Security practitioners are increasingly conflicted about the role that certifications play in their career development. Phil Muncaster finds out why.
If you enjoy spending time down the internet rabbit hole that is a Twitter debate, you may have seen an interesting recent thread. In it, a cybersecurity professional asks the online void whether anyone is still using certifications. After two decades of maintaining his own certs, the professional argues that continuing professional education (CPE) credits are becoming increasingly diluted, with the certifications themselves offering diminished value. It is difficult to find anyone in the ensuing – and lengthy – thread who disagrees.
Yet certifications are still hugely popular. They promise a higher salary, and many employers require said certifications for industry roles. The question is whether they can stay relevant in an industry characterized by rapid technological advances and a volatile and dynamic threat landscape.
A Brief History of Certs
Information security certificates have a long history. For as long as there have been complex IT products on the market, vendors have run accreditation courses for practitioners to prove their competence in using them. In the late 1980s, the need for a more generalist vendor-neutral certification program emerged, and the non-profit International Information Systems Security Certification Consortium (ISC)² was born. Over 152,000 practitioners worldwide now hold its Certified Information Systems Security Professional (CISSP) certification.
To keep such accreditations current and encourage participation, bodies like (ISC)² and professional association ISACA require holders to earn CPEs. Ways of earning CPEs include attending webinars and events (including Infosecurity Magazine webinars and online summits) and completing training courses. Data from (ISC)² claims that 72% of professionals are required by their employer to earn certifications and that those holding them earn an average salary of $91,700 in the US versus $58,800 without. Certificates remain the third most sought-after employee attribute for recruiters after problem-solving and curiosity, it claims.
Shrinking the Talent Pool
However, many practitioners are becoming disillusioned by industry certifications. While they may be useful for young professionals early in their careers, many argue that such qualifications have not aged well, offering limited value for those later in their careers.
Ed Tucker, senior director of cybersecurity at The Workshop, claims that certs have actually become a barrier to entry for many at a time of acute industry skills shortages.
“By its very nature, this narrows our potential talent pool, but also means we create something of an echo chamber, where people begin with an ingrained security prejudice, rather than a fresh and inquisitive mindset that looks at problems for what they are,” he tells Infosecurity. “Why are we still recruiting based on whether someone passed a test rather than who they are and the natural skills they bring?”
He argues that certifications may also be hitting the industry’s efforts to diversify.
“They narrow our pool of talent when what we need is the biggest possible net,” he continues. “How can we expect someone from a different socio-economic background to have attained certs without significant support? Frankly, why the hell would we want them to?”
Socura CEO, Andy Kays, says his firm doesn’t screen candidates by their certifications but rather their aptitude, experience and attitude.
“Not all certifications are created equal, and it’s not always clear which certs are truly valuable, especially when there is the potential for them to have been obtained illegitimately,” he tells Infosecurity. “It’s like writing. An English or journalism degree will infer to an editor that someone possesses strong writing skills and the kind of knowledge required to do the job. However, it is no guarantee. Likewise, many of the best writers have no formal qualifications, nor should they be required to attain them.”
A Useful Tool
Perhaps unsurprisingly, the member associations and accreditation bodies Infosecurity spoke to firmly defend their certifications as a useful tool for employers to judge candidates. (ISC)² chief qualifications officer, Casey Marks, argues that they level the playing field for candidates.
“Not every aspiring professional can obtain a university degree or knows ‘the right people’ to get an internship or apprenticeship to secure a cybersecurity career. Certifications are a cost-effective, targeted and efficient mechanism to assist in the demonstration of competence for employment,” he tells Infosecurity. “They are the only mechanism with an independently accredited process that allows individuals to publicly demonstrate a commitment to continued competence within the field.”
Rowland Johnson, president of certification body CREST, says certs can also bring clarity to proceedings in an industry where there is an “asymmetry of language between buyers and sellers,” although he acknowledges that they should not be used in isolation.
“People are able to build and develop skills through training and on-the-job experience, which should be actively encouraged and applauded as an essential ingredient for the sector. However, in an industry clamoring to define job definitions as well as skills and competency frameworks, cybersecurity certifications provide the only tangible measurement of capability,” he tells Infosecurity.
“Despite their ability to demonstrate an individual’s knowledge and skills, infosec certs are not a silver bullet. They provide an indicator, along with many other pointers, and should rarely be used as an exclusive measurement of competency.”
A Money-Making Machine?
For Trend Micro VP of security research, Rik Ferguson, it is the industry that has grown up around certifications over the years that’s the problem, rather than certs per se.
“A whole acronym industry has emerged that competes to put letters after your name. The ones I was obliged to continue to pay for I let lapse because I felt I wasn’t getting anything in return from the certifying bodies year after year. It began to feel like a mechanism for milking me and thousands of other people,” he argues.
“I’ve direct experience of trying to hire people in tech support roles who were certified up to their eyeballs and on paper were incredible. However, they’d never done a day’s support work in their lives and didn’t have the skills required to do the job because these skills were not the same as the knowledge required to pass the exam.”
HP Inc CISO, Joanna Burkey, has also seen the industry change over the years. While she maintains they can serve a real purpose, there are drawbacks.
“Especially when cyber was a ‘new’ domain, [certs] were often used to reflect a degree of knowledge in this emerging space – which was useful. However, infosec certs have become somewhat diluted over the years and are used too often as a checkbox way to pre-qualify candidates,” she tells Infosecurity.
“This ‘expected by default’ mentality can be exclusionary to people without certs who may actually be the better candidate. Getting a cert is time-consuming, expensive and generally requires ongoing credits to be obtained year on year. Not everyone has the time, money or inclination to do that, and in my opinion, for many roles, it sets an unreasonably high bar and acts as a barrier to joining the industry. Considering the current shortfall in global cybersecurity talent, we need fewer, not more barriers.”
Vectra’s EMEA CTO, Steve Cottrell, echoes other experts in arguing that certifications can have diminished value for those in the latter stages of their careers. He also points to the heavy burden that maintaining the qualifications can put on individuals.
“As someone who has hired several hundred security professionals over the past decade or so, I can’t recall a single instance when a candidate having a particular certification was the deciding factor,” he tells Infosecurity.
“Plus, in addition to the financial outlay, you also must consider the personal development angle – requiring a set number of hours of education activities for each certification cycle can become burdensome for busy security professionals. For new candidates, the turn-off for many is the dated syllabus, which is at odds with today’s threat landscape and business challenges we are facing.”
Getting Certs Off Their Death Bed
So how can the industry turn things around and reaffirm the relevance of certifications in a post-pandemic world characterized by rapid change? For CREST’s Johnson, it comes down to what they certify.
“There is certification of knowledge – confirming that individuals know information – and certification of skills, confirming that individuals can apply that information in a real-world scenario. Then there is a certification of competency, which is much more challenging and draws upon knowledge, skills and experience,” he explains.
“Currently, there are few yardsticks for measuring competency, with many more that assess skills and knowledge. CREST believes that all levels of certification have value, but the closer they are to a competency measurement, the closer the alignment for an individual to deliver effective services and outcomes.”
HP’s Burkey also offers her qualified support for certifications going forward and highlights certain ones like ISACA’s Certified Information Security Manager (CISM) as being well-regarded in the sector.
“Once people are hired, especially young people earlier in their career, I’m a big fan of supporting their pursuance of certs. Even if they obtain them and leave, it’s good growth for folks, and that is good for the industry overall,” she continues. “Yet I feel strongly they are an additional skill for many roles, not a foundational or required piece.”
Others aren’t as optimistic. Socura’s Kays feels that certs often run counter to the spirit of the profession and many of its practitioners.
“The security industry is difficult to formalize in the manner of a profession like accounting,” he adds. “There will always be a place for more non-conformist views, who tend to dislike certification schemes. We still need people with the hacker mindset of wanting to learn new things in their bedroom, not the classroom.”
For Trend Micro’s Ferguson, the certifications industry is at a crossroads, but a better future is possible.
“If the industry continues as it is, I don’t think it has a bright future because it is slowly killing itself with its own greed and irrelevance,” he concludes. “However, it can have a bright future if the infosecurity community is willing to address the historical strategic and corporate failures of the certification industry by coming up with new, potentially more relevant certifications that aren’t financially but professionally motivated.”