All of a cybersecurity professional's knowledge and experience cannot be reduced to their certifications and whether or not they have them. Nonetheless, having certifications shows prospective employers and clients that you understand the knowledge that each certification covers.
It's also worthwhile for employers to invest in their employees by paying for their certification-specific training and exams. Paying for your IT employees to be security certified can be a useful staple in their cybersecurity training. IT workers who are trained in cybersecurity are a key component of your defense against cyberattack. Plus, certifications expire. That compels security practitioners to keep up with changing technology and standards, partly by writing new versions of security certification exams or acquiring CPEs.
A lot of product vendors, such as Cisco and Microsoft, have their own certifications, which may be useful to security practitioners who use their technology. But I'm going to cover vendor neutral security certifications for this post. In my opinion, they're the most important certifications a security practitioner can have.
Security+
I believe the first certification security practitioners should get, before any others, is CompTIA's Security+. It really does cover the basics that all security practitioners should know, regardless of their role.
CompTIA recommends that people who plan to write their Security+ exam should have a couple of years of general networking experience and preferably a CompTIA Network+ certification. I actually acquired my Network+ after I acquired my Security+ and I fared okay.
The Security+ certification covers subject matter such as cryptography, risk identification and mitigation, security infrastructure, identity management, and network access control. I would even recommend the Security+ to people who work as systems administrators or in helpdesk. Understanding the basics of security technology and implementation is useful for all IT roles.
If you acquired Security+ certification prior to January 1st, 2011, you're certified for life. Everyone else is expected to write a new Security+ exam once every three years.
More information can be found on CompTIA's website.
CISSP
This is the big one. This is the vendor neutral security certification that gets the most hype in the job market. CISSP is an acronym for Certified Information Systems Security Professional. If you're at least five years into your cybersecurity career, you should seriously consider studying for (ISC)²'s best-known certification.
I would recommend working toward the CISSP for people in all security roles. (ISC)² requires that all people who'd like to write their CISSP exam have no less than five years of full-time paid work experience in at least two of the eight domains of the CISSP Common Body of Knowledge. They include cloud computing, secure application development, risk management and other areas.
Once you have CISSP certification, (ISC)² requires that you maintain your credential with a minimum of 40 CPE credits per year, and at least 120 CPE credits each three-year period.
More information can be found on (ISC)²'s website.
SSCP
(ISC)²'s Systems Security Certified Practitioner certification isn't mentioned as frequently as their CISSP certification, but it's an important credential to have if you're expected to design an organization's security systems.
(ISC)² will allow you to acquire SSCP certification if you have at least one year of full-time paid work experience in at least one of the seven domains of the SSCP Common Body of Knowledge. They include systems and application security, cryptography, incident response, and access controls among others. Because of that, if you want both an SSCP and a CISSP, I really recommend that you acquire your SSCP first.
To maintain your SSCP certification, (ISC)² expects you to earn a minimum of 20 CPE credits per year, and pay a $65 USD annual maintenance fee.
More information can be found on (ISC)²'s website.
CEH
If you're into penetration testing in any way, getting EC-Council's Certified Ethical Hacker certification is an excellent idea. The CEH covers areas such as the latest security threats, hacking techniques, tools, and methodologies, and advanced attack vectors.
If you have at least two years of information security-related experience of any sort, or attend EC-Council's official training, they will allow you to write the exam.
In order to keep your CEH certification, EC-Council requires that you pay a $100 USD per year renewal fee and update your Continuing Education Credits through the EC-Council Delta Portal.
More information can be found on EC-Council's website.
ECSA
Once you have a CEH certification, EC-Council suggests that you can advance your understanding of penetration testing and your eligibility for various security administrative roles with an EC-Council Certified Security Analyst certification.
The ECSA covers useful knowledge for blue teams as well as red teams. Having an ECSA prepares you to conduct advanced security assessments that identify and mitigate cybersecurity risk across all of your computer infrastructure.
Although it's recommended that you have a CEH before tackling the ECSA, the prerequisites are the same, as are the requirements for maintaining your certification.
More information can be found on EC-Council's website.
CISM
If you're a security practitioner in a business-oriented, organizational security role, it's a good idea to acquire ISACA's Certified Information Security Manager certification.
If you intend to get both (ISC)²'s CISSP and ISACA's CISM, you should probably start working on both around the same point in your information security career. But unlike the CISSP, for a CISM you absolutely must have at least three years of information security management experience in addition to at least five years of general information security experience.
When you study for your CISM, you'll learn about the relationship between overall business objectives and information security objectives. This is great for working with the C-suite on improving a business's cybersecurity! Corporate executives speak the language of money.
People with a CISM are subject to an annual reporting period which begins on January 1st of each year, regardless of which time of year you acquired your certification. There's also a three-year certification period. Those dates vary, and ISACA will let you know when your three-year period occurs. You are required to report at least 120 CPE hours per three-year period, and pay annual CPE maintenance fees to ISACA.
More information can be found on ISACA's website.
In Summary...
Security certifications are very useful. They demonstrate to potential employers that you have knowledge in key cybersecurity areas. Maintaining certification keeps people on their toes, making them lifelong learners by necessity. The number of certifications and the number of organizations which offer them can be overwhelming, especially to newcomers in our industry. Hopefully I'm able to offer a starting point for pursuing the most useful vendor neutral certifications out there.