Do cybersecurity certifications still deliver? Experts share 6 key insights

Cybersecurity certifications continue to open doors and shape careers in Security Operations (SecOps). However, the mileage that individuals and organizations get out of them varies by industry, by the specific demands of the job, and by the practical experience needed to tackle real-world challenges.

As a result, there's growing recognition among industry professionals and employers about the need to balance certification achievements with hands-on experience. A survey of 14,000 cybersecurity professionals that ISC2 conducted showed a relatively high level of interest in cybersecurity certifications among respondents.

Sixteen percent described themselves as currently pursuing a non-vendor-specific certification (such as those from ISACA, CompTIA, and ISC2, including the CISSP), and 17% were pursuing vendor-specific programs such as those from Microsoft and Cisco. Another 40% (combined) planned to pursue a certification in the next six months. Sixty-five percent described their primary motivation as skills improvement; 53% cited staying current with trends, and 50% cited career and professional development.

With big changes facing SecOps teams, are certifications still relevant? Here's what top industry experts say.


1. Cybersecurity certifications do carry weight

In a field where skills demand far exceeds supply, a cybersecurity certification can help individuals demonstrate familiarity and knowledge in the field. This is especially true for initial screening and in large organizations with formal hiring processes, said Jason Soroko, senior fellow at Sectigo.

"In the real world, these certifications can help determine if an inexperienced candidate has a baseline of literacy in the subject of cybersecurity."
Jason Soroko

Importantly, many certifications are well recognized within the industry and are perceived as demonstrating a standardized level of knowledge and understanding of a particular security domain. Specific certifications can also highlight a candidate's area of expertise or specialization within cybersecurity.

Stephen Kowski, field CTO at SlashNext Email Security+, said hiring managers generally view certifications as a positive indicator of a candidate's foundational knowledge and commitment to the field.

"Without practical experience, certified candidates may be considered for entry-level positions or roles with strong mentorship opportunities. Demonstrating hands-on skills through personal projects or internships can significantly enhance the value of certifications for less experienced candidates."
Stephen Kowski

A certification signifies that you know about a certain tradecraft, said Mayuresh Dani, manager of security research at the Qualys Threat Research Unit. It also allows companies to divide their applicants into "haves" and "have nots."

"However, cybersecurity is a technically niche field, which warrants that the frontrunners be hands-on with their tradecraft. Certified or not, if one is not hands-on with their skill, it leads to a delay in defending the assets that they are assigned to."
Mayuresh Dani

2. Mileage varies depending on the employer

Larger enterprises often place more emphasis on certifications because of standardized hiring processes and regulatory requirements, Kowski said.

"Smaller companies may focus more on practical skills and cultural fit. However, certifications can be valuable in organizations of all sizes as a tool for assessing candidates' knowledge and commitment to the field."
Stephen Kowski

Government and industry regulations are another factor. Some requirements, such as those contained in US Department of Defense (DoD) Directive 8570.01-M and 8140 and the Federal Information Security Management Act (FISMA), require information assurance personnel to hold certain baseline certifications for different roles. Other regulations, such as the Payment Card Industry Data Security Standard (PCI DSS) and HIPAA, do not explicitly mandate certifications but do require organizations to have qualified security personnel, which many organizations interpret as meaning certified professionals.

3. Hands-on experience trumps certifications alone

A cybersecurity certification is useful for demonstrating baseline knowledge of a particular security domain. The right certification can help an inexperienced individual get a foot in the door and serve as an indicator of a candidate's commitment to the field. However, certifications are no proxy for real-world, hands-on experience, said Sectigo's Soroko.

Certifications do not necessarily reflect real-world skills, which are hard won, he said. Certifications can become outdated quickly because of the fast-paced evolution of the field, making continual renewal less meaningful after a certain level of experience.

"A star cybersecurity candidate can come from almost any background field and provide huge value whether they have a certification or not."
Jason Soroko

Individuals with hands-on experience know how to apply the knowledge they have gained to actual scenarios, which can be very different from textbook examples, he said. They often have stronger creative problem-solving abilities and can adapt better to quickly evolving cyberthreats. Experience also provides a deeper understanding of how security fits into a company's broader business requirements and goals, and it allows for a better understanding of specific security tools and technologies.

Hands-on experience is generally much more valuable than certifications alone, as it demonstrates practical application of knowledge and problem-solving skills, Kowski said. Employers often prioritize candidates who can showcase real-world achievements and adaptability in addressing complex security challenges. The ideal candidate typically possesses a combination of relevant certifications and substantial hands-on experience.

"However, having appropriate hands-on experience can outweigh and override certification requirements in the right organization."
Stephen Kowski

4. Certifications force additional learning

The fast-evolving nature of cyber threats often makes the knowledge an individual acquires through a cybersecurity certification program outdated very quickly. What is relevant today can become less important overnight, and the skills a particular certification focuses on now may need refocusing or updating very soon. This forces additional learning on individuals, which in a fast-changing threat landscape can be a useful thing.

"Certifications usually have designed obsolescence and can become outdated if not regularly updated to reflect the latest threats and technologies. However, reputable certification bodies typically revise their content periodically to maintain relevance. The underlying principles, though, stay fairly static over time; the OWASP Top 10 regularly shifts around the threats, as opposed to brand new ones being introduced."
Stephen Kowski

Kowski said that renewing certifications demonstrates a commitment to ongoing professional development and staying current in the field. It can be particularly valuable for maintaining credibility and meeting specific job requirements, he said. However, the decision to renew should be balanced against practical experience gained and the specific career goals of the individual. "You can succeed with or without renewal depending on the pathway you pursue," he said.

5. Employers often consider equivalences to certifications

In many instances, organizations are willing to accept equivalences to a certification for individuals who have verifiable skills, demonstrated through code contributions, Capture the Flag (CTF) challenges, or disclosed bug bounty reports, said Sajeeb Lohani, senior director of cybersecurity at Bugcrowd. Often these equivalences are just as good at demonstrating knowledge as a certification is, if not better, because they show true passion for the field. The goal for everyone is to demonstrate passion and skill, in conjunction with a great work ethic and fortitude. "In my opinion, a blend of both certifications and public contributions is perfect," Lohani said.

"At the end of the day, a certification is helpful to get that first interview. Certifications are essentially a way for companies to get proven skill, however, the fact that the skill may not translate appropriately into the required business context is often missed by companies."
Sajeeb Lohani

6. Certifications don't always capture the complexity of real-world threat scenarios

One reason employers often prefer experience over certifications is that certifications don't always prepare individuals for real-world cyber threats. Certifications often teach standardized, somewhat static threat models and simply cannot cover the new techniques and tactics that attackers constantly adopt to stay ahead of defenders. Certified professionals can therefore be unprepared for the latest attack vectors or emerging threats that weren't part of their course materials.

Certifications typically also provide generalized knowledge of a particular domain but cannot account for the deeply contextual nature of real-world cybersecurity challenges, where factors such as the technology stack an organization uses or its business processes can have a big impact on security, said Josh Knox, an evangelist at ReversingLabs.

"If the only certifications you've had are OSCP offensive security, or PenTest+ certified, or ethical hacker, then you were only looking at the attack and only understand vectors and methods. Certifications have their place, but just having one or focusing on one area or the other is not going to make you well rounded, and you are still going to need a team of voices around you to make decisions."
Josh Knox

Another issue is that certifications often present a highly idealized way of implementing security controls, whereas in practice implementation is rarely that easy, Kowski said. "Practical experience and continuous learning are essential to complement certification knowledge and apply it effectively in dynamic threat environments."
