Do Cybersecurity Certifications Even Matter?

There’s a school of thought in cybersecurity—and in technology in general—that certifications don’t matter and that experience is the only thing that counts. The thought goes that certification-issuing organizations are just in the business of making money, that experience matters more than certifications, and that certifications are an ineffective measure of one’s abilities: they only measure one’s ability to take and pass tests. This school of thought simmers in the background and is most likely to come to the forefront when there are new jobs or promotions on the line. The obvious question from aspiring cybersecurity professionals: Do cybersecurity certifications even matter?

Certifications aren’t a perfect tool, but yes, they bring value and they matter in the cybersecurity career field. They can be especially useful to people trying to break into or advance within cybersecurity. That being said, let’s unpack the naysayers’ argument that certifications don’t matter.

Certification Naysayers

People who believe that cybersecurity certifications are a waste of time tend to already be gainfully employed in cybersecurity roles. That is to say, they are in the privileged position of not needing to leverage certifications to get a job. You can think of these naysayers as a vocal minority. They may be quick to proclaim they’re developing their skills doing real work, rather than chasing certifications.

Hands-on experience is always going to be valued more highly than a certification in a domain you have no professional experience in. But that’s not really the point they’re making. In this “I do real work” mantra, naysayers are displaying professional elitism: the implication is that they are better than people pursuing certifications.

Personally, I love that cybersecurity certifications help democratize self-education. The simple fact is that we’re not going to fill the skills gap by only hiring people with degrees in cybersecurity, computer science, or electrical engineering. The studying required to pass a certification exam gives aspiring cybersecurity professionals the framework to educate themselves.

What Does Your Certification Prove Anyway?

True, passing a certification exam doesn’t necessarily make you an expert in that cybersecurity domain. No one ever said it did though. Passing a certification exam proves you have demonstrated your knowledge of a cybersecurity domain to an industry-recognized minimum standard. That gives recruiters and hiring managers a means to compare apples-to-apples.

They can have a reasonable understanding of the knowledge and skills required to pass the CompTIA Security+, CompTIA CySA+, or (ISC)2 Systems Security Certified Practitioner (SSCP). No one would reasonably say that certifications are more important than real-world experience, but they provide an indicator that is easy to verify and cannot be embellished. You either passed or you didn’t.


The claim that certification exams simply test your ability to take tests has a little merit. There is a certain format to standardized tests. The format is imperfect, but necessary to scale to testing large numbers of people. It’s the same format used for the SAT or the TOEFL. If you’ve learned how to take tests in that format, you’ll have an advantage in taking certification exams.

Some tests are starting to add hands-on portions (executed in sandboxes). Some tests are predominantly hands-on, like the Offensive Security Certified Professional (OSCP). A 100% “fair” way to test the knowledge of large groups of people to a consistent standard doesn’t really exist… especially as “fair” is subjective. Standardized exams continue to be imperfect tools to test knowledge.

Are Certifying Organizations Just There to Make Money?

Goods and services cost money. The naysayers usually aren’t complaining about the cost of certification exams, but the cost of renewal or maintenance fees to keep their certifications in good standing. I get it. Paying an organization in perpetuity to say that you have a certification can get costly as the certifications add up. Claiming that certifications are a “waste of money” after you’ve already gotten the professional benefit of having passed the certification is a bit disingenuous though.

I would suggest asking your employer if they’ll pay for industry-related certification fees. A lot of employers will. Otherwise, if you don’t think you’re getting ongoing value from a certification, you can: 1) stop paying and let your certification expire, 2) suck it up and pay for it anyway, or 3) get more involved with the organization to improve the offerings or extract greater value from your certification.

Non-Certified Expertise

At the end of the day, certifications serve as indicators of your skills and knowledge. The digital badge or fancy piece of paper that accompanies the certification isn’t the goal. The knowledge that you acquire in preparation for the exam is the goal.

While certifications are an efficient way to indicate your cybersecurity knowledge, remember there is a lot of non-certified expertise out there. You’ll find people with deep technical expertise or a wide understanding of cybersecurity organizations and frameworks. Just because an individual doesn’t have a bunch of letters after their name doesn’t mean they aren’t an expert in the field.


Certifications are very useful in providing a framework to acquire new knowledge and skills as well as an efficient means to indicate that knowledge in the industry. They’re particularly useful for those breaking into cybersecurity. Use certifications to achieve those goals. Just be aware that the smartest person in the room is often not the one with the most certifications.
