Top 7 Reasons for Security Certification

Here are my top 7 reasons for getting a security certification:

  1. It opens the hiring door. Or more simply stated, employers are looking for them. More and more, if you’re not certified, your resume won’t get past Human Resources. When they scan your application and resume, you’ll end up in the digital delete bucket if the screening software doesn’t see those special letters (CISSP, GIAC, CISA, CCSP, CISM, etc.).
  2. You can command a higher salary. This happens more frequently when you already have a cert and you’re getting hired. However, I earned my CISSP after I was hired, and when I later completed a critical project on time, my new certification made it easier for my boss to convince the VP that I deserved the $5K raise on the spot.
  3. It opens the promotion door. Earning a certification shows initiative and the desire to better yourself and grow. Even if your employer pays for the training and the exam, you still have to do all the work and put your neck on the line, pass or fail. Just make sure you pass so you look like a winner. Employers promote winners. (And if you don’t get promoted within a reasonable amount of time, you’re still more valuable to the next employer, so where’s the downside?)
  4. Certifications say that you’ve spent the time to learn the basics (or prove that you know the basics), and you will only get better. While some certs are more basic and some more technical, no certification is going to make you an expert; a cert just means you’re armed and dangerous and that you can add real value to the business if you can keep a level and humble head. Certs are a foundation that you can continue to build upon.
  5. Your peers and strangers will give you more respect. However, after you open your mouth, you’re on your own; you either solidify that respect or degrade it, but what else is new? You’ve raised the bar of what others expect out of you, and that keeps you on your toes. Just make sure to keep your toenails clipped.
  6. Certs force you to continue to learn. All certs require Continuing Professional Education (CPE) credits to keep them current. It keeps you growing and thinking, and that means you’re hopefully not going to be stuck in a particular rut (like “no smartphones or iPads on my network!”) or go stale.
  7. You are held to a code of ethics. This code can keep you out of trouble and help steer your decisions or approach to solving problems. Several times I’ve decided not to use a certain methodology because it violated one of the codes I adhere to. Codes also uphold the professionalism of the field you’re in and the professionalism and value of the certification itself. In addition, codes can give you a way out when management comes to you with some crazy idea or wants you to look the other way this once.

Agree or Disagree? Leave me a comment, and include any certs you have.

Getting a security certification is even more valuable when you don’t work on the security team, for example as an auditor or IT specialist. Such a cert will give you a sharp edge over others in your immediate field (especially if you already have a cert in your field in addition to the security cert). One Fortune 500 manager told me my CISSP cert was the deciding factor in hiring me as an auditor. At another large company, I was the only CISSP on the audit team, which had more than 20 auditors.

One additional thought:

The next time someone tells you that certifications aren’t necessary, are becoming too common, or that experience is the real differentiator, ask them what certifications they have. Usually the nay-sayers have none, which means they have little authority for their opinion. If they do have any, ask them why they wasted their time getting them. Either way, it should be an interesting discussion.

Related Certification Posts:

Security Certs for Commoners? Nope

Fun CPEs for CISSPs

How to Pass Certification Exams

Top 10 Pay-Boosting Tech Certifications

CISA vs. CIA Certification

FREE CISA Study Guide

Where is the IS in CISA?

More on the CISA Exam

Filed under Audit, Certification, Security, Technology, Top 10

31 responses to “Top 7 Reasons for Security Certification”

  1. coffeeking

    This one came just at the right time, as I am planning to appear for CISM this weekend, and I no longer work in Security but Audit. So this post makes me feel even better about my decision to take this exam. Thanks for posting it!


    • coffeeking,
      Glad I could be of encouragement. I don’t doubt for a moment that CISM will help you in audit and with your peers. And I’m sure you’ll pass. When you do, make sure you come back and brag.

      Do you have any audit certifications? If not, the CISA is a lot easier than you think. If you’ve worked in audit for at least 2 years, it should be easy. I know a former auditor who has the CISA and CISM as well as a bunch of other certs. Having said that, I think the CIA is much more practical and pertinent to audit than the CISA*, but it’s also harder. If you’re interested in the CIA, check whether the CISM exempts you from one of the 4 CIA exams. I’m pretty sure the CISSP exempts you from one.

      * Personally, I think the CISA is a light-weight cert that is way overrated. The problem is, most of the IT auditors I know and that I’ve interviewed have it, so it’s almost “required.” As I’ve said before, most IT auditors I’ve encountered don’t know IT worth a squat even though they’re CISA certified (see my rants about the CISA exam). The CISA means you understand audit, not IT. It should mean you understand the basics of both.

      Always a pleasure to hear from you!


  2. Chris

    Very timely post as I am considering CISSP at the moment to get a bit more of a detailed perspective on security. Currently I have the CISA & CPA designations.

    Do you have a preference for different certs? The article above seems quite CISSP focused.

    One of the drags about these certifications is the high ongoing costs; it is a pity, as it is a de-motivator to collecting them all. I am glad CISSP is more reasonable.


    • Chris,
      Glad you like the post; thanks for taking the time to comment. Depending on your goals (and assuming you do both IT and non-IT audits), I think adding the CISSP would be a tri-fecta!

      I focused on the CISSP because the article from which I quoted focused on it. I like the CISSP because it gets your feet wet and dirty. However, be warned that the CISSP is not like the CISA, it’s M U C H more IT and security focused and quite technical. Be prepared. When I took the test, at least 50% of those who took it with me failed it. It’s doable, but you can’t party and study at the same time like some jokers do.

      My preference is for non-vendor certs as they are broader and don’t need to be upgraded with the software/hardware. For someone going deeper into security and IT, I like the SANS certifications. All the SANS training that I’ve had is top notch, and that’s what my peers tell me too.

      Without knowing more of your goals, I can’t be more specific. The CISSP will help you if you stay anywhere near IT. If you’re going to move out of audit within 2 years and get into IT or security, I’d go for the CISSP next. If your skills are more financial/operational than IT and you are going to stay in audit a while, whether it’s in IT or non-IT or both, I’d suggest getting the CIA. But again, that’s not knowing your goals and more about your specific IT/security skills.

      I’ll talk to one of my buddies who has 6+ certs and see which ones he feels has been the most valuable working as an auditor or security analyst (he’s done both). I’ll leave his input in a comment here, so check back. I’ll try to email you too.

      As for the high ongoing cost of certs, I agree totally. The CISSP is one fee does all; very nice. I was shocked to see how the CISA charges you for membership, the local chapter, and certification (that’s the real tri-fecta that pays off for ISUCKYA (sorry, couldn’t resist)).

      Just make sure you really want/need the next cert before you invest the time and money, because in the long run, you’ll invest lots of both as the years go by. The last thing you want to do is spend the money and the time, and then in 2 years, change goals and drop the cert, diverting all your hard cash and work to drain.

      Good luck and let me know what you end up doing or if you want to discuss further.


  3. Jacqy

    Since you mentioned specifically about CISSP, I must leave something here. The REQUIREMENT for obtaining the CISSP cert is EXPERIENCE. Although ISC2 offers this Associate of ISC2 status, which you will have after paying a hefty fee and passing the CISSP exam, you still need experience in any case. Okay, so you passed the CISSP exam, but how can that convince employers to even consider hiring you when you have no experience? I mean, even if you obtain the official cert of CISSP, you still need to complete 120 credits of CPE (20 minimum) every year. Did I say it right? Yes, EVERY year. That means you have to spend at least a quarter of your occupation just to prove that you are capable of CISSP.

    Bottom line is that CISSP cert is a marketing trap that will eventually drag you down to “Heluva Effort”.


  4. Hi Jacqy,
    Great to hear from you.

    The CISSP, like the CISA and the CIA, and many others, require experience. Agreed. And I think they should. If you have no experience, what do you really have?

    The CISSP requires 120 CPEs total over 3 years, not every year. The minimum per year you must earn is 20. And for $85 per year, that’s not a bad yearly fee. Compare that $ to other certs which don’t carry the same weight.

    A quarter of your occupation getting CPEs? You mean work hours or leisure hours? I’m not sure I follow you. Either way, good employees can usually get a good portion of their CPEs during work hours attending training, seminars, etc. When I’ve been a contractor, that’s been non-existent. It means getting up on Saturdays and Sundays at 5 am to do some free, on-demand training before the family wakes up. A bummer, but still worth it. I get to keep my cert, training is free, and the brain is still expanding. Where’s the downside?

    Generally, the idea is to gain your experience and then get your certification. If you pass the exam first, you are more likely to study and “learn” things you don’t really understand and won’t solidify because you can’t practice it at work. Even if you’re in that spot, there’s always lots of volunteer positions (churches, non-profits, local chapters of groups, and clubs) you can work at here and there to gain experience. Some of it will even count on your cert application as experience.

    I remember when the MCSE was real hot that I had to train an MCSE who could not map a shared drive when given the server name and the share name. I was not an MCSE, but I had experience. You used to be able to get by with just experience in the old days, but it’s getting harder and harder. That’s why I encourage people to get certified.

    As I mentioned in my post, my CISSP has paid off. And I expect it to continue to pay off. My CISA, even though it’s much more expensive and lighter weight, also helped me get a raise. In my case, my certs are a marketing trap; they sure have helped me trap some good jobs and better pay. I know I’m fortunate and this doesn’t happen to everyone. And I don’t claim that certs are for everyone. I know plenty of folks who do okay without certs. More power and dinero to them.

    Jacqy, I’m interested to know what your career has been like and more about why you feel as strongly negative as you do about the CISSP. Either way, thanks for stopping by and sharing your thoughts.


  5. Hey IT Sec,

    I agree with the post, but I just generally have a less rosy view of it. Naturally miserable I think.

    So where you say certification gives you an edge in hiring, I say it’s a necessary evil, but you need to have it to not be held back at recruitment. Where you say it gets you a basic level of respect from your peers, I say it suggests a level of competence which may not always be backed up by the facts. That is probably my main gripe about certifications; as you say, once you open your mouth you are on your own. But how many times can you meet someone without a clue of what they are doing or how it fits in to the broader context, and still maintain any respect for the certification they have on their email signature?

    I think we should implement a big-brother style eviction round for some of these certifications, having a monthly vote on people in your designation who are rubbish and should be sent home. That would improve the value of our qualifications, AND would give us some much needed TV coverage.

    Can I also take you to task on your suggestion that people without certifications aren’t qualified to criticise them … that’s a bit of a circular argument, certainly true in some (most?) people, but surely there are people out there who have enough courage in their convictions that they won’t conform by completing a certification they don’t believe in, even though they could, and yet they are probably the very best people to help understand the other side of the argument? I would think you could be equally dismissive of someone who holds a certification but doesn’t value it; are they really smart enough to enlighten the discussion, given that they are also illogical enough to obtain and maintain something they don’t want?



    • Cow,
      No doubt I am biased, but I don’t think of myself as rosy, but I may be mistaken.

      I agree that certs are a necessary evil, but I would add that they round you out if you really study to learn the material rather than to just pass. Yes, some cert’d folks aren’t worth much (I noted that in my MCSE example), but I would say that is more a reflection of the person rather than the cert. Should the cert be so hard to attain that only the truly gifted could pass? Certs are about knowing the basics, not about being an expert (IMHO). And the certifiers do want to make money, so I think they try to strike a balance between the two. I don’t like the $ aspect, but it’s just true, so let’s admit it. But that doesn’t mean the cert is worthless (pardon the bad pun).

      As for big-brother, I like to depend on the free market. Liars and cheats usually get their due and the word gets around, sometimes way too late, and sometimes never (unfortunately). Companies that keep certified idiots deserve what they get. We all know certified people that we respect, so again, judge the person, not the cert. But I agree that we should be harder on certified people.

      I accept the lashing for not allowing non-cert’d folks to criticize certs; it was most deserved. My weasel point is that I didn’t want people who are too lazy or jealous to complain for just those reasons. Again, I stated that certs aren’t for everyone and some do fine without them. One time I passed over 80 MCSEs to hire a guy who had no certs, and he was the best person I ever hired. And years later, he’s even better. Another guy I hired had no certs and yet was a great techie and good person all around. But in the end, yeah, it is circular. Guilty as charged!

      Cow, thanks for disagreeing. I sure hope others out there take me to task. I’ve always grown more from criticism than from praise. Here’s an open invitation to the rest of you. I can take it.

      I appreciate all the feedback on this topic and look forward to hearing more.


  6. Karl

    This is one excellent blog post on IT audit security, and I would like to ask if you have heard of the CRISC (pronounced “see risk”) by ISACA (refer to

    It seems that the title chase is never ending!


    • Karl,
      Glad you liked the post. Thanks for the kind words.

      Yes. I know about CRISC, and one of my peers has it. IMO it’s not a certification that crosses boundaries like the ones I specifically mentioned. I see it more as an audit/compliance cert, and I haven’t seen much demand for it yet in job descriptions (it’s a relatively new cert). Do you have it?

      If I was looking to get certified in audit/compliance, I’d get the CIA and CISSP before I got the CRISC. You’d get better mileage out of the first 2.

      My peer who earned the CRISC (her latest cert) also has most of the ones I mentioned above (last count was 6 total). Also, many of those who currently have it were grandfathered in, based on other certs and prior experience–interpret that any way you want.

      I’d love to hear from anyone who got the CRISC as their 1st or 2nd cert. I’d be real surprised. I look at the CRISC and the PMP the same way. Sure they will help you, but they are not really necessary IN THIS FIELD. Who needs another cert with annual fees and CPEs?

      I’d love to hear from anyone who has the cert regarding their experience and what the cert means to them.


  7. Good work... and perfect replies too!! The person who does not read the books for CISA or CISSP or any, as a matter of fact, will remain ignorant on most of the actual processes and how they should actually function. Your scope increases drastically, including the monies. Even if you hire a person without a cert and just knowledge, the growth is halted for that person. In these certs, CPE keeps you updated, and that’s what the need of the hour is. MS certs are never ending; these are better and broader. Even if you are a fresher or not, the knowledge you gain after reading these will not kill but enhance your thinking about how to approach new domains and what’s required to get there. It’s a competitive world; adapt to survive.

    Nice work…Buddy


    • Rengigeorge,
      While it’s true that certifications require you to continually get additional training and the CPEs that go with it, I’m not sure I agree with you entirely. Let me explain.

      First, you can get the required CPEs without really learning much. Like everything else, what you sow, you reap. Plenty of folks just get the easiest CPEs as that’s their goal, not sharpening their minds and practice.

      Second, most people that don’t have certs but have great experience are those who constantly tinker, experiment, read, and learn. That’s how they got where they are, and the love and excitement of learning propels them forward.

      So in essence, I agree with you, but not across the board. It IS better to have certs because it forces you to be exposed to learning (whether you learn or not) and usually, certs increase your pay. But I know successful people who shun certs and run circles around you and me, not only in smarts, but in dinero.

      Keep those comments coming. Thanks!


  8. Ntando Sicam

    Interesting comments.
    I am kick-starting my CISSP prep, and then hopefully CISM is next. Thanks!


  9. Alex

    I agree that CISA is a rather weak certification, I really over-studied for the exam in December 2012. Most of the questions were almost common sense questions with few answers requiring deeper consideration (I have a work background in data management and an educational background in both IT and Accounting). The only memorable consequence of the exam for me was the splitting headache I had for the rest of the day after answering 200 multiple choice questions. However, if you do not work in IT audit specifically, CISA will be well worth having for two reasons:

    1) If you get hired by IT generalists as DBAs or ETL engineers/data managers, then first of all, they do not really know what CISA is; they just read the title, which sounds impressive. This title will set you apart from all the other resumes. In addition, what they see in the certification is assurance that what you build or maintain is likely to pass the many internal or external audits they are subject to if the company is publicly traded and/or deals with finance, governmental entities and/or health care. The future is here; it’s about audits and more audits. Furthermore, having CISA allows you to potentially tackle non-IT issues that in your opinion have an impact on IT or IT governance.

    2) If you are hired as an IT consultant by a department competing with IT for limited resources such as Marketing or Finance, then your CISA certification gives you the credentials to intervene against IT for the benefit of your department. Lastly, CFO’s tend to appreciate IT resources that understand IT from an accounting standpoint.


    • Hi Alex,
      Yes, I overstudied too, but a lot of people still fail it.

      I was with you until the end when I saw this: “CFO’s tend to appreciate IT resources that understand IT from an accounting standpoint.”

      I can understand an integrated audit looking at both the IT and accounting side of a system/process, but not sure I get your drift. Would the CIO appreciate me if I looked at accounting from an IT standpoint? Maybe if I figured out a way to reduce storage or increase throughput by reorganizing the order in which jobs crunch the numbers, but that’s still an IT slant.

      Did you mean understanding how the technology and its use might help better understand overall risk of the system? I’d rather someone versed in IT technology and processes look at the IT side and its risks and an accounting person examine the accounting risks. And if someone understood both equally, that would be even better.

      Care to clarify? Thanks.


  10. Schwarz

    Nice read!
    Thanks a lot!
    Now I might not need to be as worried about CISA’s difficulty!
    Speaking as an IT person


    • Schwarz,
      No, I would not worry about the IT part of the CISA. But you need to have the audit piece down pat. Strangely enough, when I took the CISSP, I was pretty confident that I passed. When I took the CISA, I was 50/50. As it turned out, I passed the CISA with flying colors. (They don’t tell you how well you did when you take the CISSP.)


      • Schwarz

        yes, for not having any knowledge in accounting/audit at all… :)
        how much time should I designate to the preparation though, and how much time did you guys take to study prior to the exam?


  11. Schwarz

    Actually, are CISA and CISSP more relevant to accounting or IT?
    In what department/sector do most of you (or holders of the certificate) work?

    Do most of you get a relevant job (security/audit) before studying for the exam OR do most of you get the exam part in order to get the relevant job (that is having done only the exam part but not any of the work experience part)?


    • Schwarz,
      Both CISA and CISSP are more relevant to IT. The CISA does not relate to accounting, but more to the audit process, which is used for operations/financial and IT auditing.

      It helps to pass both exams to have some experience first. You cannot get either cert without some experience; I think it’s 2-3 years.

      Most people get the experience first, then the cert.

      I spent about 6 months reading and studying for the exam, but I always overstudy. About 3 diligent months could do it, but most people have trouble disciplining themselves.


      • Schwarz

        I checked and confirmed I can get the certificate with my work experience (just, marginally maybe). Though I’m not exactly sure it’ll pay off when I get the cert for jobs because it seems most of the job ads require audit/security sort of experience which I don’t have either =\
        Anyways, hope that it’ll improve.
        Good news (bad?) is I checked, the next test date is in Dec so I have more than 6 months to study for it, unless I’m desperate enough to fly to another city for it…lol


  12. BH99

    Hey ITauditSecurity,

    I recently passed my CISA exam, and I’m looking into either doing CRISC or GSNA next. In your opinion, is CRISC worth doing? I want to improve my risk assessment/risk analysis skills (while I am learning on the job). I also want to do a more technical designation, as I feel having a good technical background and knowledge will help you in your career as an Information Security Analyst (since you’re not really hands on, say, as a Security Operations analyst).

    I believe I am having trouble figuring out if I want a career in IT audit or in Information security, and decided that pursuing a CRISC designation or GSNA would help determine my career path.

    Any advice?


    • BH99

      Sorry for my bad grammar; it’s kind of late, and I’m getting tired ;-)


      • BH99,
        No problem on being tired….

        Either cert will be valuable in either IT audit or security, but I think the GSNA would be a better choice and more applicable to both fields. I like the GSNA as it is more technical, whereas the CRISC is more related to risk and controls.

        You could also consider the CISSP, but based on what you told me, I’d go the GSNA route.

        As far as choosing between IT audit and security, I thought I posted something on that, as I’ve done both. I’ll try to find it. I think security is a lot more fun, assuming you’re doing real security projects and assessments, not just doing user ID provisioning. I don’t miss being on call 24/7 as I was in security; in audit, I can go home and forget work. I think security usually pays more, but it demands more too.

        In audit, I can still find the problems and play with the technology, but don’t have to fix the problems.


  13. As a new auditor I am trying to find any certifications that don’t require years upon years of experience. Any insight on this? I will likely transition into the information security side more in time so certifications that cross those boundaries would be the most helpful. I have been leaning towards taking the CISSP at the “associate” level and when the time comes rolling it over into the full certification.


    • Hi John,
      Don’t really know of any. Anyone else know of any?

      The purpose of experience requirements is to help ensure you don’t just pass the exam and wave your certification around as if you really know what you’re talking about.

      If you have the required experience, it is more likely that you not only have head knowledge, but experience where you applied that knowledge in the real world.

      You could look at Security+, which recommends 2 years experience (not sure it is REQUIRED).

      I always say that taking shortcuts doesn’t help you out in the end. Pay your dues the old fashioned way.

      I’ll never forget that I had a boss that forced me to hire a newly minted MCSE that I could tell didn’t understand servers or networks or any of the CBOK. It was apparent in the interview.

      I hired her, tutored her, and she quit within the first year, and not because I was mean to her. She realized she simply couldn’t do the work.

      I bumped into her a few years later and she hadn’t worked in an IT field since.

      I think your CISSP direction is appropriate. Good luck.


  14. Pingback: Quotes of the Weak (NOT) | ITauditSecurity
