
Are cybersecurity certifications a key requirement for new hires?

Cybersecurity certifications are attractive qualifications in a candidate, but hiring managers should always look for other traits when hiring security professionals.

In the past, when hiring for my security team, I've chosen candidates with various cybersecurity certifications. But I've been let down by their actual ability to perform the required duties, which leads me to believe that perhaps certifications don't really matter. Should I, as a security hiring manager, continue to gravitate toward candidates with certifications? Are they really representative of a person's skills? Are there any particular certifications that are better to have than others?

According to the 2015 Global Cybersecurity Status Report, a global survey of more than 3,400 ISACA members in 129 countries, 86% of respondents see a global cybersecurity skills gap, and 92% of those planning to hire more cybersecurity professionals this year say they expect to have difficulty finding a skilled candidate.

Candidates with cybersecurity certifications are an obvious solution to this demand. A certification can assure the hiring manager that the candidate at least has the foundational knowledge required for the job. Certifications that provide this assurance include CISSP, CISA, CISM and SSCP, as well as more specialized certifications in areas such as healthcare, fraud examination and computer forensics. There are caveats, however. When some certifications (CISA, CISM, CFE and some CompTIA certifications among them) were first introduced, experienced applicants were offered a grandfather option that waived the examination. There is nothing wrong with that in itself, but a grandfathered holder never sat the exam and may not have kept up with current technology or protection techniques.

Unfortunately, many hiring managers have been disappointed by a certified new hire's actual ability to perform the required duties, which leads them to question whether certifications are sufficient or even make a difference. Cybersecurity certifications do matter, but they should not be the only criterion managers use when hiring skilled security talent. Instead, look for a well-rounded candidate with other qualifications, including:

  • Interviews well: During the interview process, the hiring manager needs to ask the right questions. The resume will list job experience, certifications, educational background and any awards or accomplishments, but the hiring manager needs to ask direct questions that would clearly demonstrate the candidate's ability to do the job. For example, resumes that list knowledge of firewalls, IPS, DLP, privacy, security monitoring and other skills must be subject to specific questions about the product, its implementation, management and benefits to the enterprise. Additionally, the candidate should be given real-life scenarios to respond to that would provide confirmation of stated skills.
  • Clean background check: Most companies limit background checks to criminal records and for the most part that may be sufficient. However, information security positions control access to critical assets. Trust should never be an issue for security professionals.
  • Relevant and real work experience: Work experience can be more valuable than academic degrees or professional certifications but many times these candidates are never given the opportunity to demonstrate their skill set. The certifications and academic degrees create that opportunity.
  • Strong work ethic: Working harder and longer hours does not necessarily translate to a good work ethic. Working smarter, with resolve and passion, is the key element of a good work ethic. These qualities can be probed during the interview process and demonstrated during the probationary period.
  • Probationary period: All new hires should undergo a probationary period, typically 90 days. This gives the hiring manager sufficient time to confirm that the skills the new hire claimed are real and that the hire can apply them competently.

Cybersecurity certifications clearly are important to have and to maintain with continuing professional education (CPE) credits, but they are only one of several criteria used in hiring security professionals. Interviews are critical in identifying key prospects: asking the right questions to sift the purely academic candidates and good exam takers from experienced practitioners, and ensuring the candidate is a good fit for the organization, will give hiring managers the information they need to hire the skilled information security professionals they want.



This was last published in August 2015



Many certifications are becoming easier and easier for candidates to pass and obtain due to the huge number of walk-through study guides - more than 800 pieces available on Amazon for the CISSP alone. Of course it's not difficult for nearly anyone to pass now.
I'm sorry... How does CISM or CISSP prove any type of technical competence in security? It's a general knowledge exam on Security topics. One that doesn't go into any depth on the subject matter. Knowing WHEN AES was first adopted (which really has no value on any job outside of teaching CISSP) shows one can memorize facts, not that one can do a security job. It's HR people or poor managers who don't know any better that focus on this garbage, rather than use technical assessments to find out skills.

If you want certs that matter, then look at ones that use a lab-based component to show competence. OSCP, OSCE, GRE, CCIE, etc. THOSE are certifications that might prove long-term technical value to an organization. Otherwise, certs are a money-making gimmick, and their value in our industry should be significantly diminished. Too many paper tigers because people like Villegas help prop up a failing system.
This is a sticking point for lots of professions. Do we need certifications for journalists, social media folks, Web designers? Perhaps some exist, but I think the author is spot on when saying other traits might carry more weight. I would want a smart, resourceful and personable candidate. Don't give me someone who can't communicate, either. So just relying on a certification is short-sighted.

Thank you all for your comments. Admittedly, there are more specialized certs that require and demonstrate more technical abilities than the CISM (for managers) and the CISSP (foundational), but I have been in information security, technical auditing and IT risk management for over 30 years. I have seen and had highly technical staff that are excellent in what they do but unfortunately could not speak, write, communicate or understand company business objectives. Conversely, there are those with PhDs in CIS and infosec but technically have not kept up with technology. My certs are CISA, CISSP, GSEC, CEH, PCI QSA, PA QSA and, until recently, PCI ASV. None of these were grandfathered, which is a personal choice.

If you need SMEs, the clearly relevant technical certs are what you look for. If you need infosec practitioners, ask specific questions, regardless of the certs, and make sure they know the topic well.

When I was CISO at Newegg in the LA area, I managed 40 proof of concepts (POCs) for numerous security solutions for the purpose of becoming PCI DSS level 1 compliant. Now I perform and manage these PCI assessments. I share this only to address the "paper tiger" comment. BTW, my CEH is expiring in 2016 and my plans are to take the OSCP. It's called "offensive" for a reason. Thank you for your input.

We actually agree more than you might think.
If you are taking the OSCP, then make sure your hacking skills are up to snuff. That is one of the hardest tests I've ever taken. 24 hours to hack up to 5 machines in the lab, most taking multiple exploits to do (so initial penetration and then priv escalation).

The CEH is a joke and honestly, anyone serious about security should put their money back in their pocket and go look at something from SANS, eLearnSecurity or Offensive Security when looking to learn about Ethical Hacking. They have great marketing, but terrible education and skills demonstration.

I again question the statement that a CISM or CISSP or similar cert means one can speak to a C-level. It doesn't. That's a soft skill that is NOT certification-derived at all. It just seems like you are making a lot of erroneous correlation between a cert and so-called soft skill sets like writing, speaking and other communication forms. Don't get me wrong, I think those are some of the most important skill sets someone can learn to advance their career... but the security certs have NOTHING to do with them obtaining those skill sets.

I look for candidates with strong soft skills vs technical skills. I can train up the tech skills. It isn't difficult. Soft skills are a lot harder to develop.
The point of the article is whether certifications are a key requirement for new hires.
• The certs get him through the door.
• The interview gives him a seat.
• The 90-day probationary period assures he can stay.
• His technical abilities determine what kind of work I give him.
• His communication skills determine whether I give him management visibility.
Staying technical and strutting technical prowess is impressive but the Peter Principle might apply such that the technician will still wind up working for the one with a mere CISM or CISSP. Great speaking with you.
