I’ve seen Tweets and heard many discussions about certifications, like CISSP, CEH, OSCP and so on, in InfoSec. No doubt certifications have value – in many situations hiring managers are quickly going through resumes and certifications are symbolic of at least book-learning, and some degree of dedication to InfoSec. Certifications can be expensive and time consuming so having them clears the bar of at least slightly dedicated.
While certifications are arguably a “good thing” inferring a recognized value understood in the InfoSec community, do people really need them to land jobs? After all, job seekers are existentially in need of employment and not likely to want to spend time and money on certifications if they are not necessary.
We have published previous blogs on certifications in InfoSec. But I was still curious as to whether certifications are required to get a job in InfoSec. So I decided to do a Twitter poll on my personal Twitter account to gather more data to help write this blog.
It appears from my Twitter poll, that certifications aren’t an absolute requirement to gain employment in InfoSec, but having them might help candidates get through HR pre-screening. Certificates were viewed as a sort of filter by a few folks.
Given two equally qualified candidates, the one with certifications might have the edge:
Several folks were sensitive to the cost of attaining some certifications reaching greater than $1000. They suggested more affordable options. Some certifications are affordable on even modest budgets.
It was pointed out that entry-level folks shouldn’t be expected to have certifications, and a few folks suggested that employers might hire candidates on a trial basis and fund their efforts to attain requisite certifications. If they pass the certification test within a defined timeframe, they become a full-time employee, if not, they do not. A pretty neat idea to allow talented yet cashflow-challenged candidates to get a foot in the door. There was a theme of understanding and sensitivity of the financial burden of acquiring certifications being extreme to some candidates.
Some folks thought alternatives to expensive certifications are options for students recently graduating or career transition situations. Bootstrapping, home malware labs and creativity in developing skills is admired by quite a few. Options like capture the flag (CTF), participating in security events, and presenting at conferences were suggested. I can attest that we have published guest blogs by students that they’ve used on their CV’s to help land a job. Having a technical blog published on a corporate blog on the resume is not a bad thing!
People also argued about the applicability of certifications for particular roles. For incident response (IR), forensics and network security, certifications might matter more than other roles. It depends on the job the hiring manager is filling. To blithely require certifications for all InfoSec roles might eliminate some excellent candidates.
Hiring managers view the projects the candidate is working on as well as their work experience, in addition to certifications. The level of the job hiring managers are filling is also key. More junior roles tend to have less of an expectation of certifications.
The bottom line
While certifications certainly don’t hurt, the Twitter poll seemed to indicate that they are not an absolute requirement. There was a feeling that certifications denote a level of training, which certainly isn’t a bad thing. But there is no guarantee that candidates who come with certifications will be able to do the job the hiring manager is filling.
With 1538 votes in the poll, backing out those responding “Show results” from the numbers, it appears about 87% of respondents thought that it is not a reasonable requirement to require expensive certifications in order for a candidate to be worthy of consideration.
