Dec 6, 2022 - Technology

Employers warn cyber job seekers away from certification "alphabet soup"


Recruiters and employers are starting to warn applicants against getting too many cybersecurity training certifications, they tell Axios.

Why it matters: Cybersecurity training certifications aim to show specialized knowledge in everything from securing enterprise networks to the basics of responding to a cyber incident. And entry-level candidates can be swayed into getting as many as possible to appear more employable.

  • But those trainings are costly, and many managers don't see any value in having "an alphabet soup" of credentials.

The big picture: The U.S. currently has more than 769,000 open cybersecurity jobs, with only enough candidates to fill 68% of those roles, according to nonprofit CyberSeek.

  • This has led to more students pursuing cybersecurity degrees and midcareer professionals transitioning to the field.

Between the lines: Hiring managers prefer to hire entry-level candidates based on their experience and the initiative they've taken to learn more about cybersecurity, says Renee Small, a recruiter at Cyber Human Capital.

  • Dray Agha, a cybersecurity manager at Huntress, tells Axios that when conducting interviews, he always focuses on the underlying career goals applicants have, rather than "the alphabet soup" that's on their resumes.
  • "You only really need to get a certification when you're specializing, and that's something I think as an industry we've forgotten," Agha says.

By the numbers: 64% of cyber professionals see acquiring a new certification as a way of deepening their skills, rather than as a requirement to land a job, according to a survey released in October by certification vendor (ISC)².

  • Yet 55% said their organizations require employees to have a vendor-neutral cybersecurity certification, which focuses on foundational security topics; 38% said they need a vendor-specific certification.

Yes, but: Many employers consider security certifications a great equalizer among candidates since they establish a baseline knowledge and know-how in the field, Clar Rosso, chief executive officer of (ISC)², tells Axios.

  • (ISC)², which just established an early-career certification this year, updates its programs every three years based on conversations with employers, practitioners and others in the industry, Rosso says.
  • Most government contractors also require that cyber candidates have at least one certification, like CompTIA Security+, Small says.

The intrigue: A pathway still exists for midcareer candidates who don't have a degree in cyber or lack the resources to pursue a certification: Learn it yourself.

  • Small, who also hosts the podcast "Breaking Into Cybersecurity," recommends that those who currently work at large organizations chat with their companies' security teams to see what they can do to learn necessary skills and help out. Doing so could help them net a job down the line, she says.
  • Agha notes that many of the best applicants are those who taught themselves how to conduct analysis of malware strains or write blogs about the various cyber topics they're interested in.
  • "Money is a huge factor in all of this," Agha says. "If you can afford to do these things, then you'll get the alphabet soup, and that says something we don't talk about."

What's next: The Office of the National Cyber Director is reviewing comments for the first U.S. cyber workforce strategy, which will likely touch on cyber education issues and early-career hiring.
