Pay for ISACA Certifications is on the Rise

Author: David Foote, Chief Analyst and Co-Founder, Foote Partners, LLC and ISACA conference speaker
Date Published: 21 June 2023
Related: Credentialing

The rapid growth of technology and its increased integration into nearly every aspect of our lives has brought about new challenges in ensuring the security of our digital infrastructure. As a result, the demand for skilled cybersecurity professionals has surged, leading to the establishment of a thriving cybersecurity certification marketplace.

New highly validated data from 4,200 employers in our long-running IT Skills and Certifications Pay Index™ (ITSCPI) reveals that the average cash pay premium for 606 IT certifications has risen in three of the last four calendar quarters, currently earning certificants the equivalent of 6.6 percent of base salary. Even better, for the 137 IT security certifications reported, it is a whopping 8.3 percent for those lucky enough to work for an employer willing to pay you a premium for your certification.

ISACA certifications have displayed particularly impressive overall pay performance in the labor marketplace based on the latest survey findings in the ITSCPI (data collected through 1 April), which reports verified and validated cash pay premiums being paid to 92,725 workers in the United States and Canada.

Pay premiums for six ISACA certifications included in the ITSCPI have risen an average of 6.1 percent over the past 12 months. All of this growth has come from three that showed 12-month gains of between 10 percent and 37 percent in cash market value through 1 April: Certified in the Governance of Enterprise IT (CGEIT), Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA). Making this even more newsworthy is the fact that average pay performance for all 137 security certifications surveyed in the ITSCPI is up slightly less than 1 percent in the same period.

Why these three ISACA certifications?

The performance of these three certifications and others is representative of a larger insight into how the pandemic, economic uncertainty and new technology advances such as Generative AI/LLM have suddenly propelled companies into fresh examinations of their IT governance structures and risk management at a critical time. In other words, there have been many positive impacts of recent business environment changes, perhaps none more so than how organizations are now deeply engaged in much-needed, long overdue adjustments to their business models and operations driven by explosive advances in tech.

In addition to the CGEIT certification earning lucky recipients pay premium bonuses equivalent to between 8 percent and 13 percent of their base salary – up 37 percent in market value compared to one year ago – a cluster of 10 “IT Audit/Privacy/Risk/Governance” noncertified skills in our survey has risen 10.2 percent in market value in the same period and is earning recipients a 14 percent average pay premium. Coming in at more modest but no less significant 12-month cash pay premium gains are the CISA and CISM certifications, which have risen 10 percent and 20 percent, respectively, in market value, with most of their growth coming in the most recent two calendar quarters. Holders of these certifications can earn cash pay premiums in the 9 percent to 14 percent range.

This is not an accident. 

At its essence, IT governance provides a structure for aligning IT strategy with business strategy. And by following a formal framework, organizations can produce measurable results, which today is de rigueur for businesses in transition. In the big picture, taking as gospel that in practical terms all companies have become tech companies, IT governance is an integral and critical part of overall enterprise governance.

What else is driving popularity in IT governance? More and more regulations governing the protection of confidential information, financial accountability, data retention and disaster recovery, among others. Plus, in the current macro- and micro-economic environment, companies are generally under more pressure than usual from shareholders, stakeholders and customers. This applies to both public- and private-sector organizations.

A formal, up-to-date IT governance program must be on the radar of any organization in any industry that needs to comply with regulations related to financial and technological accountability. It requires a lot of time, effort and especially expertise to implement a comprehensive IT governance program, and for that workers will continue to be rewarded with related skills and certifications pay premiums.

Non-certified GRC skills are also hot

There’s also GRC (governance, risk and compliance), which is largely the same thing as IT governance but incorporates security domains. While GRC is the parent program, what determines which framework is used is often the placement of the CISO and the scope of the security program. For example, when a CISO reports to the CIO, the scope of GRC is often IT-focused. When security reports outside of IT, GRC can cover more business risks beyond IT.

This is just one reason why noncertified GRC skills have gained nearly 7 percent in market value in the last 12 months according to ITSCPI data, now averaging cash pay premiums equivalent to between 14 percent and 19 percent of base salary. Evaluating and managing risk is an obsession for most businesses; for others it is something to ignore at great peril to their future success. The field of risk analytics and evaluation has entered its prime: recent projections put the global fraud detection and prevention market at $182 billion by 2030, up from $36 billion in 2022.

The higher-paying premiums for non-certified security-related skills in our survey are, in part, dictated by the prevention of misappropriation of assets, bribery and corruption, fraud, data theft or money laundering in financial services, government and public utilities. Many employers are rewarding people who can incorporate data and insights from many sources to better identify, measure and mitigate risk, whether or not they hold security certifications.

But there’s more to this growth in risk management skills demand: it’s also the way business investment and development has been stimulated by advances in artificial intelligence, advanced data analytics, distributed cloud, edge computing, mobile computing, Internet of Everything, blockchain and all manner of disruptive digital transformation.

Most of these technologies are exposing companies to an astronomically higher level of cyber risk, especially the surge in cloud computing. Without the cloud, businesses could not have sent millions of workers home, maintained global supply chains or shifted entire industry business models in a matter of weeks as COVID quickly spread. According to recent Foote Partners forecasts, this trend is not about to change anytime soon regardless of whether or not another pandemic is in our future.
