Which certifications are most popular among cybersecurity professionals? And do those cybersecurity certifications align with what employers really want?

That’s a core question for cybersecurity professionals everywhere, especially since the time and effort required to earn most cybersecurity certifications is so intensive. If you’re interested in cybersecurity as a career path, you don’t want to choose certifications that nobody else in the industry really cares about, and won’t have much impact on your job prospects.

Fortunately, the 2020 (ISC)2 Cybersecurity Workforce Study recently asked 3,790 cybersecurity professionals from around the world about their certifications, and that data provides some insight into what certifications you should think about pursuing.

In percentage terms, cybersecurity professionals held the following certifications (because many technologists hold more than one cybersecurity certification, the percentages add up to far more than 100). CISSP leads the pack, followed by CCNA Security, CISSP with Concentration, and CCNP Security. 

It makes sense that CISSP would top this list. It’s a vendor-neutral and advanced-level credential offered by the (ISC)2 (International Information Systems Security Certification Consortium), and it’s generally recognized as sweeping in scope. If you want to earn it, you’ll need to know everything from security and risk management to software development security. If you possess it, employers have more confidence that you can develop appropriate cybersecurity standards and procedures. 

(ISC)2 also asked cybersecurity professionals about the skills they thought they needed to effectively do their jobs (as well as land new ones): 

“While the cloud is not new,” reads the accompanying report, “cloud services remain a challenge to secure. It’s no surprise then, that 40 [percent] of cybersecurity professionals across roles, age brackets and company sizes named cloud security as the skill they most need to develop in the next two years, and no doubt an area in which they would seek to demonstrate their knowledge through certifications.”

While not every employer requires their cybersecurity experts to have certifications, both employers and technologists told the survey-takers that companies and clients feel more confident in the abilities and knowledge of teams with the appropriate certifications. On the broadest level, having well-certified teams can boost companies’ reputations within the broader industry. 

But which certifications do employers actually want? Burning Glass, which collects and analyzes millions of job postings from across the country, has a breakdown of the most-requested cybersecurity certifications over the past 12 months: 

As you can see (and as you might have expected), the security certifications that employers want applicants to have align with the certifications that cybersecurity professionals tend to possess. However, there are some instances in which fewer technologists possess cybersecurity certifications in high demand by employers—and that’s a potential opening for any candidate who wants to stand out in the marketplace.

Those certs include CompTIA+ Security, which only 9 percent of the survey’s respondents possess, but which topped out in second place among Burning Glass’s top cybersecurity certifications. CompTIA Security+, is approved by the United States Department of Defense and is compliant with the standard for ISO-17024. It’s a certification that’s often recommended for those just beginning their career, along with the Global Information Assurance Certification (GIAC) Information Security Fundamentals (GISF).

CISM ranked second-to-last on the (ISC)2 survey, but it came in fourth on Burning Glass’s list. Also known as the Certified Information Security Manager certification, this one is administered by the Information Systems Audit and Control Association – ISACA, and it’s meant to show ultra-competency in cybersecurity infrastructure (it’s also regarded as a “midcareer” certification).  

Of course, earning a mix of certifications seems like the solid strategy that most technologists pursue. But if you’ve already racked up your CISSP and a few other certs, and you’re curious about what to tackle next, CompTIA+ and CISM are clearly wanted by employers—and thus worth a serious look.