Beyond the Certified Information Systems Security Professional (CISSP), other certifications are more specialized, esoteric and of marginal value.

It’s a common trait amongst cybersecurity professionals. When they meet each other, discuss their qualifications with prospective employers, or print their business cards, there is often an alphabet soup of initials by their names, specifying the many certifications they’ve achieved.

Now, some of these certifications are certainly worthwhile, but over the last few years, the entire industry has gone gaga with dozens of new cybersecurity certifications offered by for-profit organizations. This has led to a marketing push with a consistent message that more certifications equate to more money, knowledge and opportunities for cybersecurity professionals.

Are cybersecurity certifications really as valuable as the market suggests? Not according to a recently published research report from ESG and the Information Systems Security Association (ISSA).

First of all, cybersecurity certifications aren’t nearly as prolific as one would assume. More than half (56 percent) of cybersecurity professionals surveyed have achieved a CISSP. Aside from a CISSP, however, certification rates drop precipitously, with 19 percent achieving CompTIA Security+ certification, 17 percent achieving a Certified Information Security Manager (CISM) certification and 16 percent achieving a Certified Information Security Auditor (CISA) certification.

For all those cybersecurity professionals with some type or types of cybersecurity certifications, ESG and ISSA asked two other questions: Which certifications are most useful for getting a job, and which certifications provide the knowledge, skills and abilities (KSAs) actually needed to be cybersecurity professionals?

The results here are even more telling.
More than half (61 percent) say a CISSP is useful for getting a job, while 55 percent claim that a CISSP provides the KSAs they need as cybersecurity professionals. Beyond the CISSP, however, only the CompTIA Security+ certification was selected by more than 10 percent (actual percentage was 13 percent) for providing KSAs, and no other type of cybersecurity certification was selected by more than 10 percent of survey respondents as a means of helping them get a job.

This data indicates:

- Some cybersecurity certificates may act as “window dressing” for cybersecurity professionals, adding credentials to their CVs without really helping them progress their skills or careers.
- Cybersecurity professionals often tout their certifications as a badge of honor within their peer community, but this may be a false sense of pride.
- Cybersecurity acumen comes from experience, mentoring and hands-on training rather than book knowledge.
- Employers should avoid being seduced by the number of certifications of applicants and skew employment decisions toward other criteria.
- CISOs who want to offer employees training opportunities should emphasize hands-on training courses and mentoring programs over certifications.

To be clear, cybersecurity certifications may be worthwhile in esoteric cybersecurity areas or for individuals looking to explore new career directions. That said, certifications should be thought of as supporting rather than replacing real-world experience.