Showing results for 
Show  only  | Search instead for 
Did you mean: 
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Newcomer I

What IT Security Certifications Are Growing As Desired By Employers

According to the Cyber Edge group's 2022 Cyber Threat Defense Report, employers interviewed indicated that certifications in cloud security and software security as shown below are in top demand.  These certifications would include the Certified Cloud Security Professional (CCSP) and Certified Software Security Lifecycle Professionals (CSSLP).    According to the trends I've been tracking on Indeed from employer job postings it appears however, the certification trends posted in employer job openings have the CISSP followed by ISACAs Certified Information Systems Auditor (CISA) as the top certifications. CCSP and CSSLP are among the lower ranked advertised certifications for employer job openings.  Maybe the new trend hasn't caught on yet with employer job advertisements?


Screenshot 2022-09-30 165112.png

Screenshot 2022-09-30 165910.png

19 Replies
Advocate I

The CEH has never been taken seriously since its inception. The only reason the cert took off at all was due to the US DoD listing it as a requirement to satisfy the failed InfoSec regulation they created.


As far as usefulness today most pentesting has been automated save a few client facing applications and network testing done for audit purposes only. Generally, we see as good if not better results from a proper scanning and testing regimen on a dollar per dollar basis then we see boring the daylights out of rows of pentesters every day. 


I have four great case studies on the subject based on past and present clients where we show the cost differential between programs, costs per exploit found and risks involved. 


Please don't embarrass yourself into believing pentesting or the "CEH" has a future.


Contributor III

We do automated pentests, using industry standard tools, before the humans have a go. The meat scanners frequently find things that the automation didn't pick up on.

You do automatic scans - as part of your CI if possible - to find the low-hanging fruit, and human testers to catch the rest.
Newcomer I

I do not believe the second chart.


There are NOT 20,000 CISSP job postings on Indeed.


Look for yourself.


I have been.


For years...

Community Champion

Every time I search, the "locations" menu only lists "remote" and cities in my own country, which I had presumed to explain why my count was less than 20,000.


How do you search Indeed for jobs "globally" or in a different country? 

Advocate I

Indeed for Europe, et. al.


Found any number of sites with similar listings.

Viewer II

Today I ran a Chat GPT query on entry level certs and it seems to suggest that CEH is still in top 5 for whatever reason ... anyway I am planning to sit SSCP exam soon and this puts it in mid range salary bracket. 




It stated that the source for this salary data is "Glassdoor" platform.

Newcomer I

@Beads Thanks for the assuring words. I, as a certified CISSP with a good standing being lookover by someone from the red team is somehow a common theme. Especially if you're not from CS degree (which I am not)  or never breaking to some system (which I will not). 

Any encouragement word for me my good sir? 

Advocate I



Not sure of the context of being "lookover by someone from the red (offense) team being a common theme. Most of the work I am being asked to perform these past couple of years has more to do with software and application security than "cyber". This could very well explain the CS favoritism in your shop. I dunno what to say without more background.


Are you working in pentesting, with a red team member, doing security audit, application security, etc. as you're unclear.


Application security is one of the biggest hiring draws right now in the market, as "cyber" appears to be taking a bit of a rest. Unsuccessful attacks are continuing to go down by 2.5-3.0 percent a year, so we have a bit of a breather, if that helps. I see less pentesting and more day-to-day and personal interaction with developers in the past few years as being my new normal. Again, not sure if that helps, but it is giving us some breathing room to shore up more base problems than simply running around and putting out fires as we have become accustomed to doing for the past 25 years.


Keep asking questions.


- B/Eads

Newcomer III

Just from my experiences, but Cloud certifications are in BiG demand over the past year or two.  Sadly, not so much the CCSP or even CCSK, but rather something/anything for AWS and Azure/M365 since there are so many hybrid environments these days.  Employers/HR want some "hands-on" certifications for these cloud platforms.  As previously mentioned: 1) CISSP (Gold Standard), 2) CISA (to satisfy the Financial/Banking/Auditing community folks), 3) Something from AWS and Azure/M365.  Together, these will get you in the most doors whether you work in operations, engineering/architecture, risk management, DevOps, etc. 
I'm glad ISC2 is [finally] moving away from Concentration to Stand Alone certifications with the ISSAP, ISSEP, ISSMP.  As a long-time security DoD security professional, we were required to obtain the ISSEP years ago when working on three letter agency projects and programs.  I was surprised to learn these certifications weren't valued at all when I transitioned to working commercial markets.  Seriously, we've got LOTS of so-called security engineers and architects who could benefit from these certifications.  Conversely, the ISSEP CBK can be updated (not so three letter agency flavored), and the ISSAP CBK can also be updated since the latest is from 2014.  Personally, I would love to see employers require security engineers to obtain the ISSEP, and security architects the ISSAP at the senior/principal level.  Honestly, ISC2 needs to attack the ISSAP and ISSEP with the same vigor and rigor they do with the CISSP.    
Don't overlook the CompTIA Network+ and Security+.   Plenty of employers require these (at least from the HR perspective) for junior level positions.  Elsewhere, the Risk Management folks like the CRISC (nice to have) and I like it paired with the CGRC if you're looking for an IT Risk Management career.  I took several CEH self-paced courses over the years (e.g., CEH 7, 8, 9, etc.) but never found the CEH to be a useful certification (just my opinion).  I have the Pentest+ (which is a decent entry level certification) but if you're going to a Pentester you really need to obtain the OSCP (Gold Standard).  I'm hoping to take the OSCP later this year...not because I need it as a management type, but I like to keep my technical somewhat up-to-date, which isn't easy when dealing with people, policy, and reports on a daily.    

Newcomer II

ISC2 CC is good to start your transition.