IT certifications for security pros: Still valuable?

The security community debates the value of some IT certifications – and sniffs out pretenders quickly. Which certifications are worthwhile?
367 readers like this.
CIO Security

Credible IT certifications are typically considered a net positive. They’re not the backbone of a successful career, but they can be useful complementary pieces. This is especially true when you’re just starting out, when you’re looking to boost your profile in an emerging technology area, or simply when your employer sponsors or requires it.

But there’s debate about the worth of certifications in the security community: The value of a particular certification can rise and fall over time, and one person’s “must-have” credential is another’s “why bother?”

[ Read also: 13 top-paying IT certifications for 2019. ]

“Certifications are a contentious topic among those in the security community,” says Brian Wilson, CISO at SAS. “Some professionals have torn up their certifications to protest how the governing bodies have devalued certain credentials. They’ve raised the barriers to entry for many enthusiasts by requiring expensive courses or mandatory maintenance fees while not always showing value for the investments.”

Security certifications are not cheap

Eric Poynton, lead network threat hunter at Awake Security, also notes the cost factor. A self-taught security practitioner himself, Poynton says he values front-line experience over certifications.

“I have met many individuals who hold certifications that cannot apply that knowledge coherently,” he says.

Wilson says he also seeks a much broader picture of a candidate than certifications. It’s a healthy reminder for job-seekers to not treat such credentials as Exhibit A in your case for why you’re the right fit for the job.

Pay attention at live events and in online discussions to how peers and hiring managers view certain credentials.

“[We focus] first and foremost on what the person has done during their career, and less on certifications,” says Brian Johnson, CEO of DivvyCloud. “Certifications are a great way that someone can demonstrate their competency in a technical area, but we are more interested in how they have demonstrated capability…and commitment to their field. We look carefully at these elements in terms of resume construction and also during interviews.”

This doesn’t mean security certifications have no value. As Johnson notes, they’re a calling card that can demonstrate competency and give you a boost in skill areas like security that have well-known talent shortages. Just keep in mind that the debate over the value of a particular cert can be especially fierce in the security industry. Fakers are likely to be sniffed out quickly.

So pay attention at live events and in online discussions to how peers and hiring managers view certain credentials. Here are several certifications that appear to be running especially hot right now in the security field.

1. Offensive Security Certified Professional (OSCP)

“For security analysts, I am interested in seeing the OSCP and not much else,” Poynton says. “The OSCP is a 24-hour, hands-on exam, which proves an individual is technically capable and understands how to hack, and therefore can spot hackers more easily in networks.”

Poynton says the Certified Ethical Hacker credential is also good, but he notes that it tilts more toward theoretical knowledge than technical chops.

Entry-level security certifications can be fine for beginners, in Poynton’s view, but they are more about understanding basic topics than hands-on practice. A self-taught practitioner himself, Poynton says he learned more from a year on the job than from two of the entry-level security certs combined.

2. Offensive Security Certified Expert (OSCE)

Wilson from SAS is also a fan of the OSCP, as well as its more intensive sibling, which requires a 48-hour exam.

“There are specific, sought-after certificates that require a hands-on mastery of skills,” Wilson says, and OSCP and OSCE are two of them. “In most cases, you know you’re going to get a highly qualified professional if a person has earned these designations.”

3. Platform-specific cloud security certificates

Multiple cloud service providers, especially public cloud vendors, offer security-specific credentials. As cloud – and especially multi-cloud – adoption grows, so does the need for qualified IT pros who can secure an increasingly distributed threat landscape. Platform-specific certifications can be particularly valuable among employers who use those particular platforms, or in organizations where those platforms are core to the business – such as DivvyCloud. In fact, Johnson says he even values CSP security certification among non-technical roles.

“Because we build security software that protects enterprise customers using major cloud service providers, we do appreciate candidates – from all areas of the business – who have attained one or more certifications from a major CSP,” Johnson says. “We think this demonstration of competency is equally valuable for candidates in engineering as with other business areas, like customer success or sales and marketing. We encourage our team to pursue these types of CSP certifications."

This is one reason why you’ll continue to see cloud-specific certifications – including those focused on the security of these clouds – grow in popularity.

4. Certified Information Systems Security Professional (CISSP)

This certification isn’t new or trendy, but Mahesh Ramachandran, vice president of product management at OpsRamp, recently told us it still makes an impact for potential hires.

Its relevance to various IT priorities – from cloud services to AI and machine learning to big data – isn’t getting enough attention, according to Ramachandran. This may be especially true when you’re seeking (or hiring) management or executive-level roles.

“This certification is often overlooked in the face of other cloud security certifications, but it’s every bit as important.”

“I believe this certification is often overlooked in the face of other cloud security certifications, but it’s every bit as important, particularly because this specific certification is built for management-level expertise,” Ramachandran says.

“Whereas most security certifications are obsessed with ‘bottom-of-the-network’ intrusions and hackers, this certification is focused on how to actually engineer security into an overall solution or department, which is often overlooked. Most IT teams are still looking at specific tools to protect against vulnerabilities without focusing on the larger infrastructure issues.”

[ Read the related article: 15 IT certifications worth watching. ]

Other avenues for ongoing professional development

Depending on the skill area you’re looking to boost, Poynton advises looking to online education platforms such as or and similar sites.

“I’d rather have my teammates earn several CEUs (Continuing Education Units) in the areas that they are interested in, rather than a certification that does not necessarily guarantee that they technically understand the material at hand,” Poynton says. “Application is key, and I think CEUs and spending time in lab environments is the best way to gain knowledge in a way that is easily applicable to one’s job.”

What else are security leaders looking for?

So what other elements are CISOs like Wilson looking for in prospective hires?

“What we look for is real-world experience, an ability to think outside the box, and the poise and confidence to support your stance on a variety of IT and security topics,” Wilson says.

“We also value other tangible qualities that we can research before meeting with a prospective team member," Wilson says. "Has the candidate made contributions to the security community? Does the candidate volunteer for security education programs like various STEM and student hackathon programs? That gives us insight into the talents of prospective new hires.”

That’s a valuable tip: Volunteer work can not only help you demonstrate experience, but also tell the potential employer a little about you as a person.

[ Are you searching for a new job? We have expert advice from leading technology recruiters. Download our IT job interview cheat sheet. ] 

Kevin Casey writes about technology and business for a variety of publications. He won an Azbee Award, given by the American Society of Business Publication Editors, for his story, "Are You Too Old For IT?" He's a former community choice honoree in the Small Business Influencer Awards.