Are infosec certifications the best way to boost your salary?

As companies become increasingly exposed, they’re willing to pay a premium for good help

Reports that information-security and risk expertise attract salary premiums have long been rife, but the extent of the gap has now been quantified, even as new training courses and partnerships expand the range of available security specialisations.

Four of the highest-ranked certifications on the latest Global Knowledge list of the industry’s top-paying certifications are offered by industry association ISACA, whose Certified in the Governance of Enterprise IT (CGEIT) specialisation was found to attract a 22 percent premium (an average of $US121,363 ($A156,500) per year) over the 15th-ranked certification, the Citrix Certified Associate – Networking (CCA-N), at $US99,217 ($A128,000) per year.

More than 20,000 professionals hold ISACA’s Certified in Risk and Information Systems Control (CRISC) certification, which ranked sixth with a $US111,049 ($A143,000) salary. It is closely followed by Certified Information Security Manager (CISM), which is held by 38,000 professionals and attracts an average salary of $US108,043 ($A139,000).

The association’s longest-running certification, Certified Information Systems Auditor (CISA), is held by more than 130,000 people and drives an average salary of $US99,684 ($A128,600).

“Better governance of information and technology has a clear impact on improving business results,” ISACA CEO Matt Loeb, himself a holder of CGEIT certification, said in a statement. “Individuals who are certified in this are in demand for more highly compensated positions.”

Cybersecurity expertise topped the list of skills that recruitment giant Hays IT recently suggested would help future-proof job-seekers’ careers.

Finance, insurance, utilities, and retail industries “are all competing for top talent in these areas right now,” the firm’s analysis noted, “but there’s no doubt all industries will eventually be affected.”

Does certification increase employees’ value?

Interestingly, perceptions of the job prospects that upskilling brings vary dramatically with age. A new Hays IT survey of 1,254 professionals found that 5 percent said upskilling leads to an immediate salary increase, while 54 percent – including 71 percent of Millennials, 56 percent of Gen-Xers, and 40 percent of Baby Boomers – believed it would have financial benefits in the long term.

Other top-earning certifications on Global Knowledge’s list include AWS Certified Architects ($US121,292/$A156,500) and Developers ($US114,148/$A147,250); Six Sigma Green Belts ($US104,099/$A134,300); and Certified Ethical Hacker (CEH), at $US106,375 ($A137,250).

The strong showing for CEH-qualified security professionals reflects growing enterprise demand for battle-hardened hackers who can be enlisted to strengthen corporate information-security defences.

Such staff can be hard to come by, and most companies have yet to organise regular penetration-testing exercises or ‘live’ Red Team exercises, in which the targets are unaware of the methods or tools used by the ‘attackers’.

A recent CyberArk survey of 1,300 IT professionals found that just 8 percent of security decision-makers regularly run red-team exercises.

Also problematic was the finding that 46 percent of respondents said their organisation’s security strategy rarely changes substantially – even after the company has been breached in a cyber attack.

The figures represent a challenging industry inertia amongst corporate information users, with CyberArk’s analysis noting the need for security teams “to reset expectations around where security priorities and spend should be focused.”

“We are still seeing cases where budgets are disproportionally focused on perimeter defences,” the analysis continues. “It’s what can be done to mitigate threats once attackers are inside – and they will get in – that should be prioritised and become a board-level discussion.”

Changing this discussion is an increasingly important part of companies’ engagements with certified information-security and corporate-risk specialists, whose skill sets are in demand as companies scramble to meet the requirements of new compliance regulations, including Notifiable Data Breach (NDB) legislation and the EU General Data Protection Regulation (GDPR).

A recent Australian Cyber Security Growth Network (ACSGN) analysis found that Australia would need around 11,000 additional cyber security workers in the next decade just to meet ‘business-as-usual’ demand forecasts.