Forrester: Rethink Reliance on Professional Certifications

To many IT and security professionals, industry certifications are a necessary evil. Primarily due to common—yet increasingly questioned—hiring practices, certifications are vital for entry-level cybersecurity workers who need to demonstrate a baseline understanding to potential employers. However, Forrester concluded that such certifications might hurt the cybersecurity talent pool in both the short and long term.

Forrester reached these conclusions after conducting a six-month social media sentiment analysis of workers at various levels of professional seniority in cybersecurity. Overall, online sentiment revealed that most workers in the field were unenthusiastic about certifications.

Forrester found that attitudes toward cybersecurity certifications skewed negatively, with 52% of analyzed posts categorized as such. “Those expressing positive feelings made up 20% of posts, and 27% were neutral. Of that negative majority, 46% explicitly stated that they have already abandoned their certifications or are planning to do so, and 41% stated that they don’t believe their certifications are useful in their jobs,” according to the Forrester report, titled Rethink Your Reliance on Cybersecurity Certifications.

Not surprisingly, as security professionals get more experience and specialized skills, the perceived value of their certifications decreases accordingly.

“In our analysis, 39% of security professionals expressing negative sentiments stated that their certifications were either not useful or applicable in their current roles,” Forrester concluded.

While the sentiment analysis found that 22% of security professionals did believe that certifications provided value to those just beginning their careers, Forrester concluded that the ‘Certification Industrial Complex’ continuously choked the security talent pipeline.

Forrester examined how certification requirements for entry-level or early-career positions varied significantly across job postings, as did the total costs associated with preparation, test taking and certification renewals, potentially excluding many candidates. “In addition to our sentiment analysis, we analyzed early-career job postings and descriptions to understand common requirements better and reviewed the costs associated with certifications to get a sense of how much investment is required from security professionals or their employers,” Forrester wrote.

Forrester’s analysis found that certification requirements often didn’t align with the specific job and compensation levels sought. For instance, ISC2’s CISSP and ISACA’s CISM and CISA require a minimum of five years of experience to take the exam. “But our July 2022 analysis of cybersecurity job postings on Indeed found that 42% of 300 randomly selected job listings that required the CISSP, CISM, CISA, or some combination of the three were listed as entry-level. This disconnect significantly reduced the likelihood of a diverse pool of applications,” added Forrester senior analyst Jess Burn in an interview with Security Boulevard.

Additionally, the study found that applicant tracking systems (ATS) that automatically reject those who do not meet requirements (however misaligned those requirements may be) make the problem worse. Burn also noted that using certifications as job requirements in an ATS leaves behind a vast pool of candidates, primarily women and minorities, who self-select out of the process. During its research, Forrester found one chief security officer who failed to make the cut within their own company’s ATS.

The costs associated with early-career certifications are also high. They exclude underprivileged candidates who might not be able to pay for college education, boot camps and certification prep courses that cost thousands of dollars. While Forrester found that average testing fees were lower for entry-level certifications, the average cost of entry-level certification exam prep was 2.5 times higher than that of similar courses for management-level and specialty certifications.

Removing these barriers to entry could help increase the number of diverse candidates entering the cybersecurity field, as well as ease the cybersecurity skills gap.

“I want to dig down and start thinking about how we remove these barriers for early career positions. And look at how we can think about hiring differently because we’re facing a huge talent shortage,” said Burn.