Cybersecurity Certifications Are Doing More Harm Than Good

Greg Sweeney
6 min read · Apr 14, 2022
Image by the author using Canva

Using cybersecurity certifications to identify cyber talent is not an effective talent management strategy. The practice does more harm than good. Any benefits from employee certification are quickly undermined by other worrisome trends occurring today.

Many cyber leaders today use cybersecurity certifications as a minimum viable qualification. Unfortunately, this practice promotes three negative trends:

  1. It fosters undesirable mindsets and behaviors by the employees;
  2. It encourages poor resource management by the managers; and
  3. It bars entry into the field by aspiring professionals.

It’s not overly dramatic to say that these trends are slowly crushing the life out of our cyber ecosystem. And taken as a whole, the negative outcomes far outweigh any benefits.

Requiring certifications diminishes the talent pool.

Early on, cybersecurity certifications served a purpose.

Even today, there are benefits gained by sending employees through a certification training program. But hiring managers place more importance on cybersecurity certifications than they should.

In his book The Smartest Person in the Room, author Christian Espinosa points out that the current certification process misleads the industry.

Espinosa says the cybersecurity certification process doesn’t add talent to the larger cyber talent pool. While some certifications may produce better-equipped practitioners, other cybersecurity certifications are relatively easy to obtain and do little to increase an employee’s ability, or have much to do with their current role.

Paper tigers

Relatively speaking, passing a cybersecurity certification exam is equivalent to passing a college course exam. Both are mere “indicators” of knowledge and/or some capability.

The value of all knowledge/skills-based assessments is short-lived. The long-term value lies in an employee’s ability to learn and to apply that learning to produce value continuously.

So what if the premise on which cyber certification is founded is false? What if, as Espinosa suggests, certification programs aren’t producing better-equipped practitioners but are instead creating paper tigers?

Think the idea is nonsense?

Practical application

Throughout my career, I’ve worked with many of these paper tigers. These individuals held a Certified Information Systems Security Professional (CISSP) credential but had zero ability to securely design and build systems we were under contract to produce.

The most frustrating part is that they were my customer! They could not effectively evaluate our designs because they lacked the functional knowledge and skills needed to apply their certification knowledge.

Cyber certifications lead to undesirable behaviors.

The misplaced importance placed on certification has led to several undesirable mindsets and behaviors.

Sadly, a subculture of elitism exists in our community that is directly linked to the number and type of certifications a practitioner holds. And within this subculture, an unspoken hierarchy has evolved.

Elitism

Rather than simply valuing certifications as signposts of achievement, there is the widespread belief that the credentials bestow *prestige* on their holder. And the more certificates you hold, the more prestige you have. The fallout is that there is not just an attitude of superiority but an obsession to get even more credentials.

Unfortunately, this phenomenon is fueled somewhat by the importance placed on educational degrees. Employees with advanced university degrees are typically promoted to positions of higher authority, responsibility, and compensation than those with only undergraduate degrees. And while certifications are not advanced degrees, many companies have begun treating them almost the same.

Cert chasing

The other insidious problem with elitism is that it feeds on itself.

In my experience, far too many cybersecurity practitioners are motivated to acquire additional certifications beyond what they need for their current roles. This “cert chasing” is a bit like big game hunting. It’s done to satisfy the cert hunter’s desire to mount another “trophy” on their email signature wall.

One argument favoring collecting certs is that the training increases an employee’s value. And this is true — immediately following the course. But learning and knowledge have shelf lives. Numerous studies report that within six months of training, as much as 50% of the benefit of the training is lost if it is not reinforced by consistent application.

And finally, there is a growing concern over the integrity of various certification processes. Rumors consistently abound about the possibility of cheating.

And while credentialing organizations continue to invest heavily in solutions to protect the integrity of their examination process, doesn’t this issue speak to the heart of the problem? Isn’t it the disproportionate importance placed on certifications by employers that leads people to cross those ethical and moral boundaries?

It’s hard to discount the idea that the requirement for certification is fostering undesirable behaviors and mindsets in the workforce.

Encouraging poor resource management by the managers

The second issue involves employers who rely on certification programs as a means of talent management. They’ve forgotten that certification alone doesn’t guarantee a good fit for any position. Nor does it provide any indication of success — or competence.

Existing employees may perform well in their current roles and environment. But take them out of that familiar setting, and place them in a different position with different infrastructure, and the same level of performance is not guaranteed. This is why, when managers rely on certification as a measure of competence or talent, they tend to make poor decisions regarding resource management.

Managing people resources efficiently requires a clear understanding of the talent slate for the organization. Including certifications in the view often clouds the manager’s perspective.

A talent mindset

Understanding the organization’s talent slate is crucial to making sound investment decisions regarding training budgets. Sending employees who already hold a couple of certifications to yet another certification course is often a poor use of financial resources. Beyond making the employee happy, the return on that investment will be marginal at best, given the lack of knowledge retention discussed earlier.

If the employee requires re-skilling or up-skilling because of a job change, certification training programs are often not the best alternative. It’s likely the employee needs more in-depth training over a more extended period than is typically provided in the certification program.

In my organization, most of our employees must have a basic certification. Depending on their role, some may require additional certification, such as when the employee has elevated administrative privilege.

But once the basic certification requirements are met, all further investment in training and development is driven by the needs of the business, my organization, and the employee’s career path needs. Does that necessitate sending them to a conference or another certification training program?

Barriers to entry

The last issue is probably the biggest. The requirement for certification before being hired is, without a doubt, the single most significant contributor to the number of unfilled positions in the industry today.

And it is arguably unnecessary.

Many organizations have allowed themselves to be trapped into “must-hire” situations. Either by design or by accident, the organization has become “reactive” in recruitment and hiring. When this happens, hiring managers have few options besides hiring experienced, certified practitioners.

Unfortunately, they haven’t yet taken the difficult but necessary step of building a talent pipeline. This step is essential to break free from the “must-hire” quagmire. It is the only one that affords the space and flexibility to hire high-potential candidates who lack hands-on experience and certification but possess the foundational knowledge and, most importantly, the intangibles to be successful.

Final thoughts on cybersecurity certifications

Cybersecurity certifications are a double-edged sword. There are several benefits to both employees and employers. But the current practice has taken on a life of its own, spawning some undesirable trends.

Business and technology are transforming at incredible rates without slowing down. The pace and scale of change promise to diminish the long-term value of individual certifications, making them on par with a bachelor’s degree in their ability to prepare and predict success.

The practice of certification probably will not go away completely, so here are three recommendations that cybersecurity leaders can take to improve our culture and our community significantly:

  1. Disconnect certification from hiring decisions. Begin building pipelines that will feed your organization with talented professionals who can learn, perform, and grow with the organization.
  2. Discourage any notions of superiority connected with certifications. Recognize, reward, and advance based on performance and contribution to the organization. Kill the paper tigers.
  3. Refrain from using certifications as a metric for competency and talent. Certifications do not correlate with performance.

Talent drives high performance. Figure out what that looks like for the organization, and then recruit and hire the talent. Teach everything else.

Nothing is going to change until we take action. It’s time for some leadership around the systemic problem.

(No affiliate links were used in this post)

Greg Sweeney

After 20 years in the industry, I'm fascinated by the technology, talent, and cultural transformations taking place impacting cyber leaders and the workforce.