You're Hired! The Truth About Certifications in Cybersecurity Careers


Cybersecurity certifications, while offering a clear route to recognition and career advancement, have also become a subject of increasing scrutiny. As the industry grapples with a persistent talent shortage, the role of certifications in addressing this challenge is a complex issue.

Before exploring certifications, it is first important to understand the current cybersecurity workforce environment. According to the latest ISC2 Workforce Study, the “cyber skills gap” has surged by 19% in the past year, with an estimated 4.8 million more professionals now required to adequately secure organizations. Additionally, 67% of organizations report staffing shortages within their cybersecurity teams.

Faced with a challenging economic environment marked by layoffs, budget cuts, and hiring freezes, companies tend to focus on mid- to higher-level security specialists. For example, the ISC2 survey found that over 30% of security teams have no entry-level professionals, and 62% of hiring managers prioritize mid- to advanced-level roles, leaving fewer opportunities for newcomers.

This environment has made it increasingly difficult for cybersecurity students and junior professionals to break into the industry.

In this highly competitive market, cybersecurity certifications have become a key deciding factor in determining who gets hired and who doesn't. However, they are not guaranteed tickets into the industry.

On the one hand, candidates must choose the certification that best fits the role they wish to fill in a sea of available options. On the other, employers are looking for well-rounded candidates who bring both certifications and practical, real-world skills to the table, meaning that certifications alone are often insufficient.

Infosecurity has investigated the role of certifications in modern cybersecurity careers.

Why Cybersecurity Certifications Still Matter

At cybersecurity events like Infosecurity Europe and others, it's not uncommon to hear the argument that companies should consider hiring cybersecurity professionals regardless of certifications. Experts argue that skills like problem-solving, creativity, and adaptability—often honed through experience rather than coursework—are just as important, if not more so, than formal qualifications.

However, speaking to Infosecurity, David Gadd, Director at cyber recruitment agency TechCyber Solutions, said this argument is pure wishful thinking and far from reality.

“Despite what you can hear in the alleyways of security conferences, since there are so many applicants in cybersecurity, companies increasingly use certifications as barriers to entry into cybersecurity roles,” he said.

The primary reason for this is that many companies, especially the largest ones, rely on applicant tracking systems (ATS): software that automates the handling of recruitment and hiring by classifying and filtering applications before a person reviews them.

“Most of the time, ATS are based on buzzwords,” Gadd explains. “These systems will look for the certification required for the job and maybe even the number of times you mention it in your application. If it doesn’t appear, the system may not even select your application for human review.”

LinkedIn’s “Easy Apply” system works on a similar approach.

“Take, for instance, ISC2’s Certified Information Systems Security Professional (CISSP), which requires five years of experience. A candidate who would have these five years – and perhaps more – but has not passed the CISSP would automatically not be selected,” Gadd continued.

According to recent studies, nearly 99% of all Fortune 500 companies use ATS platforms on a regular basis. Over two-thirds of large companies (70%) and two in ten (20%) small and medium businesses (SMBs) also rely on ATS to hire people.

Additionally, certifications remain highly valued in the cybersecurity industry, as highlighted by a November 2024 thread on X by Confidence Staveley, founder of the Cybersafe Foundation.

In the posts, Staveley shared the success story of Dzorgbenyui Dordor, a Foundation member.

Dordor recounted how her ISC2 certification helped her application to stand out while other projects she led got her the job.

“During my job interview, my ISC2 certification in cybersecurity got the attention of the interviewer. Additionally, I impressed them by explaining a project I worked on during the fellowship, particularly the process of creating an access control policy and its significance for organizations. This demonstration of my skills and expertise helped me secure my position,” Dordor said.

People working in cybersecurity often add the certifications they have obtained at the end of their LinkedIn profile – and some display their certifications on digital credential websites like Credly.

The Right Certification for the Right Person

Cyber Certifications, A Busy and Confusing Field

Pursuing a security certification is just the first step in a much larger journey. With more than 470 cybersecurity certifications available—excluding vendor-specific ones—aspiring cybersecurity professionals must navigate a complex and overwhelming landscape.

Gadd said that for candidates, especially new entrants, choosing the proper certification can feel like traversing a minefield, requiring careful consideration of career goals, industry demands and personal interests.

Paul Jerimy, a cybersecurity professional and hobbyist web application developer, has created the Security Certification Roadmap, a chart representing the cyber certification landscape categorized into subdomains and levels of expertise needed.

Paul Jerimy's cybersecurity certification map as of July 2024. Source: Paul Jerimy

While several security experts, including Gadd, told Infosecurity that the chart was a good resource, some members of the Discord community ‘InfoSec Prep,’ dedicated to people wanting to get into the cybersecurity industry, criticized the categorization of some certifications, including OffSec’s Exploit Developer (OSED), Mosse Institute’s Certified Vulnerability Researcher and Exploitation Specialist (MVRE) and OffSec’s Offensive Security Certified Professional (OSCP).

Five Essential Cybersecurity Certifications to Consider for Your Career

To help people looking to pass cybersecurity certifications, Infosecurity has selected five of the most prestigious credentials with different levels and specializations.

Each entry comes with a minimum certification price, the level of skill required, a salary range expectation, the number of people certified in the US, an estimate of job openings requiring the certification in the US as of November 2024 and potential alternatives.

This data has been collected from various sources, including Paul Jerimy, Coursera, CyberSeek, StationX and the certification bodies. These are only estimates and should be considered purely indicative.

Certifications provided by tech and/or cybersecurity vendors are not included. Many trainings and courses dedicated to preparing for these certifications are available online at different prices. Some companies, like StationX, offer matchmaking assessments to help candidates choose the certification that suits them best.

CompTIA Security+, The Go-To for Beginners

CompTIA’s Security+ certification is considered one of the best entry-level certifications for aspiring cybersecurity professionals. It provides foundational knowledge of information security.

  • Certification body: CompTIA
  • Minimum price: $404
  • Skill level: Beginner
  • Salary range expectations: $70,000-$157,000
  • Number of people certified: ~266,000
  • Job openings: ~63,000
  • Other notable alternatives: ISC2’s SSCP; GIAC’s GSEC; CIISec’s ICSF

CISSP, The Unbeatable Reference

Sometimes dubbed the “hardest certification in the world,” ISC2’s Certified Information Systems Security Professional (CISSP) has established itself as the number one reference in cybersecurity.

It is the go-to credential for advanced and high-level cybersecurity roles and is widely seen as one that strengthens a resume.

  • Certification body: ISC2
  • Minimum price: $749
  • Skill level: Expert
  • Salary range expectations: $80,000-$217,000
  • Number of people certified: ~92,000
  • Job openings: ~70,000
  • Notable alternatives: ISACA’s CISM; CompTIA’s CASP; GIAC’s GSP

CCSP, To Learn Cloud Security Fundamentals

For those interested in getting into cloud security, the Certified Cloud Security Professional (CCSP) certification is a leading option.

  • Certification body: ISC2
  • Minimum price: $599
  • Skill level: Intermediate
  • Salary range expectations: $120,000-$170,000
  • Number of people certified: Unknown
  • Job openings: Unknown
  • Notable alternatives: CSA’s CCSK; CompTIA’s Server+; Mosse Institute’s MCSF

OSCP, For Aspiring Offensive Cyber Practitioners

For candidates wanting to get hired as penetration testers, red teamers, or any other offensive cyber role, most experts Infosecurity spoke with mentioned OffSec’s Offensive Security Certified Professional (OSCP) and EC-Council’s Certified Ethical Hacker (CEH) certifications.

OSCP in particular is highly regarded in the industry. Its exam simulates a live network on a private VPN and lasts up to 23 hours and 45 minutes.

  • Certification body: OffSec
  • Minimum price: $1499
  • Skill level: Intermediate-Expert
  • Salary range expectations: $100,000-$130,000
  • Number of people certified: Unknown
  • Job openings: Unknown
  • Notable alternatives: EC-Council’s CEH; GIAC’s GPEN; Mosse Institute’s MCP

CISA, For Auditing Security Roles

ISACA’s flagship certification, Certified Information Systems Auditor (CISA), has established itself as a globally recognized credential. It prepares individuals for cybersecurity roles that often involve assessing and monitoring security controls and evaluating how secure system architectures are.

  • Certification body: ISACA
  • Minimum price: $760
  • Skill level: Intermediate-Expert
  • Salary range expectations: ~$150,000
  • Number of people certified: ~36,000
  • Job openings: ~46,000
  • Notable alternatives: GIAC’s GCIA; ISC2’s CSSLP; Mile2’s C)ISSA


The Cyber Job Demand Debate

Aspiring cybersecurity professionals must navigate a complex landscape where recent debates about the actual demand for cybersecurity professionals have challenged traditional perceptions.

In a series of October LinkedIn posts and articles viewed by over 200,000 people, Ira Winkler, Field CISO at cybersecurity optimization company CYE and one of the veteran holders of ISC2’s CISSP, criticized statements made in ISC2’s 2024 Cybersecurity Workforce Study, published in September.

He questioned the report for “pushing a false narrative of a plentiful job market” when many cybersecurity professionals are being made redundant.

“ISC2 refers to a ‘Workforce Gap’ of 4.8 million people while specifically and wrongly using the word ‘demand’ for the 4.8 million people. This is an imaginary gap based upon what ISC2 assumes employers need, not what employers actually want and will pay for, which is the definition of demand,” Winkler said.

“Worldwide cyber employment is flat. Their own numbers show a total increase of 4442 cybersecurity professionals globally, which is a year over year increase of .08%. This trend appears to be going on for at least 3 years. Again, there is not a ‘demand’ gap,” he added.

In this context, Gadd said certifications can be crucial to enhance new entrants’ career prospects as long as they know they are not direct tickets to well-paid jobs.

“Don’t believe certification bodies when they claim a certification will secure you anything,” he said.

Tips on How to Secure Cybersecurity Jobs

Winkler shared some recommendations that certification bodies and hiring companies should implement to help unemployed cybersecurity professionals and new entrants get a job in the industry.

These include:

  • Waiving certification fees for unemployed members
  • Providing discussion groups specifically for unemployed members
  • Providing pins that say ‘Looking’ and ‘Hiring’ at cybersecurity events
  • Providing training on how to optimize for ATS

Gadd recommended that hiring companies move away from exclusively relying on ATS for the first rounds of the cybersecurity hiring process.

He also said this disconnect highlights the need for more accessible pathways into cybersecurity roles, including better mentorship, internships and training opportunities focusing on real-world skills.

In an article dedicated to certifications, Ross Haleliuk, founder of the Venture in Security newsletter, argued that certifications are insufficient to prove one’s ability in cyber defense and advocated for what he called an engineering approach to cybersecurity education and hiring.

Haleliuk described this approach as “valuing knowledge over credentials, hands-on skills over theoretical ideas, and the ability to learn daily over the ability to complete structured courses.”

Speaking to Infosecurity, two users of the ‘InfoSec Prep’ Discord server said certifications are over-estimated, especially for people outside the field wanting to land a job in offensive cybersecurity.

“Certifications can be a great way to learn something new, shore up technical weaknesses, or gain foundational knowledge. However, they do not provide nor prove experience. It is easy to find new people who have earned a shiny new certification and struggle to land their first position due to a lack of real-world experience,” one InfoSec Prep community member who asked to remain anonymous told Infosecurity. “[In an ideal world], entry-level certifications should be replaced by getting hands-on experience through any IT position.”

On Reddit, other users suggested to Infosecurity that new entrants try to get a non-security IT job before looking for a role in cyber.

Conclusion

While cybersecurity certifications have undoubtedly played a role in elevating the industry's standards and recognizing individual expertise, their effectiveness in addressing the persistent talent shortage remains a subject of debate.

As organizations continue to grapple with escalating cyber threats, it is imperative to explore innovative approaches to talent development and workforce diversification.

By investing in comprehensive training programs, fostering collaboration between academia and industry, and promoting diversity and inclusion, we can bridge the cybersecurity skills gap and secure a more resilient digital future.
