For the second year in a row, there will be one million IT security job openings that will go unfilled in 2017. The shortage of skilled IT professionals is forcing hiring managers and executives to rethink how they recruit and retain top talent. At the same time, IT security professionals are looking to improve their skills in order to stay not just relevant but valuable. In this blog post, we will compare the rewards of the most common IT security certifications and look at the impact of each certification on salary for different IT security roles.


CISM (Certified Information Security Manager) and CISSP (Certified Information Systems Security Professional) are two of the most popular and widely recognized industry certifications, and they are also two of the most financially rewarding. Each certification has its own set of requirements and focus areas. Both are vendor-neutral, cover a comprehensive set of topics, and require at least five years of work experience in specific domains.

Security professionals who hold either of these two certifications can expect to earn a six-figure annual salary on average, and as high as $200,000+. However, CISM-certified professionals, regardless of job role, earn a bit more than their CISSP-certified peers, as shown in the graph below. The difference is most pronounced among top performers: at the 90th percentile, CISM-certified IT security professionals earn 7.0% more than their CISSP-certified counterparts.


Certified Information Systems Auditor (CISA)

The Certified Information Systems Auditor (CISA) is one of the primary standards for information systems auditing. More than 100,000 individuals hold this certification, and its popularity continues to rise. The increased demand for CISA certification can be traced back to the financial scandals of the early 2000s and the subsequent passage of the Sarbanes-Oxley (SOX) Act of 2002. Today, demand for CISA is high across all industries and is expected to keep rising amid continued increases in cyberattacks and information security regulations.

While the CISA exam is notably more difficult than most security certification exams—carrying an abnormally high failure rate—and requires a minimum of 5 years of professional information systems auditing experience, the rewards are well worth the effort. Financial institutions across the globe are increasingly looking to hire CISA-certified IS auditors and risk managers.

CISA-certified professionals can command annual compensation in excess of $100,000, and can reach nearly as high as $200,000 a year.

CompTIA Security+

CompTIA’s Security+ is an excellent entry-level certification with a focus on cryptography, identity management, and threat management. While not a requirement, successful candidates tend to have at least two years of professional experience before they acquire the Security+ certification.

Perhaps because Security+ is considered an entry-level certification, it correlates with somewhat lower earnings than the more rigorous certifications. For example, top-performing information security analysts with CompTIA’s Security+ certification have an annual salary of $97,000, compared to $123,000 earned by security analysts with CISM certification.

GIAC Security Essentials (GSEC)

GSEC is another entry-level certification that can drive higher earnings. It focuses on evaluating an individual’s practical knowledge of information security, and it is best suited to security professionals in hands-on security roles.

On the high end, GSEC-certified professionals can expect to earn over $100,000 in annual salary. While the average information security analyst with a GSEC certification may start off earning below $50,000, the same role can command a salary of $106,000 at the 90th percentile.

While a security certification doesn’t, by itself, prove a candidate’s competency, it is one of the more important qualities that can help someone land a job. It signals to a prospective employer that the certified individual is not only serious about his or her continued education in the security industry, but also possesses an understanding of key IT security concepts. Ultimately, a candidate’s job performance will depend not just on the certifications they hold, but also on their level of experience, work ethic, and results.