Earning a cybersecurity certification is one way tech professionals can signal commitment and technical knowledge to potential employers. But given the thousands of cybersecurity positions that remain open, do you actually need to go through the effort and expense of earning one or more certifications in order to land a cybersecurity role, or can you depend solely on your skills?
For many of those organizations looking to hire more cybersecurity talent, certifications are currently viewed as a must-have. A recent survey released by security firm Fortinet finds that 91 percent of respondents prefer to hire candidates with certifications. In addition, 67 percent of organizations prefer team members or direct reports to have certifications, since they believe these credentials validate cyber awareness and tech knowledge.
Digging further into the numbers, the survey (based on responses from 1,850 IT and cybersecurity decision-makers in 29 countries) finds that 60 percent of respondents report that certifications show an increase in cybersecurity skills and knowledge, while 55 percent report that those with certs perform their job tasks better.
There is, however, a downside when organizations focus too heavily on hiring tech professionals with specific certifications. According to the Fortinet study, 72 percent of respondents report it’s challenging to find individuals with technology-focused certifications.
This reflects findings from other studies. The 2023 Official Cybersecurity Jobs Report published by Cybersecurity Ventures noted that, while there are about 94,000 tech professionals with the Certified Information Systems Security Professionals (CISSP) certification in the U.S., more than 134,000 job openings require the CISSP certification as part of the hiring process.
The certification issue also comes at a time when there remains a significant cybersecurity talent shortage. Even with tech hiring slowing over the past year, CyberSeek estimates about 470,000 cyber positions remain open in the U.S. public and private sectors. These are some of the reasons why many tech and security experts question whether there is an overreliance on certifications and what, if anything, they prove in real-world situations.
“Certifications can be a helpful stepping stone, especially for those entering the field, as they provide structured learning and can catch the eye of recruiters,” Devin Ertel, CISO at Menlo Security, recently told Dice. “However, the cybersecurity landscape constantly evolves, and practical experience is irreplaceable. For the industry to truly address the talent shortage, we need to foster diverse talent pools and create opportunities for individuals to showcase their abilities beyond just a list of certifications.”
Making a Case for Cybersecurity Certifications
Currently, CyberSeek lists six cybersecurity certifications that are the most requested when hiring managers are interviewing for open cyber positions. These include:
- CISSP: 74,228 job openings
- CompTIA Security+: 69,906 job openings
- Certified InformationSystems Auditor (CISA): 47,230 job openings
- Global InformationAssurance Certification (GIAC): 37,857 job openings
- Certified Information Security (CISM): 36,162 job openings
- Certified InformationPrivacy Professional (CIPP): 5,908 job openings
While having one or more of these certifications can help distinguish a resume and get recruiters’ attention, experts note that many cybersecurity leaders also look for candidates who have broad knowledge of the security industry. This includes understanding concepts such as the Cybersecurity Framework published by the National Institute of Standards and Technology, which was recently updated.
“Automation skills have become crucial for efficiently managing security operations, streamlining incident response, and implementing consistent measures. Knowledge of scripting and security automation tools enhances an organization’s ability to respond quickly to threats and reduce human error,” Jason Soroko, senior vice president of product at security firm Sectigo, told Dice. “The NIST Cybersecurity Framework 2.0 emphasizes the integration of governance and security. Skills overlapping with governance, such as understanding regulatory requirements, policy development, and risk management, are essential. Professionals with these skills ensure that security measures align with organizational goals and regulatory standards.”
For those looking to break into cybersecurity, the Fortinet report details that many organizations are willing to pay for certifications and other upskilling to ensure their cyber teams are aligned and that the staff is up-to-date on the latest trends and threats.
“Eighty-nine percent... of IT leaders say they would pay for anemployee to obtain a cybersecurity certification,” according to the survey.
Consider Alternatives to Certifications
At a time when the cybersecurity industry and the Biden administration are pushing to hire more talented professionals with alternative backgrounds that do not include academic degrees, the need for a certification to qualify for a job can seem like a stumbling block.
Cybersecurity experts, however, note that candidates should inquire if potential employers can accept equivalents and alternative learning, such as practical, hands-on experience at another job or participation in security workshops or events.
“Companies usually have a line stating that they will accept equivalencies, implying that you do not need a specific certification if you have proven said skill in things such as blogs, publicly accessible means like code contributions, or other areas like Capture the Flag (CTF) challenges and disclosed bounty reports,” Sajeeb Lohani, senior director of cybersecurity at Bugcrowd, told Dice.
While certifications are helpful to get the first interview, equivalencies can show hiring managers a dedication to security, Lohani added: “The aim for everyone is to prove passion and skill, alongside work ethic and determination. A combination of both certifications and public contributions is ideal, in my opinion.”
Other experts agree that candidates need to show how equivalent and alternative learning paths, such as CTF events and bootcamps, can demonstrate competency and tech skills.
“Companies should balance certification requirements with practical experience, widening the candidate pool and emphasizing hands-on skills and problem-solving abilities,” Soroko added. “Practical assessments or project-based evaluations can potentially be a better way to gauge a candidate's capabilities.”
At the same time, organizations should work toward encouraging potential hires, or internal candidates interested in switching to cybersecurity, to apply for jobs even if they lack the requisite certification, said Ken Dunham, cyber threat director at Qualys Threat Research Unit.
“Dropping requirements for certifications or standards for any position is not an acceptable solution so other creative means must be sought, such as on-the-job training, mentoring, partnering with universities and talent acquisition and retention programs,” Dunham told Dice.
“The tech industry is very unique in how it is starved for ‘unicorns’ and certain niche staff members, yet, from a business competitiveness perspective, those same individuals may get laid off, resulting in the more skilled individuals retiring or opening their businesses instead of working for an organization that they formerly trusted with job security and quality of life,” Dunham added.
