A Certifications Conversation with the Community: Yes, No…Idk?

Posted by Ashley Preuss

Do you really need certifications to be successful in cyber security? In a post on LinkedIn, Joyous Huggins, Lead Technical Analyst at Global InfoTek, asked members of the community to share their point of view on this highly contemplated question. As you might imagine, responses were mixed. Roughly 25% of commentators said “yes,” another 25% said “no,” and the remaining half stated variations of “it depends” or “yes and no.”

Kathleen Smith, CMO, joined the LinkedIn conversation saying, “The infamous ‘it depends’ is crucial to understand. Can they open doors? Absolutely. Are they crucial for success? Not necessarily.” While numerous practitioners share this sentiment, there are many others who take a black and white stance in regards to the necessity of certifications.

As a U.S. Navy reservist, Joyous discussed certifications with a high-ranking officer who explained, they allow the military to know you have a basic concept of core competencies—it’s a means to assess applicants and define a career track. In another conversation with a civilian colleague (who would likely add their name to the “yes you really do need them” tally), the individual insisted that you can’t land good jobs without them. However, in Joyous’ case she did. She landed a job without any certifications and she wondered what others in the community thought about the need for certs, so she took her question to LinkedIn.

Here are some of the comments Joyous received having posted, “LinkedIn Fam: Do you really need certifications to be successful in cyber security?”

“Yes and no. You need a way to overcome the hurdles to get hired. That’s a checkbox for a gatekeeper or other means to leap the pack. Certifications and a degree fulfill this for most people. But they don’t normally get you a job. They help to get you an interview. But there are other ways for a few areas, like pen testing. If you are crushing CTF competitions then you have another way to prove your abilities outside of certifications.

Keep in mind certifications don’t make you good on the job. They measure knowledge at a point in time. And making that leap from passing a test to being a professional requires application of knowledge, soft skills, people skills and a desire for excelling and improving yourself throughout your career. I’ve earned dozens of certifications in my career but I’ve never put them on the wall or really used them outside of landing a job. So, my recommendation is to pick up certifications that apply to the job you have and the job you want. They should be a byproduct of the knowledge you have, not earned as some kind of magic bullet to get a job.”

– Ed Spencer, Sr. Information Security Engineer

“As long as you don’t let them define you, they’re great. You are more than your CISSP, CCNA, CEH, EIEIO. They can assist you in demonstrating a competency at a point in time. Most are good for amplifying you, although a few are defining, IMO. They typically end in “E” and are very difficult to attain, but even then, they should amplify you, the professional, versus defining why someone should want to hire you. Obviously, especially in the government world, you may HAVE to have EIEIO to get hired, although it is minimally relevant to what you will be doing or whether you can do the job.”

– Joe Gray, Sr. Security Architect

“It depends on what industry you’d like to work in. Government jobs often require certifications, and roles that are pretty Audit focused usually require certs as well. Some industry professionals will actually ignore applicants if their resume is super cert heavy, since they believe there’s an inverse relationship with true hacking/tinkering ability and number of certs you have. I think it’s a good idea to get a few entry level certs when you’re trying to get your foot in the door, but real world projects and experience are superior.”

– JD D., Sr. Information Security Engineer

As you can see, there’s a lot of context surrounding the merit of certifications. Listing them on your resume doesn’t guarantee you a job or a successful career in cyber security. They can open more doors and help you get an initial interview, but they don’t define your experiences and professional worth in and of themselves.

It’s an evolving conversation and one that definitely merits an “it depends” response in many regards, as some companies require certifications while others simply demand experience. But if you’re going to allocate the time and resources to getting certified, strive to really learn something new through the process. There’s not much educational value in ordering a book and memorizing content to simply pass a test. For this reason, many in the industry favor performance-based certifications, which require hands-on knowledge of how to do the work. These serve as a better indicator of ability, versus just having a good memory to pass tests.

Also remember that there are other avenues to demonstrate your commitment to the industry. Participating in competitions, volunteering at professional conferences, and good old-fashioned networking will serve your professional development and job search efforts well.

In our conversation with Joyous, she pointed out that while the industry says we’re at a drought for talent, we make it difficult for individuals to receive the opportunity. With high price tags attached to certifications, not everyone can afford to take the exams. And in many cases, certification holders have to pay annual fees to maintain their credentials and recertify after a few years. Joyous advises we could benefit by revisiting the application itself versus the applicant. Do you think certifications are necessary for employers to assess the mind of cyber security professionals?

This entry was posted on Friday, June 14, 2019 5:44 pm

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.