A friend of mine passed the CISSP exam last spring after 14 months of studying. Great news, right? Except she had three years of experience, not the required five, so (ISC)² made her an “Associate of (ISC)²” instead of granting the full credential. She didn’t know that rule going in. She found out the day she passed.
That kind of gap between cert expectations and hiring reality comes up constantly. This guide tries to close it.
How hiring managers actually think about certs
Most job postings list certifications under “preferred” rather than “required,” but that’s a bit misleading. For federal, defense, and healthcare roles, certain certs are genuinely non-negotiable due to compliance mandates. The DoD 8570 directive, for instance, maps specific certifications to specific privilege levels. If you’re applying to a contractor role with privileged access, Security+ isn’t a preference; it’s the floor.
For private-sector roles, the reality is messier. A CISO at a mid-size SaaS company once told me: “I care a lot more about what you’ve actually built or broken than what’s on a piece of paper.” I think she’s right about senior roles. I’m less sure she’s right about entry-level hiring, where screeners often use cert status as a filter before a human ever reads the resume.
The Bureau of Labor Statistics projects 33% job growth for information security analysts through 2033, well above average. That demand is real. It also means more competition at every tier, which is why certs have become more valuable as a signal even as the field’s best practitioners quietly roll their eyes at them.
Entry level: Security+ is where most people start
CompTIA Security+ (currently the SY0-701 version) costs $404 for the exam. It covers threat actors, cryptography basics, network defense, identity management, and incident response at a conceptual level. No prior experience required, which is both its strength and its weakness.
The cert does one thing very well: it gets you past the automated filter. For SOC analyst, helpdesk-to-security-track, and junior analyst roles, Security+ shows up in job postings more than any other certification. It’s also the most common requirement for DoD-adjacent contract work, making it genuinely valuable if federal contracting is your target market.
Expect $55,000 to $78,000 starting salary in mid-tier markets with Security+ and a year of experience. More in major metros.
CompTIA also offers Network+ as a precursor. You don’t strictly need it, but candidates who don’t have solid TCP/IP fundamentals often struggle with Security+ material and definitely struggle with the interviews that follow.
Mid-career options: where it actually gets complicated
This is where the cert landscape fragments, because mid-career in security is not one path.
If you’re headed toward offensive work (penetration testing, red team, vulnerability research), the Offensive Security Certified Professional (OSCP) has become the de facto standard. The exam is a 24-hour hands-on lab challenge where you must own a set of machines and document your findings. It’s brutal. It’s also the most respected practical credential in offensive security. Cost: $1,499 for the 90-day lab bundle. It’s not cheap, and it’s not designed to be.
If you’re on the defensive side (SOC, threat intelligence, security operations), the CySA+ from CompTIA ($404) or the GIAC Security Essentials (GSEC, around $949) are more appropriate targets. Both sit between Security+ and CISSP in complexity and are well-recognized in enterprise environments.
The Certified Ethical Hacker (CEH) from EC-Council costs upward of $1,199. Honestly, I’ve seen mixed opinions from practitioners. Some hiring managers treat it as a green flag. Others in the offensive security community consider it less rigorous than OSCP. If your target employers are large enterprises or consulting firms running structured security programs, CEH has real value. If you want to work at a specialist pen testing shop, OSCP will serve you better.
Senior level: CISSP and what it actually requires
The Certified Information Systems Security Professional from (ISC)² is the management-track benchmark. Median salary for CISSP holders in the US sits around $151,000, according to (ISC)²’s annual workforce study. That number gets cited a lot, and it’s real, but it’s also worth noting that people with CISSP tend to have 10+ years of experience. The cert and the experience are correlated; the cert alone doesn’t produce that salary.
The requirements: five years of paid work experience across at least two of the eight CISSP domains. If you have a four-year degree in a related field, you can knock one year off. The exam itself uses a Computerized Adaptive Testing format and can run between 100 and 150 questions. Pass rate data isn’t published, but common estimates from study communities put the first-attempt pass rate somewhere around 47%.
Back to my friend with three years of experience: she had to wait two more years before she could convert her Associate status to full CISSP. That’s not a tragedy. But it’s the kind of thing worth knowing before you invest 14 months and $699 in exam prep.
Certs vs. experience: the honest answer
Experience wins at the senior level. Every time. No hiring manager at a serious company is picking a CISO based on credentials alone.
But experience is hard to accumulate without getting hired first, which brings you back to certs, especially early on. The sequence that seems to work for most people:
- Build foundational knowledge: A+, Network+, or equivalent self-study
- Security+ to pass automated filters and access DoD-adjacent opportunities
- Two to three years in a real role (SOC, IT, sysadmin, whatever opens the door)
- Specialization cert matching your target track (OSCP, CySA+, GCIH, cloud-specific)
- CISSP when you have the experience to sit for it, if leadership is the goal
Side projects matter more than people realize. A home lab, a CTF score on HackTheBox, a documented vulnerability research project on GitHub: these are the things that actually move interviews. Certs provide the vocabulary. Labs build the muscle memory.
Cloud certifications: worth adding to the pile?
Increasingly, yes. The AWS Security Specialty and Google Cloud Professional Cloud Security Engineer certifications have become standard asks at companies with significant cloud infrastructure. They’re not cheap (typically $300 to $400 per exam) and they have renewal requirements, but cloud misconfigurations are the dominant failure mode in modern security incidents, so employers are paying attention.
If your target roles are at cloud-native companies or heavily AWS/GCP/Azure shops, pairing Security+ with a cloud security cert is probably a stronger combination than Security+ alone. I don’t have hard data to back that up for every market, but it matches what I hear from hiring managers in fintech and healthtech.
The one cert I’d tell most people to skip: Certified Cloud Security Professional (CCSP) before you have significant hands-on cloud experience. It’s a solid credential, but the content is too abstract to be useful without real cloud work behind it.
The path is long. That 33% growth projection means the jobs are there when you get to the end of it.