Are Information Security Certifications Worth Your Time?

December 9, 2014  |  Clare Nelson

Career navigation in the information security industry is tricky. The industry is fairly young, and it moves at a breakneck pace. Job requirements have become more specialized and lofty, often without commensurate compensation. Moreover, while there are several legitimate information security certifications, there are also organizations that sell certifications or training, sometimes with lesser quality. This post will explore information security certifications and other means to enhance your career.

Many job seekers are irked when they see (ISC)2 or other sources report that thousands of information security positions will need to be filled in the next few years. What if this is misleading, or only a partial picture of reality? What if there is a small number of high-paying, thrilling, fascinating information security jobs; and a growing number of average, not-so-interesting jobs?

Information security recruitment expert Lee Kushner gave an example in which he was searching for a candidate with combined technical and leadership expertise. He noted that such a combination is hard to find: candidates often have one or the other, not both. Leadership, networking, and ongoing training are critical. Kushner is no fan of certifications, but some posit that certifications can’t hurt, especially early in your information security career.

In May 2014, Brandan Blevins, reporter at SearchSecurity, revisited the ongoing debate about security certifications. He asked Kushner, “What advice would you offer to someone who wants to move from a relatively low-level security operations role to a security management or leadership role?” Kushner replied, “I think that what they should do is they should find internal projects where they can lend their expertise. There they can start taking more of a leadership role internally. The best way to start transitioning your experience is by taking responsibility internally, rather than looking externally. That sounds completely stupid coming from a recruiter. But that is really where it comes down. You have your best internal cachet when you have already built an internal reputation, or a brand for yourself.”

In October 2012, Jeremiah Grossman, founder and CEO of WhiteHat Security, tweeted, “…biggest appsec challenge is the huge shortage of qualified pros: builders, breakers, defenders…”

Which Security Certifications are Worthwhile?

How well respected is Certified Ethical Hacker (CEH)? If you are going to sign up for CEH training, ask for a copy of the syllabus. If it is out of date, complain and walk away. Most CEH courses are designed around the CEH exam, which means the course material lags behind current tooling. For example, one CEH course offered by a highly respected authority still used the old BackTrack penetration testing platform when Kali Linux was already available. When asked why the syllabus was not current, the instructor indicated that the syllabus mapped to the exam, which was still on BackTrack. The bad guys don’t worry about such certifications; they probably laugh at CEH.

If you are new to information security, CISSP may be helpful in getting an interview, although it may not significantly increase your salary. Having a CISSP myself, I can tell you it’s not trivial to get or maintain–it requires hours of study across many security disciplines. However, the value of CISSP and other certifications remains controversial:

  • Recognized by human resources.
  • More important early in one’s career, or for persons transitioning from a different field.
  • Provides theory, but not training.
  • The SANS 2014 survey indicated salary increases of up to 5% for certifications.

There is a bigger salary gap between those who have completed just high school, a bachelor’s degree, or a graduate degree. For example, security professionals with between four and six years of experience and only a high school diploma net an average salary of $75,938. A professional with the same experience and a bachelor’s degree earns an average of $84,619 per year, while a master’s degree or MBA correlates with another large bump in average pay, to $97,109 per year.

Kushner states, "Our clients never say they'll pay $100,000 for a candidate to fill a specific role, but if they've got a certain cert, they'll pay $120,000."

Some argue that leadership, networking, and ongoing training are more important than certifications. This means there is great value in joining professional organizations, attending conferences, and nurturing whatever you are passionate about. The RSA Conference is expensive, but there are BSides events in many major cities. Many BSides cost only $10 and include free food, beer, and door prizes. You can also gain free admission to many conferences by volunteering.

What Can You Do?

There are many steps you can take to achieve your optimal potential, get paid more, and achieve greater job satisfaction.

  • Respected security certifications remain valuable. Consider investing the time and effort.
  • Defend against burnout. The landmark presentation first delivered at the 2011 BSides Las Vegas, then at the RSA Conference, by Josh Corman, Jack Daniel and others, “Burnout in Information Security,” shed light on the topic, bringing it out of the closet and into the foreground.
  • Be responsible for making your job more compelling, thrilling and satisfying.
  • If you write job descriptions, or if you are a manager, be responsible for making jobs more compelling, thrilling and satisfying.
  • If you want to advance, or to have the ability to shape your job more to your liking, build your leadership skills.
  • Join a professional organization, and get involved by volunteering in it, for example OWASP, ISSA, ISACA, IEEE, HackFormers, InfraGard, or HIMSS.
  • Attend security cons and actively network.
      • RSA Conference, DEFCON, Black Hat, BSides, ShmooCon, DerbyCon, LASCON.
  • Give talks.
      • One easy way to give your first talk is to partner with a friend and present it in tandem.
  • Volunteer, and feed your passion.
      • Get involved with groups like www.iamthecavalry.org; they are looking for volunteers in the following domains: medical devices, automotive, home, and public infrastructure.

Is it Easier to Be a Bad Guy?

The DEFCON 17 presentation “Effective Information Security Career Planning,” by Lee Kushner and Mike Murray, included some surprising survey results: more than 50% of respondents indicated they are less than satisfied with their jobs. Only 21% said they are more satisfied.

If the bad guys are happier than we are, how can we beat them?

Ha! By beating them, with all the steps I’ve outlined!

About our Guest Blogger, Clare Nelson, CISSP – Clare is vice president of business development for mobile security leader MetaIntelli. She wrote encrypted TCP/IP variants for NSA early in her career. Later she worked in product management, then marketing and sales. Clare is a member of the Austin OWASP, HIMSS, and ISSA chapters. She was elected to the Austin ISSA Board in 2012 and 2013, and is co-founder of C1ph3r_Qu33ns. She has a degree in mathematics, and is the 2014 USA Yoga National Champion.

Part 2 of this blog is available.