Security OperationsAugust 28, 2024

Do cybersecurity certifications still deliver? Experts share 6 key insights

With AI and the shift from the perimeter to the software supply chain as a primary attack vector, are certifications still relevant? Here's what top experts say.

Jaikumar Vijayan, Freelance technology journalist

Cybersecurity certifications continue to open doors and shape careers in security operations (SecOps). However, the mileage that individuals and organizations get out of certs can vary by industry, the specific demands of the job, and the practical experience needed to tackle real-world challenges.

As a result, there's growing recognition among industry professionals and employers that certification achievements must be balanced with hands-on experience. An ISC2 survey of 14,000 cybersecurity professionals showed that respondents retain a relatively high level of interest in obtaining cybersecurity certifications: 16% described themselves as currently pursuing a non-vendor-specific certification such as ISACA, CompTIA, CISSP, and ISC2, and 17% said they are pursuing vendor-specific programs such as those from Microsoft and Cisco. Another 40% said they plan to pursue a certification within the next six months.

Of those expressing interest in certs, 65% described their primary motivation as skills improvement; 53% said they want to stay current with trends, and 50% are looking for career and professional development. But with big changes facing SecOps teams, are certifications still relevant? Here's what top industry experts say.


1. Cybersecurity certifications do carry weight

In a field where skills demand far exceeds supply, a cybersecurity certification can help individuals demonstrate familiarity and knowledge in the field. This is especially true for initial screening and in large organizations with formal hiring processes, said Jason Soroko, a senior fellow at Sectigo.

In the real world, these certifications can help determine if an inexperienced candidate has a baseline of literacy in the subject of cybersecurity.

Jason Soroko

Importantly, many certifications are well recognized within the industry and are perceived as demonstrating a standardized level of knowledge and understanding of a particular security domain. Specific certifications can also highlight a candidate's area of expertise or specialization within cybersecurity.

Stephen Kowski, field CTO at SlashNext Email Security+, said that many hiring managers generally view certifications as a positive indicator of a candidate's foundational knowledge and commitment to the field.

Without practical experience, certified candidates may be considered for entry-level positions or roles with strong mentorship opportunities. Demonstrating hands-on skills through personal projects or internships can significantly enhance the value of certifications for less-experienced candidates.

Stephen Kowski

A certification signifies that you know about a certain tradecraft. Mayuresh Dani, manager of security research at the Qualys Threat Research Unit, said certs on resumes allow companies to divide their applicants into haves and have-nots.

However, cybersecurity is a technically niche field, which warrants that the frontrunners be hands-on with their tradecraft. Certified or not, if one is not hands-on with their skill, it leads to a delay in defending the assets that they are assigned to.

Mayuresh Dani

2. Mileage varies depending on the employer

Larger enterprises often place more emphasis on certifications due to standardized hiring processes and regulatory requirements, Kowski said.

Smaller companies may focus more on practical skills and cultural fit. However, certifications can be valuable in organizations of all sizes as a tool for assessing candidates' knowledge and commitment to the field.

Stephen Kowski

Government and industry regulations are another factor. Some requirements, such as those contained in Directive 8570.01-M and 8140 from the U.S. Department of Defense and those in the Federal Information Security Management Act (FISMA), require personnel working in information assurance to hold certain baseline certifications that differ by role. Other regulations, such as the Payment Card Industry Data Security Standard (PCI DSS) and HIPAA, do not explicitly mandate certifications but require organizations to have qualified security personnel, which many organizations interpret as certified professionals.

3. Hands-on experience trumps certifications alone

A cybersecurity certification is useful for demonstrating baseline knowledge of a particular security domain. The right certification can help an inexperienced person get a foot in the door and serve as an indicator of a candidate's commitment to the field. However, certifications are no proxy for real-world, hands-on experience, said Sectigo's Soroko. They do not reflect hard-won, real-world skills, he said. Certifications can become outdated quickly due to the fast-paced evolution of the field, making continual renewal less meaningful after a certain level of experience.

A star cybersecurity candidate can come from almost any background field and provide huge value whether they have a certification or not.

Jason Soroko

Individuals with hands-on experience know how to apply the knowledge they have gained to actual scenarios, which often can be very different from textbook examples, he said. They often have more creative problem-solving abilities and can adapt better to quickly evolving cyberthreats. Experience also provides a deeper understanding of how security fits into a company's broader business requirements and goals and allows for a better understanding of specific security tools and technologies.

Hands-on experience is generally much more valuable than certifications alone, since it demonstrates practical application of knowledge and problem-solving skills, Kowski said. Employers often prioritize candidates who can showcase real-world achievements and adaptability in addressing complex security challenges. The ideal candidate typically possesses a combination of relevant certifications and substantial hands-on experience.

However, having appropriate hands-on experience can outweigh and override certification requirements.

Stephen Kowski

4. Certifications force additional learning

The fast-evolving nature of cyberthreats can quickly make knowledge acquired via a cybersecurity certification program outdated. What is relevant today can become less important overnight, and the skills that a particular certification might focus on now might soon need refocusing or updating. This can force additional learning on individuals, which in a fast-changing threat landscape can be a useful thing.

Certifications usually have designed obsolescence and can become outdated if not regularly updated to reflect the latest threats and technologies. However, reputable certification bodies typically revise their content periodically to maintain relevance. The underlying principles, though, stay fairly static over time; the OWASP Top 10 regularly shifts around the threats as opposed to brand-new ones being introduced.

Stephen Kowski

Kowski said that renewing certifications demonstrates a commitment to ongoing professional development and staying current in the field. It can be particularly valuable for maintaining credibility and meeting specific job requirements, he said. However, the decision to renew should be balanced against practical experience gained and the specific career goals of the individual. "You can succeed with or without renewal depending on the pathway you pursue," he said.

5. Employers often consider equivalences to certifications

In many instances, organizations are willing to accept equivalences to a certification for individuals who have verifiable skills in areas such as code contributions, capture-the-flag challenges, and disclosed bug-bounty reports, said Sajeeb Lohani, senior director of cybersecurity at Bugcrowd. Often, these equivalences are just as good at demonstrating knowledge as a certification, and they can be better because they show true passion for the field. The goal for everyone is to demonstrate passion and skill in conjunction with a great work ethic and fortitude. "In my opinion, a blend of both certifications and public contributions is perfect," Lohani said.

At the end of the day, a certification is helpful to get that first interview. Certifications are essentially a way for companies to get a proven skill. However, the fact that the skill may not translate appropriately into the required business context is often missed by companies.

Sajeeb Lohani

6. Certifications don't always capture the complexity of real-world threat scenarios

One reason why employers often prefer experience over certifications is that certs don't always prepare people for real-world cyberthreats. They often teach standardized, somewhat static threat models and simply cannot keep up with all the new techniques and tactics that attackers adopt. Certified professionals can therefore be unprepared for the latest attack vectors or emerging threats that weren't part of their course materials. This failing is particularly acute now that attackers have turned sharply toward the software supply chain as a preferred attack vector.

Certifications also typically provide generalized knowledge of a particular domain but cannot account for the deeply contextual nature of real-world cybersecurity challenges where factors such as the organization's technology stack or its business processes can have a big impact on cybersecurity, said Josh Knox, an evangelist at ReversingLabs.

If the only certifications you’ve had are OSCP offensive security or PenTest+ certified or ethical hacker, then you were only looking at the attack and only understand vectors and methods. Certifications have their place, but just having one or focusing on one area or the other is not going to make you well rounded, and you are still going to need a team of voices around you to make decisions.

Josh Knox

Another issue is that, while certifications often present a highly idealized picture of how security controls are implemented, real-world implementation is rarely so straightforward, Kowski said. "Practical experience and continuous learning are essential to complement certification knowledge and apply it effectively in dynamic threat environments," he said.
