It’s a common trait among cybersecurity professionals: When they meet each other, discuss their qualifications with prospective employers, or print their business cards, there is often an alphabet soup of initials by their names, specifying the many certifications they’ve achieved.
Now, some of these certifications are certainly worthwhile, but over the last few years the entire industry has gone gaga, with dozens of new cybersecurity certifications offered by for-profit organizations. This has led to a marketing push with a consistent message: more certifications equate to more money, knowledge, and opportunities for cybersecurity professionals.
Are cybersecurity certifications really as valuable as the market suggests? Not according to a recently published research report from ESG and the Information Systems Security Association (ISSA).
First of all, cybersecurity certifications aren’t nearly as widespread as one would assume. More than half (56%) of cybersecurity professionals surveyed have achieved a CISSP. Aside from the CISSP, however, certification rates drop precipitously, with 19% achieving CompTIA Security+ certification, 17% achieving a Certified Information Security Manager (CISM) certification, and 16% achieving a Certified Information Security Auditor (CISA) certification.
For all those cybersecurity professionals with some type or types of cybersecurity certifications, ESG and ISSA asked two other questions: Which certifications are most useful for getting a job, and which certifications provide the knowledge, skills, and abilities (KSAs) actually needed to be cybersecurity professionals?
The results here are even more telling: More than half (61%) say that a CISSP is useful for getting a job, while 55% claim that a CISSP provides the KSAs they need as cybersecurity professionals. Beyond the CISSP, however, only the CompTIA Security+ certification was identified by more than 10% of respondents (the actual percentage was 13%) as providing KSAs, and no other type of cybersecurity certification was selected by more than 10% of survey respondents as a means of helping them get a job.
This data indicates:
- Some cybersecurity certifications may act as “window dressing” for cybersecurity professionals, adding credentials to their CVs without really helping them progress their skills or careers.
- Cybersecurity professionals often tout their certifications as a badge of honor within their peer community, but this may be a false sense of pride.
- Cybersecurity acumen comes from experience, mentoring, and hands-on training rather than book knowledge.
- Employers should avoid being seduced by the number of certifications applicants hold and should base employment decisions on other criteria.
- CISOs who want to offer employees training opportunities should emphasize hands-on training courses and mentoring programs over certifications.
To be clear, cybersecurity certifications may be worthwhile in esoteric cybersecurity areas or for individuals looking to explore new career directions. That said, certifications should be thought of as supporting rather than replacing real-world experience.