With thousands of open cybersecurity positions throughout the U.S., and a new class of college graduates ready to start careers, having one or more cybersecurity certifications would seem a surefire way to position a candidate for career advancement.
Cybersecurity experts and industry insiders, however, remain split as to whether having cybersecurity certifications helps in landing a job or leaping to a more senior position.
“I’ve never been a supporter of the idea that certifications are ‘needed’ in order for someone to excel at their job,” said Casey Ellis, the founder and CTO at Bugcrowd. “This is partly informed by my own experience as a college dropout, but more importantly relates to the fact that cybersecurity itself is so broad and dynamic that skillsets, creativity, mindset, and leadership are attributes that I consider to be more important than whether someone has passed a particular certification or not.”
“That said, for organizations needing to process large volumes of applicants for cybersecurity positions, the use of certifications is a practical—if imperfect—way to make that process more efficient,” Ellis added.
For tech pros seeking a cybersecurity certification, CyberSeek, a joint initiative of the National Institute of Standards and Technology’s (NIST) NICE program, offers an interactive way to see which job listings request a specific certification and which job titles match a particular certification or set of certifications.
An example is an IT auditor position, which CyberSeek shows is typically associated with the Certified Information Systems Auditor (CISA), Certified Information Privacy Professional (CIPP) and other certifications.
While job listings lean on certifications to screen candidates, other recent research found that certifications may not help job seekers as advertised. Immersive Labs surveyed more than 570 senior security leaders and executives and found that, while almost all organizations encourage industry certifications, only 32 percent report that they are effective at mitigating cyber threats.
What Are the Top Cybersecurity Certifications?
While there’s no definitive list of the top cybersecurity certifications, CyberSeek does list which certs are the most requested in recent job openings. The site’s current statistics show that the Certified Information Systems Security Professional (CISSP) certification is the most requested, with more than 97,000 listings.
“The CISSP has for a long time been the passing-bar certification for working in information security in the U.S. federal government,” Bugcrowd’s Casey recently told Dice.
The other six cybersecurity certifications on the CyberSeek list include:
- CompTIA Security+
- Certified Information Systems Auditor (CISA)
- Global Information Assurance Certification (GIAC)
- Certified Information Security Manager (CISM)
- Certified Information Privacy Professional (CIPP)
While Casey doubts whether a specific certification matters to getting hired, he noted that the CompTIA Security+ certification is a good starting point for those looking to enter the cybersecurity field, while the growing requests for CIPP reflect new government regulations and an added emphasis on privacy.
“The Security+ has long been a certification I recommend for folks who are relatively new to the field. It is very broad and somewhat conceptual but provides some pretty strong baselines,” Casey added. “I see the CISSP as a step up on this, and funnily enough, a lot of the analogies I use to explain security equities and the economics of risk management are derived from studying for and passing this certification nearly 20 years ago.”
Can Cybersecurity Certifications Make a Tech Career Difference?
In general, qualifications for cybersecurity jobs revolve around experience, education or certifications. Any of the three can make the difference between landing a job and getting passed over. Certifications show that a candidate is willing to learn, and a certification can help make up for a lack of experience, especially for those just starting out.
“If you’re new to the field and did not pursue a bachelor’s degree or internships were not available to you, the right certifications can be a great way to demonstrate practical knowledge, motivation and a desire to learn. They are, however, not typically required, except in cases where regulation and compliance for specific industries mandate that employees must have them,” Melissa Bischoping, director of endpoint security research at Tanium, told Dice.
A certification should reinforce the technical knowledge of tech pros who complete the course, but there’s no guarantee that a certificate will lead to a better salary or position. Bischoping advised that those seeking a cybersecurity certificate think about their long-term career goals.
“When choosing a cert to pursue, it’s important to recognize how it makes you competitive for your next career step—even if that’s entering into the field itself,” Bischoping said. “Additionally, technical certifications with hands-on components tend to be regarded more favorably than those that are purely multiple choice and based on memorization. Research the certifying body and its reputation in the industry. Certifications can be expensive, so seek employer training assistance, scholarships or training assistant opportunities to help offset the cost where possible.”
Others are more skeptical of whether certifications help when the threat landscape changes as rapidly as it does now.
“Certifications look good; however, they do not demonstrate the practical application of skills in real-world applications and scenarios,” George Jones, CISO at Critical Start, told Dice. “They do not demonstrate hands-on experience or adequately assess skills necessary to handle current challenges. This is primarily due to the rapidly evolving threat landscape and rapidly advancing technologies used by organizations and threat actors.”
One of the problems with cybersecurity is that the industry often requires various degrees and certifications even for entry-level positions, which leaves more job openings than qualified candidates to fill them, said John Bambenek, principal threat hunter at Netenrich.
“I have a background in economics, law and philosophy and I have relied on aspects of those disciplines often more than I have in what I’ve learned getting a CISSP,” Bambenek told Dice. “Entry-level employees are expected to get a bachelor’s in computer science, a master's in cybersecurity and then a few certifications and only then are they qualified for [security operation center] work. Cybersecurity is not a computer science problem.”
What Approach Is Best for Tech Pros?
While debates about certifications will continue, Phil Neray, vice president of cyber defense strategy at CardinalOps, noted that a lack of cybersecurity certification should not discourage tech pros from applying for a position. His advice is for candidates to show some understanding of key technologies such as SIEM or endpoint detection and response (EDR) and demonstrate how other skills or experiences can benefit the organization.
“Certifications are always helpful in differentiating your candidacy from others, but don't let lack of certifications prevent you from applying for cybersecurity jobs,” Neray told Dice. “With the current shortage of skilled personnel, savvy cybersecurity hiring managers are looking for people with core traits like analytical skills, attention to detail, creativity, resilience and the ability to communicate effectively and work with others on a team.”