The True Value of Cybersecurity Certification

(The Agony of Hiring Cyber Talent — PART 2)

@johnnychronix
Published in ZeroGuard
Aug 17, 2021

In part one of this series, “The Agony of Hiring Cyber Talent”, I delved into the talent shortage and some of the main problems with finding a hire for the cybersecurity industry (although these problems are certainly not limited to this field).

In this part, we will explore the various routes to obtaining certifications, their pros and cons, and the value an employee perceives in a certification as opposed to the actual value an employer gets from hiring someone who holds it.

“Do I actually need certification?”

According to a recent report by the US Bureau of Labor Statistics, the median salary for an information security analyst in the US is $98,350. Because of the shortage of trained cybersecurity professionals (see my previous article), many organizations rely on a candidate’s industry certifications as an indicator of legitimacy and applicable knowledge. That reliance on niche certifications, combined with demand, is what is driving up the price of this position and of other security roles.

Now I’m not going to discount the benefits of university or any other post-secondary education. Attending often helps towards reaching career goals, or simply getting one’s foot in the door. However, we can’t ignore the fact that, no matter how recently the course was completed, by the very nature of the cybersecurity business the textbooks and teachings are already out of date by the time the graduate hits the workforce. On top of that, post-secondary education is expensive and generally takes up to four years of commitment.

In lieu of the more traditional training routes such as universities and colleges, many of those looking to get into the cybersecurity field are going online to get certified. This is a viable route, and much like university it requires the student to invest significant time and money, around $2,000–5,000 for a course from an established online training provider. Examples include SANS (whose certifications are issued through GIAC), CAPSLOCK, Cybrary and Udemy, although this list is by no means complete and is constantly growing. Additionally, consider looking into ISACA, (ISC)² and ISSA. Of course certification can also be done for free, or for a nominal amount, but bear in mind you get what you pay for.

“What are the best cybersecurity certs?”

As expected, the skills required to work in cybersecurity vary depending on the position and company, but generally include penetration testing, risk analysis, and security assessment. Certified in Risk and Information Systems Control (CRISC, ISACA), Certified Information Security Manager (CISM, ISACA), and Certified Information Systems Security Professional (CISSP, (ISC)²) are generally the most sought after by companies hiring for security roles. Others include:

  • CEH — Certified Ethical Hacker (EC-Council)
  • CHFI — Computer Hacking Forensic Investigator (EC-Council)
  • CyberSec First Responder: Threat Detection and Response (Logical Operations)
  • Security+ — (CompTIA)
  • CCSP — Certified Cloud Security Professional ((ISC)²)
  • CySA+ — Cybersecurity Analyst+ (CompTIA)

“It’s better to give your employees a 20K raise than to buy them certs”

Any time one invests money and time into advancing career knowledge, it should be reflected in one’s paycheque. I’m not arguing that point, and indeed most employers have no problem with it either. The problem is that the training is dated, or not relevant to the organization, so the employer has to re-train regardless. Or at least they should; recent breaches certainly suggest otherwise. The bottom line is that the cost of the cert investment is often not reflected in the actual value delivered.

So is it any wonder that many companies are reluctant to invest in industry certifications, given how expensive they are? This is especially true when the person who gets the cert(s) tends to get an inflated sense of worth as their market value increases, even though the certification doesn’t necessarily represent the skill and capacity of that individual.

In fact, from a risk perspective, an employer is better off taking the $20K or so it would spend on certificates and giving it straight to the employee as an incentive or raise, then directing them to do tailored self-training focused specifically on the company’s needs. In this scenario, an employee is also more likely to stay than if given $20K of certs in lieu of a pay raise.

We have learned first-hand on more than one occasion that hiring a university or online academy graduate still required training the hire from scratch, because the teaching wasn’t strong enough or even remotely applicable to the real world. Plus, we’ve occasionally encountered reluctance to do that training, because the hire feels they’ve “already done it. What’s the point?”

The truth is, one needs neither a bachelor’s degree in a specific field nor any certifications to be great at security. Cybersecurity is a learned skill, best absorbed through hands-on experience.

So what are the options? Well, having an internal training program to develop our own tailored “certs” is the route we’re exploring, and it seems to work. We will delve into this deeper in the finale of this series…
