Acknowledging Our Love-Hate Relationship With Security Certifications
It’s nothing new that social media is a hotbed of hot takes. Even the most innocuous posts somehow manage to offend or anger someone out there on the internet. But that doesn’t mean that it should all be dismissed as nonsense, especially when it comes to information security. News of critical vulnerabilities, dangerous exploits, breaches, and ransomware attacks have all broken on social media, often well ahead of traditional news sources. Additionally, tough but necessary conversations about gender bias — and outright harassment — and the need for diversity in security continue to raise awareness and provoke thought and action via social channels.
And Then There’s Security Certifications…
Around this time last year, I started to notice patterns in social media posts and threads related to obtaining and maintaining security certifications. Those at the beginning of their careers were excited to announce that they passed their certification exams, and those further along were nearly as excited to announce that they let their certs lapse. So Researcher Kevin Earl and I dug in.
My new report, Rethink Your Reliance On Security Certifications, includes analyses of security certifications conducted between November 2021 and July 2022 in three categories:
- Sentiment: posts or comments on LinkedIn and Twitter from 200 individuals determined to be in cybersecurity roles
- Investment: pricing information for 47 certification exam and renewal fees and 34 certification exam prep programs or boot camps
- Requirement: three hundred randomly selected cybersecurity job listings on Indeed.com requiring the CISSP, CISM, or CISA certifications — or some combination of the three
What did we find? Well, let’s dive into the sentiment analysis. The majority of the 200 individual posts or comments — 53% — expressed negative sentiment toward security certifications, and that negative sentiment boiled down to two main themes:
- Cost. Across all sentiments in our analysis, 22% of security pros indicated an issue with the cost of certifications, and 25% of those expressing negative sentiment felt that the certification maintenance and CPE processes were costly and of little value or applicability.
- Utility. Thirty-nine percent of security professionals expressing negative sentiments stated that their certifications were either not useful or applicable in their current roles, and 46% of this same group explicitly stated that they have already abandoned their certifications or are planning to do so.
Not everyone was ready to jump ship when it comes to security certifications, however. Our analysis found that 22% of those reporting positive or neutral feelings state that their certifications got them through candidate screening processes and “in the door.”
And here is the heart of the love-hate relationship. Security certifications don’t make you a better practitioner; they make you a better candidate. Experience and continued training and upskilling takes over from there. How do we reconcile this?
It’s Time To Change Our Hiring Practices
This research and report isn’t about bashing certifications. There’s a time and place for the learning associated with security certs, especially those for specialized or advanced skills and knowledge.
Certifications play just one role in the flawed, three-ring circus that is hiring for security talent. Human resources and its overly rigid and binary applicant tracking systems — and overwhelmed, rushed hiring managers — also contribute to clogs in the security talent pipeline. So what’s to be done? In the report, I lay out several actions that security leaders and their partners in HR can take to rebalance the role of security certifications and other common hard requirements such as bachelor’s degrees, including:
- Getting real about job descriptions. Write honest job descriptions that provide meaningful insights into why the role exists, where it fits within the organization, and a typical “day in the life.”
- Moving from required to desired. Instead of requiring certifications — even those designed for early-career professionals — list entry-level ones as “preferred” or “desired.”
- Finding new ways to gauge knowledge. Use security skills and training platforms and cyber ranges, along with behavioral interview questions, to better understand a candidate’s role-relevant knowledge and potential.
Attend The S&R Forum To Hear More!
I’ll be sharing more data from this report as well as how certification and degree requirements adversely affect the early-career security talent pipeline — and additional actions that security leaders can take to change their currently limiting hiring practices — at the Forrester Security & Risk Forum next week. Join me there and let’s discuss!