Discover more from Venture in Security
The rise of cybersecurity certifications and why we should take an engineering approach to security education instead
Looking at professional designations in cybersecurity - why we have them, what they are expected to do, what the problem with having so many certifications is, and where we can go from here
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
Thanks for supporting Venture in Security!
The rise of cybersecurity certifications
It’s hard to find a person in the industry who would not be bitter about the number of cybersecurity vendors, and it’s even harder to judge those who feel fed up with 3500+ companies trying to reach out to schedule a demo. We have the right to demand the reduction of complexity even though I have explained why it’s not as simple as waiting until the industry consolidates.
While almost everyone is vocal about the number of vendors, very few people have questioned the problem of the proliferation of security certifications. It’s fascinating that in the field in which one’s performance is determined by their ability to secure their organization, reducing the probability of incidents and their impact, we as an industry spend so much time, money, and efforts to pursue 470+ professional designations (this number doesn’t even include the vendor-specific ones).
Source: Security Certification Roadmap
In this piece, I am looking at professional designations in cybersecurity - why we have them, what they are expected to do, what the problem with having so many certifications is, and where we can go from here.
Talking about the value of professional designations is tough for many reasons. First, not all certifications are created equal: some require candidates to demonstrate hands-on skills, others ask for several years of experience, completion of a 100+ questions exam, and an endorsement from experienced practitioners, while quite a few are just a matter of paying money and passing a multiple-choice test. Any generalizations that cover all of these and other types of credentials are of limited value. Second, people in the industry tend to self-assign to one of the three camps: those pursuing cybersecurity designations and listing tens of them on their LinkedIn profiles, those who achieved one or two most recognized designations, and those who don’t have any. The motivations of each segment also vary:
A large number of practitioners enjoy lifelong learning and look for ways to stay up to date with the ever-changing security landscape
Many people seek something that would give them a sense of achievement and find that attaining certifications fulfills this need
A large number of security professionals are required to pass one or more certifications to meet the requirements for being hired in the public sector
Quite a few want to check off the certification box for recruiters and hiring managers who are looking for those few letters on the resume
Some people see little to no value in paying for credentials and spending time preparing for multiple-choice tests
A small subset of folks who tried and failed to achieve the certification they wanted, ended up bitter about the value and the need for professional designations
This list doesn’t reflect the full variety of personal situations and subjective opinions. Instead of trying to figure out what different people think of security certifications, let’s look at the major reasons why cybersecurity certifications are a thing and the problems they are supposedly designed to solve.
The intent of this piece is to take an objective look at the proliferation of cybersecurity certifications; it is not to declare that credentials are “critical” or “useless”, nor is it to say that people who achieved them are using their time unwisely. I myself have attained a bunch of certifications throughout my career including Chartered Property Casualty Underwriter (CPCU), Associate in Risk Management (ARM), Risk Management Professional (PMI-RMP), Certified Product Manager (CPM), Certified Scrum Product Owner (CSPO), Security+, etc. For the sake of clarity, I must add that I have let all of them expire, and I do not add certifications behind my name. On the list of things I am most proud of in my professional life, there is no place for certifications, no matter what’s required to achieve them.
Common drivers to pursuing cybersecurity certifications
Cybersecurity certifications for learning and talent development
One of the biggest challenges of cybersecurity is the fact that the body of knowledge a security practitioner needs to understand is evolving daily. Moreover, the smallest gap in one’s understanding of a security area can hinder their ability to defend the organization they were hired to protect. The cost of making a mistake or not knowing something can be very high.
When a software engineer makes an error, misses a critical scenario, or overlooks an important business requirement, there is a system in place designed to address the gap. A typical flow looks as follows: someone will report the issue, a quality assurance or a product person will reproduce, triage, and prioritize it, after which the software engineer will fix it. A quality assurance team will test the fix, and once everything is done, it will be released to production. More important than the process is the shared understanding that mistakes do and will happen, but most of them can be addressed in a relatively calm and painless manner.
For security professionals, the perceived tolerance for gaps and mistakes appears to be lower: any “bug” they introduce or fail to catch can get the company compromised. In many organizations, security people are not allowed to make a mistake, which creates an unhealthy relationship with failure and learning. Unlike software engineers encouraged to “fail fast and fail often”, security teams are too often asked to operate with the “fail never” mindset.
Anyone who works in the tech space knows that fear of missing out (FOMO) is real: there is always a new technology, a better way of doing things, a new tool, a new go-to-market approach, and so on. While feeling under pressure to learn and stay current is a healthy response to the reality of the technology industry, for many security practitioners it translates into a constant fear that unless they take every certification, every class, and every course available, they will fail to protect, fail to detect, fail to respond, and ultimately - fail to fulfill their responsibility. Most cybersecurity organizations understand the importance of continuous learning and provide employees with budgets which many use to attain stack-up security certifications.
The reality of cybersecurity is that certifications aren’t the only, and most importantly - the best way to keep up with the fast-changing industry. First, security is a technical discipline so being hands-on, and continuously trying and testing new approaches and techniques in the home lab is the best way to stay relevant. Second, by participating in Discord, Slack, and similar online communities for practitioners, and by attending and speaking at practitioner-focused events such as Defcon, FIRST, Blue Team Con, and BSides, security professionals can keep their hand on the pulse of what’s happening daily. Certification standards and content, on the other hand, typically get updated every few years. Third, once one has achieved the most recognizable and comprehensive one or two certifications, they typically find that many others will repeat the same material and/or offer marginal additional value (the same cannot always be said about people who tailor their learning journey to acquire new and complementary skills).
Cybersecurity certifications in hiring and talent evaluation
Hiring and evaluating cybersecurity professionals is hard, and this fact has been one of the driving reasons for the proliferation of security designations. Following decades of experience hiring software engineers, we have learned to assess what truly matters, namely, their ability to solve hard problems, build quality code, and work well with others. This level of maturity goes well beyond software engineering: a good infrastructure engineer with experience in GCP will be able to reasonably quickly get up to speed with AWS, and a data engineer doesn’t have to be proficient in Scala to learn it on the job. In cybersecurity, on the other hand, we still haven’t mastered hiring, and in the absence of a generally accepted hiring process, we are relying on external validation - certifications and degrees - to decide if we want to bring a person in for an interview.
What increases the reliance on cybersecurity certifications in hiring, even more, is the talent mobility between the government and the private sector. The government, known for bureaucratic processes and formalities, requires anyone who wants to work in the public sector to meet certain requirements as evidenced by achieving professional designations. Since people in security move between the government and private companies all the time, hiring managers in businesses started asking for the same certifications as their public sector counterparts. It doesn’t help that cybersecurity in most places is seen as a fairly hierarchical discipline (we’ve even brought the tiered support model to the SOC), and in order to earn a promotion, people in many organizations need to check the box and show that they have a senior-level security certification.
This reliance on formal stamps of approval from external bodies can be especially painful for those trying to pivot their careers into cybersecurity and find that coveted entry-level security role. For someone new to security, learning the security language, picking up basic concepts, and showing their dedication by passing one or two certifications is typically a good idea. The reality is that beyond that, to demonstrate that they are ready for the job, people looking to break into the industry would greatly benefit from gaining hands-on skills and experiences. Contrary to popular belief, it can be done while job hunting. Eric Capuano, CTO & founder of Recon InfoSec and a SANS DFIR Instructor, wrote a great series I would highly recommend to anyone looking to get started in security:
One way or another, certifications do often play an important role during the hiring process. It’s worth noting that typically, less is more, and listing more than 3-5 credentials can be perceived as a sign that a person is more interested in passing tests than actually securing their organization.
As the industry evolves, I think we need to develop ways to evaluate skills, passion, and abilities people bring to the table more objectively, without relying on certifications or other external signs of validation. There are many reasons for that. First, we are competing with adversaries who invest in developing their hands-on skills while we go to Prometric centers to sit multiple-choice exams. If the defense wants to win, it needs to start prioritizing what matters. Second, the skills needed to read a book, memorize flashcards, and pass a test are very different from the skills required to recognize unusual behavior and execute effective responses. By promoting people based on certifications instead of merit, we are creating wrong incentives and advancing those who may not be the best fit for their new role. Third, certifications aren’t cheap, and by discarding resumes that lack some arbitrary four-letter abbreviations we are very likely making it harder for hardworking, motivated, resourceful candidates from less fortunate backgrounds to get into the industry. I would argue that a single mother passionate about the industry who spent hours learning practical skills and won a CTF competition may be a better and certainly more motivated candidate than someone lucky to have had their certification and a week-long preparation course fully paid for.
Companies that require prospective applicants to show tool-focused certifications are the biggest offenders. As the industry matures, we need to move away from asking for and relying on vendor-specific certifications. Technology is constantly evolving, and we need people in security who can keep up with this evolution, which can only be done by those with a good vendor-agnostic understanding of the space. Similar to how we are expecting people to have a generic driver’s license instead of simply graduating from a course on “navigating a self-driving Tesla on a sunny day within ten blocks of San Francisco”, we need security practitioners who can do the job with any tool, not simply rely on a specific self-driving product and only in perfect conditions. This is when taking inspiration from software engineering can help us again. The number one skill top companies look for when hiring software engineers is the ability to solve complex problems. Tasks such as solving algorithms are designed to demonstrate critical thinking, the ability to break down problems into small parts, prioritization skills, and the like. The best engineering teams know that a good engineer will quickly pick up new tools (languages, tech stack, etc.), and familiarity with a specific framework is nice to have, not a requirement. Security can and should borrow the same mindset when it comes to hiring.
Cybersecurity certifications as a source of dopamine and psychological relief
Despite what some people in the industry may say, I would argue that one of the main reasons for the proliferation of cybersecurity certifications has to do with the psychology of the industry.
Securing people and organizations is hard, and doing all that while knowing that a single mistake, a single gap can undo months and years of hard work is even harder. Worse yet, security often feels like a losing battle: no matter what you do, something will break, and when it does, the consequences can be catastrophic. The constant threat of a destructive cyber attack takes a toll on security professionals regardless of their tenure, area of work, or job title. In this sea of uncertainty, security certifications give people some sense of accomplishment, some validation that they are not worse than their peers, that they do know what they are expected to know, even if everyone everywhere is screaming “You know nothing, vulnerabilities are everywhere, and everything can fail”.
Having something to be recognized for and something to celebrate is especially important when we consider how many people in the industry suffer from imposter syndrome. Those who don’t have an educational background in security have it even worse. There are very few ways to give security professionals who pivoted from other fields into cybersecurity some assurance that they are indeed good enough and that they do have a level of knowledge similar to that of their peers who studied security and security-adjacent disciplines. Security certifications are one of the ways in which this can be done: by achieving recognizable and respected industry credentials, many security practitioners become more confident in their jobs and learn to better understand the importance of their hard work.
Professional validation from a certifying body isn’t the only thing security professionals crave. Even more than that, security leaders and practitioners are looking for recognition of their work. In most companies, it’s those responsible for generating revenue and meeting financial goals - sales, marketing, product, software engineering, and alike whose work gets celebrated. People on security teams learned to see their work as a never-ending stream of events, logs, threats, and attackers. Security certifications provide them with milestones, points of celebration, and small victories they can be proud of.
Most people have the same needs - we crave a community of peers, some form of recognition for our efforts, and a validation that we are indeed progressing in life. Security certifications help fill some of these voids, and in the absence of any alternatives that might be a good thing. When we finally start recognizing the titanic security professionals put in to make us safer, when we improve our hiring practices to be more objective, and when (and if) security will become less stressful, we can then be more active in discussing the need for 470+ security certifications. As it stands, they might just be one of the very few things left to make security professionals deal with crippling imposter syndrome and keep their heads up.
One alternative that may enable security practitioners to satisfy the same needs without becoming addicted to passing exams and stacking security certifications is getting involved with their community. Almost every mid-size city these days has a Meetup, a BSides event, or a similar community they can connect with. Becoming active in the community makes it easier to learn, build relationships with peers, and get recognized for the experience and expertise by helping others, mentoring, and speaking at security events.
Going into the future: taking an engineering approach to cybersecurity education
Due to the demand for cybersecurity certifications, we see more and more education providers jumping on the bandwagon to offer a “must-have” acronym people can put behind their names. To their credit, the vast majority of institutions are ethical, focused on teaching important skills, and are overseen by security practitioners of high integrity. Unfortunately, that cannot be said about all.
The biggest challenge with certifications in my view has nothing to do with the integrity of the education providers; instead, it is a result of the core of what professional designations represent. Certifications are tools to demonstrate a certain level of knowledge. As such, they can be used to establish a foundational understanding of the space and controls for entry-level security professionals, but they are not as helpful to defend against the adversary. Attackers are highly motivated, skilled, and technically proficient adversaries looking for holes in the organization’s environment. To defend against the adversary, it’s not enough for practitioners on the defense side to know the theory of security; instead, they need to have the ability to think and problem-solve on their feet - something that certifications do not necessarily help to develop.
I often talk about the need to take an engineering approach to cybersecurity. I am convinced that taking an engineering approach to security is changing what security is, and how it is being done. Most importantly, it changes our approach to knowledge and cybersecurity education.
Taking an engineering approach to cybersecurity education means valuing knowledge over credentials, hands-on skills over theoretical ideas, and the ability to learn daily over the ability to complete structured courses.
Software engineers know that the skills they get in university when pursuing a computer science or software engineering degree are foundational for their careers. Getting an understanding of foundations, whether through school or self-study, is critical: programming languages come and go, but understanding the core of how technology works and how to solve technical problems will propel people’s careers throughout their lifetime. The undergraduate computer science degrees often do not prepare the graduates for the real world: I have seen many students go to bootcamps and coding schools, or join college clubs to learn how to prototype and ship functional products.
Very few educational programs in cybersecurity provide a holistic foundational understanding of security. Instead, they often focus on either job-ready skills, or using specific tools to accomplish a task at hand. The gap is real: we have people graduating with diplomas and degrees in cybersecurity who learned how to do vulnerability scanning with tool X but have no understanding of the underlying technology, and what constitutes vulnerability management without tool X. Security vendors that position courses about using their products as “cybersecurity education” don’t make the situation any better. Security practitioners have to understand that tools are just that - tools; they are needed to do the job but they are not the job itself. Tools should be interchangeable (if what you want is a ticketing platform, then GitHub can do the job as well as Jira), and security practitioners should be able to evaluate different options and find the best tool for the job. Without a foundational understanding of how security works, they are likely to become dependent on specific widgets and vendors.
Software engineers are learning new skills daily - there are always new approaches, new frameworks, new programming languages, and new tools. To learn, they talk to their peers, do online research, ask questions on Stack Overflow, contribute to open source repositories, and pursue their own ideas by building passion projects on the side. Security practitioners need to embrace this approach of continuous learning, and realize that the skills they build when working on something in their home lab, participating in capture the flag (CTF) competitions, taking part in “villages'' at security conferences, taking hands-on training such as that by Chris Sanders, contributing to open source initiatives, and staying on top of new ideas and perspectives are much more useful than passing a yet another multiple choice test and becoming “certified”. In the past years, we have seen more and more conferences featuring accessible hands-on labs and training, and some organizations such as Antisyphon Training even provide free or “pay-what-you-want” courses. That combined with the rise of open source tools, makes it possible for security practitioners to learn the practical skills they will need to use in their day-to-day jobs, often for a fraction of the cost of security certifications.
The defenders of our digital world are up against adversaries who are continuously mastering their hands-on skills, finding new gaps in our environments, and moving fast to exploit them. They are not pursuing certifications, not taking multiple-choice tests, and not spending money on keeping their designations “in good standing”. I previously talked at length about the importance of adopting a security-first mindset and why compliance is a bad substitute for security. Following the same thought, we must invest in helping people develop solid foundations in security, coupled with strong practical, hands-on education. We need people who understand how the code works, how it can be subverted into doing what it wasn’t designed to do, what the intricacies of the organization's infrastructure are, and how to defend that. We need those who can do the work needed to secure our future; any professional training is only useful insofar as it helps us get there.
The changes are already underway. In the past several months, I have been seeing more and more security practitioners come out to say that certifications are not enough. Here are just some of the examples.
Source: Jay Jay Davey
Source: Gwyneth Peña-Siguenza
It’s not that certifications are not useful, it is that they are not enough and that overly focusing on credentials doesn’t help people build the skills they need to be successful in cyber defense.
There is nothing inherently bad or great about pursuing cybersecurity designations. Someone looking to pivot their career to cybersecurity may find that most HR and hiring managers prefer candidates who can show their dedication to the field (even in that case, the time when a certification alone would make the candidate stand out is long gone). Someone looking to get promoted in a large organization may need to get that senior-level professional designation before that can happen. Everyone’s experiences are different, and what makes sense in one situation, may be a bad idea in another.
The debate about the value of professional certifications is akin to the debate about compliance vs security: checking the FedRAMP, SOC2 or similar compliance box can be a requirement to stay in business, but a company isn’t going to become great at doing business because it’s certified. Pursuing professional designations will not make anyone worse at their job; the question is to what degree will it make them better. The marginal value of stacking certifications one on top of another diminishes pretty quickly. At the same time, the psychological benefits of achieving security credentials can be quite impactful.
Cybersecurity professionals looking to grow and become great at their area of focus may be better off investing their time and money in developing practical skills. This may mean building products or offering services on the side, assembling tools and doing research in their home lab, participating in capture the flag (CTF) competitions, taking part in “villages” at security conferences, contributing to open source initiatives, helping non-profit organizations with their security, speaking at security conferences and alike. The practical skills built by staying active, combined with the power of meaningful networking, and the warmth of the community of professional peers, greatly outweigh the value of putting three-to-five-letter abbreviations on one’s LinkedIn page.