cisco CCNA Routing and Switching and Security+.

Do Certifications Pay?

“Certifications definitely pay off,” said Jim Purtilo, associate professor in the computer science department at the University of Maryland. “Just not necessarily for the professionals who hold them.”

Government contractors who invoice based on rate schedules get to charge more for an hour of someone’s time when they have more credentials, so the company has incentive to hire people with one or another certification, Purtilo added.

“Well respected internationally recognized (vendor neutral) trade association certifications such as CISSP, PMP, CISA, CISM, CEH and other similar certifications do open doors and could give candidates a strong salary negotiations advantage,” said Mansur Hasib, program chair, cybersecurity technology program at the University of Maryland University College. “When combined with earned degrees from properly accredited universities and respected academic programs recognized by NSA and DHS, a salary bump is much more likely.”

When it comes to obtaining a certification, the value may not be in possessing the certification, but in validating the skill.

“When I talk with companies, I almost never hear them say they seek certifications based on what it means the employee knows; whether these mean better products isn’t as important as billing more per unit of time,” Purtilo told ClearanceJobs. “Some are certainly useful but the market value of many certifications is driven by ‘rent seeking’ behavior more so than quality. I think if regulatory demand for them went away, then so would many of the certifications.”

A less rosy view of certifications is taken by Adriel Desautels, manager and CEO of Netragard, a firm that specializes in the delivery of threat penetration testing services.

“Certifications are largely a component of ‘political security’ but offer no real value or measure in terms of capability,” Desautels told ClearanceJobs. “Some of the best people we’ve worked with have no certifications but instead are self-taught and extremely advanced as far as capability.”

He added that others have had certifications and yet were hardly able to hack their way out of a wet paper bag.

“The real key to value is expertise which is a product of real-world experience,” added Desautels. “There exist two classes of security: ‘political security,’ which present the appearance of good security while not actually having good security, and this is the unfortunate industry norm which is why breaches happen so frequently; and ‘genuine security,’ which to be truly secure and security focused not appearance focused.”

Vendor specific certifications may have limitations too.

“Most of these certifications only prove you may know how to navigate through a vendor’s complex software,” Hasib told ClearanceJobs. “Sometimes, vendor focus can result in tunnel vision. Trade association non-vendor certifications which demonstrate that a type of skill set such as auditing, leading or managing cybersecurity, is far more useful.

“My recommendation is always to develop critical thinking, and problem solving and integration skills,” Hasib added. “Vendor certifications are primarily focused on driving up sales for a particular vendor. Cybersecurity professionals have to be vendor agnostic, interdisciplinary and be able to work with a variety of systems.”

In the end, landing a good-paying job may come down not to certification but to a more rounded education and experience.

“Prospects for long term advancement are still rosiest for people holding the traditional degrees and majors, and less so for people who emphasized tech training,” explained Purtilo. “It takes more than certifications to get to the C-Suite. To me this confirms the enduring value of a classical undergraduate education which helps young people learn to communicate, reason, plan and interact, all no matter what technology happens to be hot at the time.”

Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.