Return on Investment in security/ Best Security certs to get

Clm Member Posts: 444


Cert      | Positions open for this cert | Bottom Salary | Amount of resumes with this cert
CISSP     | 12,710                       | 75,000        | 9,629
CISM      | 3,796                        | 80,000        | 2,718
CEH       | 2,469                        | 75,000        | 3,315
CISA      | 6,271                        | 75,000        | 3,810
CRISC     | 857                          | 85,000        | 909
OSCP      | 484                          | 75,000        | 194
GIAC(ALL) | 2,297                        | 75,000        | 1,362
CCNA-SEC  | 5,749                        | 60,000        | 26,864
CASP      | 965                          | 70,000        | 1,266




The above chart is data I pulled from the website Indeed.com. I was looking for the best return on investment in the cyber security cert realm. My interpretation puts CISSP as having the best overall ROI. I came to this conclusion because CISSP has the most overall requests at 12,710 and has the biggest gap of jobs to people having this preferred cert: there is a shortage of about 3,081 CISSPs. There will always be margins for error, but in my opinion this is a good representation of where the certs ROI

How they rank to me
1. CISSP
2. CISA
3. CISM
4. GIAC
5. CEH
6. OSCP
6. CRISC
8. CASP
9. CCNA-SEC

Let me know what you think.
I find your lack of Cloud Security Disturbing!!!!!!!!!
Connect with me on LinkedIn https://www.linkedin.com/in/myerscraig

Comments

  • sschwieterman Member Posts: 42
    Awesome data! Seeing it put like that makes me very happy my boss has signed me up for the CISSP!
  • EnderWiggin Member Posts: 551
    I'd say the best ROI would be the OSCP, since there are only 40.1% of candidates with the cert as there are positions. The CISM is another good one, as it pays an extra five grand, and only has 71.6% candidates as there are positions, as opposed to CISSP which has 75.5% candidates for the available positions.
  • Clm Member Posts: 444
    EnderWiggin wrote: »
    I'd say the best ROI would be the OSCP, since there are only 40.1% of candidates with the cert as there are positions. The CISM is another good one, as it pays an extra five grand, and only has 71.6% candidates as there are positions, as opposed to CISSP which has 75.5% candidates for the available positions.

    Yes, but the only problem with OSCP is that there aren't nearly as many spots open. From a percents standpoint yes, but from a numbers standpoint CISSP has over 6 times as many open positions as OSCP has positions total. Also 12,710 to 484; I feel like because HR is looking for more CISSP it's better.

  • TheFORCE Member Posts: 2,297
    Good analysis. I wouldn't correlate the data 100% though.
  • OctalDump Member Posts: 1,722
    A couple of things to make this more complicated - the number of openings isn't sufficient to estimate the supply/demand question. It can be more lucrative to get into a field with much higher demand than supply, since you can more quickly get work (less competition) and negotiate a better deal. The other thing is a reminder for people to look at the details of their specific market. The national market might be really good for certification x, but if most of those good paying jobs are in places you don't want to work...

    But I think that this is a better effort than most of these things we see. It would be interesting to see also an analysis of job listings with multiple certificates listed.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • danny069 Member Posts: 1,025
    It will be interesting to compare this chart 5 years from now.
    I am a Jack of all trades, Master of None
  • EnderWiggin Member Posts: 551
    Clm wrote: »
    Yes, but the only problem with OSCP is that there aren't nearly as many spots open. From a percents standpoint yes, but from a numbers standpoint CISSP has over 6 times as many open positions as OSCP has positions total. Also 12,710 to 484; I feel like because HR is looking for more CISSP it's better.
    There are more open positions, sure, but there are also a lot more people to compete with. There's less competition with the OSCP, which brings the best return in my eyes.
  • Ritual Member Posts: 66
    EnderWiggin wrote: »
    There are more open positions, sure, but there are also a lot more people to compete with. There's less competition with the OSCP, which brings the best return in my eyes.

    I agree that the OSCP is the best right now for ROI according to the chart, but is the demand for pentesting going to improve at all? Will this specialization decline? It's something that needs to be weighted into the equation.

    I personally think the skills of an OSCP will stay in demand, and with more and more connected and distributed services, security testing will grow to an even larger industry than it is now.
    2016 goals - eJPT, MCSA Windows 10, something Linux
  • firemike314 Member Posts: 62
    I take it this pull is with no experience then? The numbers I am seeing with at least 8 years experience with CASP or CISSP and even CEH are a lot higher, my friend. I also noticed edu. plays a part in it. If you have a Masters, CASP or CISSP, with experience let's say 6 years +; looking at around 95k to start.
  • Clm Member Posts: 444
    firemike314 wrote: »
    I take it this pull is with no experience then? The numbers I am seeing with at least 8 years experience with CASP or CISSP and even CEH are a lot higher, my friend. I also noticed edu. plays a part in it. If you have a Masters, CASP or CISSP, with experience let's say 6 years +; looking at around 95k to start.

    The pay rates are the bottom pay offered by the companies. I know you can definitely make more; I make more and only have one of the certs and an AA.

  • Clm Member Posts: 444
    EnderWiggin wrote: »
    There are more open positions, sure, but there are also a lot more people to compete with. There's less competition with the OSCP, which brings the best return in my eyes.

    Well hey, difference of opinions, no problem in that. Either one could potentially boost your career, but I'm going to stack them up so I'm ensured employability.



    Ritual wrote: »
    I agree that the OSCP is the best right now for ROI according to the chart, but is the demand for pentesting going to improve at all? Will this specialization decline? It's something that needs to be weighted into the equation.

    I personally think the skills of an OSCP will stay in demand, and with more and more connected and distributed services, security testing will grow to an even larger industry than it is now.

    I think the more offensive type security, vuln scanning and auditing will grow in the future. As more and more companies get hacked, they're going to want a more advanced system administrator who focuses on security as their customer service.

    My only question: do you think they will develop more automated security?

  • gespenstern Member Posts: 1,243
    Thanks, nice research. Certainly much more informative than survey results we see here periodically.
  • EnderWiggin Member Posts: 551
    Ritual wrote: »
    I agree that the OSCP is the best right now for ROI according to the chart, but is the demand for pentesting going to improve at all? Will this specialization decline? It's something that needs to be weighted into the equation.

    I personally think the skills of an OSCP will stay in demand, and with more and more connected and distributed services, security testing will grow to an even larger industry than it is now.
    Another factor to consider is that with the CISSP, you're paying for just a test, and then have to pay almost a hundred bucks every year to keep it active. So after a few years, it costs more than the OSCP, but the OSCP provides educational resources with the cost of the cert.
    Clm wrote: »
    Well hey, difference of opinions, no problem in that. Either one could potentially boost your career, but I'm going to stack them up so I'm ensured employability.
    Stacking them up is definitely the way to go, and makes this whole discussion moot haha
  • the_Grinch Member Posts: 4,165
    I know upon getting my CISSP I received a lot more calls and inquiries about various positions. Thus for the money and time I would say the CISSP would be the way to go. I can agree that OSCP is definitely a good one to have, but it would also require that you paint it in the proper light. OSCP is good for more than just pentesting, though obviously it is geared more towards that realm. You would make a great addition to a hunt team if you have the OSCP since you understand how an attack would work and thus know how to find indications of compromise along with how to detect compromises in near real time.

    Ultimately, you can have all the certifications in the world, but experience is going to truly be the difference between getting hired or not. Long ago I learned that obtaining a certification will not get you the job. It might get you the interview, but once you get that the rest will come down to experience.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • DatabaseHead Member Posts: 2,754
    Strictly on volume it has to be the CISSP.


    Interesting Sec + isn't listed.
  • Clm Member Posts: 444
    EnderWiggin wrote: »
    Another factor to consider is that with the CISSP, you're paying for just a test, and then have to pay almost a hundred bucks every year to keep it active. So after a few years, it costs more than the OSCP, but the OSCP provides educational resources with the cost of the cert.

    EnderWiggin wrote: »
    Stacking them up is definitely the way to go, and makes this whole discussion moot haha

    Lol yeah, but I feel like there are a lot of people who are only looking to get one cert, so they should make the best decision on that one cert.

    the_Grinch wrote: »
    I know upon getting my CISSP I received a lot more calls and inquiries about various positions. Thus for the money and time I would say the CISSP would be the way to go. I can agree that OSCP is definitely a good one to have, but it would also require that you paint it in the proper light. OSCP is good for more than just pentesting, though obviously it is geared more towards that realm. You would make a great addition to a hunt team if you have the OSCP since you understand how an attack would work and thus know how to find indications of compromise along with how to detect compromises in near real time.

    Ultimately, you can have all the certifications in the world, but experience is going to truly be the difference between getting hired or not. Long ago I learned that obtaining a certification will not get you the job. It might get you the interview, but once you get that the rest will come down to experience.

    I agree you need experience. I only use certs as tickets to get an interview, and then I wow them with my knowledge, skills and expertise, oh, and a little charm.



    DatabaseHead wrote: »
    Strictly on volume it has to be the CISSP.

    Interesting Sec + isn't listed.

    To me SEC+ is an entry level cert, and the certs I posted are more mid level to advanced in my opinion.

  • 636-555-3226 Member Posts: 975
    ::sigh:: looks like my 2017 objectives are going to have to be CASP and CEH. Just for S&G maybe I'll take them both cold just to challenge myself....
  • NetworkNewb Member Posts: 3,298
    636-555-3226 wrote: »
    ::sigh:: looks like my 2017 objectives are going to have to be CASP and CEH. Just for S&G maybe I'll take them both cold just to challenge myself....

    If you are in security and you aren't making those bottom salaries already I assume they would definitely help! :p
  • billDFW Member Posts: 45
    Any rough idea on what a Sec+ and PMP holder would earn? How much interest would companies/recruiters/HR have in that guy?
  • Danielm7 Member Posts: 2,310
    billDFW wrote: »
    Any rough idea on what a Sec+ and PMP holder would earn? How much interest would companies/recruiters/HR have in that guy?


    Just the certs alone there is no way to know that. If you have a PMP I believe you'd have a fair bit of proven project management experience. If you were looking for a PM role and wanted the sec+ to show you know security basics, you'd likely get paid more than just trying to be an entry level tech/security role who doesn't manage projects.
  • Clm Member Posts: 444
    Danielm7 wrote: »
    Just the certs alone there is no way to know that. If you have a PMP I believe you'd have a fair bit of proven project management experience. If you were looking for a PM role and wanted the sec+ to show you know security basics, you'd likely get paid more than just trying to be an entry level tech/security role who doesn't manage projects.

    I agree with Danielm7. If I was in your position I would try for PM positions that are security focused; that's where your best bet is at. Now for pay, it all depends: how many years of PM experience do you have? Where are you located? Degrees?

  • beads Member Posts: 1,533
    Known and worked with a few associate and fully accredited PMPs working on security projects. These people definitely do not need or warrant a CISSP. I hold both credentials myself but can tell you the security side of the project is FAR more interesting to me than being the group secretary - which is all I view my PMs as.

    As far as the difference in coin? Last year seasoned PMs were getting offers far in excess of CISSPs because of the lag in the market. Then you see a bunch of people race to complete the full PMP with little to no actual experience on the PM side and voilà! Another PM who really has no clue as to what they are trying to accomplish save note taking. With that I will say I have two awesome PMs that I work with that make my PM side of my life a dream. Worked with insta-PM and insta-CISSPs with much the same disappointment.

    I prefer Payscale as their averages tend to be widely accepted in the industry and less biased than say a training vendor.

    Certified Information Systems Security Professional (CISSP) Certification Salary, Average Salaries | PayScale
    Project Management Professional (PMP) Certification Salary, Average Salaries | PayScale


    Given the above looks like CISSP in the short term is the winner. Long term the PMP will advance farther over time and lead to better generalist roles within management.

    YMMV

    - b/eads