Philip Cao


Tech Certifications Are Earning Cash Premiums, and Info/Cyber Security Certs Are the Hottest



Why would an employer pay its tech workers extra cash for a skill or certification if they’re already getting a salary and annual bonus?

There are a dozen good reasons why, and they all share one thing in common: None would be necessary if the company’s compensation structure and pay practices were agile enough to successfully compete for talent in volatile labor markets. The nature of the tech labor marketplace is exactly that, where the market value of a job or skill can move like a roller coaster depending on what’s hot and what’s not at any given moment. If your employer doesn’t have built-in flexibility to react quickly and correctly, it will struggle to find and keep people to execute tech-enabled business strategies.

Who Needs Skills Pay and Why
How do you know if your employer is a victim? Say, for instance, your company doesn’t normally have trouble retaining tech talent and suddenly the best people start walking out the door. Most likely your company wasn’t able to match competing salary offers. Then to make matters worse, it’s soon discovered that the competing offers were actually realistic average local market salaries for these positions – so your employer was underpaying these people from the start. It’s called ‘salary compression,’ when market-driven pay for talent is growing at a faster rate than the annual salary increases employers are able to offer their workers.

Compression is a widespread systemic reality that tends to be much worse in the tech workforce because of the rapid evolution of technology, skills and jobs. Every employer must decide whether to fix it permanently (very difficult) or patch it occasionally (less difficult and more practical).

If there is little leeway in the incumbent’s salary range to sweeten the pot on a counter-offer, and a promotion is not a viable option, paying workers extra cash for critical skills and certifications can be the perfect solution. That is especially true when workers possess the very hot certified or noncertified tech skills that other employers are aggressively targeting. The trick is to tie this extra cash directly to current market value for the hot skill or certification and guarantee that premium for some period of time, usually one year or more. When time’s up, the employer can check whether market value has changed and decide if it makes sense to continue to pay the skills premium and how much to pay, or to switch it out for another hot skill that has become more valuable to the organization.

What is the current cash market value for certifications?
Extra pay awarded to 69,900 U.S. and Canadian IT professionals for 880 certified and noncertified IT and business skills – also known as skills pay premiums – has been tracked and updated quarterly since 1999 in the IT Skills and Certifications Pay Index™ (ITSCPI). About 3,000 private and public sector employers currently provide this data to Foote Partners, covering a total of 255,600 IT professionals at these companies.

ISACA certifications are doing extremely well. As a group they’ve gained 15.3 percent in cash market value in the last six months compared to nearly 8 percent growth in pay across all 80 security-related certifications in the ITSCPI. The Certified in Risk and Information Systems Control (CRISC) and Certified in the Governance of Enterprise IT (CGEIT) are the top gainers. The CSX Practitioner (CSXP) certification appeared for the first time in the latest ITSCPI, earning an average pay premium equivalent to 12 percent of base salary – a very strong number for a new certification.

The following security certifications are earning the highest pay premiums right now. They’re paying median cash premiums equivalent to 13 percent to 19 percent of base salary, typically paid out each pay period as a cash bonus in addition to salary, and are shown below in descending rank order of market value including ties, arranged alphabetically within each rank.

  1. Certified Cyber Forensics Professional
  2. (Tie) Certified Forensic Computer Examiner
    CyberSecurity Forensic Analyst
    GIAC Reverse Engineering Malware
  3. (Tie) EC-Council Certified Incident Handler
    EC-Council Computer Hacking Forensic Investigator
    GIAC Certified Forensics Examiner
    GIAC Certified Forensics Analyst
    GIAC Exploit Researcher and Advanced Penetration Tester
    GIAC Web Application Penetration Tester
  4. (Tie) GIAC Enterprise Defender
    GIAC Secure Software Programmer–Java
    InfoSys Security Architecture Professional (ISSAP/CISSP)
  5. (Tie) Certified Information Security Manager (CISM)
    Certified Information Systems Security Professional
    Certified in Risk and Information Systems Control (CRISC)
    EC-Council Licensed Penetration Tester
    InfoSys Security Engineering Professional (ISSEP/CISSP)

Market values for 412 tech certifications in the most recent ITSCPI data update are averaging the equivalent of 7.7 percent of base salary and as a group have recorded gains in 14 consecutive calendar quarters, unprecedented in the 18 years Foote Partners has been tracking and reporting compensation for certifications. Info/cyber security certifications have figured prominently in this growth.

Market values for 80 info/cyber security certifications have been on a slow and steady upward path for four years, up 10.7 percent in average cash value as a group in just the past 12 months and 15 percent during the past two years – the largest gain among all certification categories reported. Strong performing security certifications so far in 2016 cut a wide swath: cybersecurity, forensics, penetration testing, perimeter protection and enterprise defense, security analysis, risk and security software programming.

Editor’s note: Registration is open for the first testing window of 2017 for ISACA’s core certifications.

Exams for CISA, CISM, CGEIT and CRISC will be offered in 2017 at PSI testing locations worldwide during three, eight-week testing windows. The first testing window will be 1 May-30 June, with 28 February marking the early registration deadline. Exam registration via the ISACA website is available at

David Foote, Chief Analyst and co-founder, Foote Partners, LLC

[ISACA Now Blog]


Copyright © 2006-2022 Philip Hung Cao. All rights reserved