Should Certification For Cyber Security Professionals Be A Requirement?

It’s never been a more challenging time to be a cyber security professional. Phishing and ransomware attacks are up, record numbers of employees are working from home and CISOs are stressed to the max. On the flip side, companies recognize and value the critical role cyber security plays in protecting an organization. At a time like this, how important is it for security professionals to be certified?

Like most issues, there are pros and cons. Perhaps the most compelling reason in favor of certification is in salary disparity. Cyber security professionals with certifications in North America can earn an average of $93,000 compared to an average of $76,500 for professionals without certification, according to a 2019 study by the International Information System Security Certification Consortium (ISC)².

The pay disparity is not as great for European security pros, who can earn an average of $59,000 with certifications compared to an average of $52,000 for those without, (ISC)² says.

People typically don’t pursue certification just because a job demands it, notes Wesley Simpson, chief operating officer of the (ISC)² .

“Most professionals pursue certification not based on a particular job requirement, but as a differentiator that validates their knowledge and career experience,’’ Simpson says.

However, having a cyber security certification in the U.S., especially for someone who might be competing for a new role, is a differentiator, says Paul Farnsworth, chief technology officer of DHI Group, parent company of IT job site Dice.

“Many employers see certifications as a differentiating factor when reviewing technologists’ skills and experience,’’ Farnsworth says. “Having cyber security certifications can also help attract recruiters since automated resume scanners and other AI tools are often keyed to pick up certain certification titles.”

In addition to the higher salary a cyber security certification garners, the other inherent value is that it enables hiring managers to establish the credibility of a job applicant, “knowing that certification affirms a broad knowledge base, endorsement by other professionals and adherence to a code of ethics,” adds Simpson.

The Case For Not Getting Certified

 But there’s also a compelling reason why cyber security professionals might opt not to get certified, Simpson says.

“While we believe accredited cyber security certification is extremely valuable for practitioners to validate their expertise and for employers to have confidence in the staff they hire, certification should not be a blanket prerequisite for all cyber security positions,’’ he says. “Globally, we are facing a cyber security skills shortage of more than four million professionals. Our profession, as well as hiring organizations, need to be flexible and creative when it comes to building the ranks of qualified cyber security professionals around the world.”

The reality is that many entry-level and even mid-level positions will be appealing to candidates without the years of experience required to earn many of today’s in-demand cyber security certifications, Simpson says.

“That’s where we are going to pull in new talent to help fill the skills gap. Ultimately, these individuals will be eager to pursue certification as they advance in their new careers,’’ he says. “While certification plays a vital role in professionalizing the workforce and creating necessary global standards, making certifications a blanket requirement for all positions may ultimately further delay our abilities to fill the ranks of cyber security professionals around the world.” 

The topic of whether cyber security professionals should be certified was discussed on a recent Task Force 7 radio episode between host George Rettas, and his guest, Adriana Sanford, a senior fellow at the Center of Intelligence and National Security at the University of Oklahoma.

Commenting that “Singapore actually requires licensing for security,’’ Rettas said, “in the United States, just about anybody can say that they are a security expert or security professional and that they have a license. There's been questions and talk about, should we require the same?”

Sanford said she was not sure, although she agreed that “if you are looking for a cyber expert and you hire somebody, they can make a mess of your business. Licensing might be an option for us here in this country.”

But Sanford added, “The argument on the other side is that there are a lot of people that are very, very good at this and actually may not want to get licensed.”

Under the Singapore Act for Information Security, organizations can be fined up to $1 mn if they fail to secure their customers details, according to EC-Council Singapore, a provider of IT security certification and training.

Other industry observers believe that the question of whether to pursue a cyber security certificate depends on what a security professional’s end goal is. Do they want to enter the manager track and eventually become a CISO? Or does a candidate want to specialize in a particular field, such as containers or Kubernetes?

If you do opt for a cyber security certification remember that not all certifications are created equal. The  Certified Information Systems Security Professional (CISSP) certification is considered the “gold standard” by many organizations, but there are others that command respect as well, such as:

• Information Systems Security Architecture Professional (CISSP-ISSAP).
• Information Systems Security Engineering Professional (CISSP-ISSEP).
• Information Systems Security Management Professional (CISSP-ISSMP).

The bottom line: Make sure the one you are putting time, money, and energy into obtaining is worth it.

Photos Courtesy: ISC² 2019 Cybersecurity Workforce Study