Should You Trust Cybersecurity Certifications?

There’s a major discrepancy between the number of organizations that are investing in cybersecurity certification programs and the number that feel prepared for an attack, according to an Immersive Labs report.

While almost all organizations encourage industry certifications, fewer than a third (32%) of the 570 senior security and risk leaders surveyed said those certifications were effective at mitigating cybersecurity threats, and most said their company lacked a framework with metrics to measure and demonstrate cybersecurity resilience.

The survey also revealed that despite 86% of organizations having a cybersecurity resilience program, more than half (52%) of respondents said their organization lacked a comprehensive approach to assessing cybersecurity resilience.

A Lack of Confidence

Max Vetter, vice president of cyber at Immersive Labs, said it is concerning that two out of three organizations lacked confidence that the other 95% of the workforce would know how to recover from a cybersecurity incident.

“The significant disconnect between leaders’ expectations and their teams’ capabilities can potentially leave organizations in an incredibly vulnerable position,” he explained.

That means it is up to security leaders to ensure they have the support and capabilities to measure and prove that their teams are prepared to respond effectively to threats and not crumble under the pressure of an inevitable cyberattack.

Vetter points out that while cybersecurity certifications may offer baseline knowledge, they do not incorporate the real-life experience necessary to handle the ever-evolving threat landscape.

“Certifications may beef up a resumé, but they do not guarantee someone is prepared to handle an active security threat,” he cautioned. “Costly and time-consuming industry certifications simply cannot work at the speed of cybersecurity, so they’re proving ineffective at mitigating threats.”

Because certification curricula are refreshed far less often than the threat landscape changes, certifications can offer general direction on how to approach threats, but they cannot be relied on to build awareness of, or preparedness for, emerging threats.

“Lastly, given the existing disconnect in confidence and abilities, the check-box method of industry certifications signals a general knowledge gap in gauging readiness, preparedness and overall cybersecurity resilience,” Vetter added.

George Jones, CISO at Critical Start, said he was most concerned about the apparent need to prioritize workforce preparedness and the lack of standardized metrics to demonstrate cybersecurity resilience.

“There is significant concern that employees will not be able to effectively handle critical tasks without core systems and the lack of process to ensure that compromised systems are not connected to networks, causing further damage and hindering recovery efforts,” he said.

From his perspective, the lack of metrics and the absence of a universal framework highlighted a general inability to quantitatively evaluate and communicate cybersecurity resilience to boards and executive teams.

The Impact of Remote Work on Cybersecurity Certification Requirements

He added that shifting patterns in work locations significantly impacted cybersecurity certification and training requirements.

“The emphasis on endpoint security awareness and data protection has created higher workloads for security teams,” Jones explained.

This has highlighted the importance of better training programs to help staff recognize emerging threats and the increasing risks associated with phishing and social engineering.

Shawn Surber, senior director of technical account management at Tanium, said organizations need to continue to invest in their workforce, but they need to ensure that their IT staff is being educated on the key company goals and initiatives.

“They must then tie their continued IT training to the tools and processes that will enable support of those goals and initiatives,” he said. “In other words, teaching your staff what matters to the organization and how to use the tools they’ve got is more important than generic certifications.”

He added that it’s impossible for an organization to have a comprehensive approach to assessing its cybersecurity resilience or tracking the effects of an implemented program without a complete view of its cybersecurity environment.

“Companies that are successful at assessing and improving their cybersecurity resilience are the ones that are converging their teams, tools and processes onto common technical platforms with common goals,” Surber said.

Vetter said it was encouraging to see that cybersecurity resilience is top of mind for many organizations, as it is the highest-ranked strategic priority and spending priority in 2023.

“There is certainly room for improvement in terms of the effectiveness of their resilience strategies, but the desire to improve is there,” he said.

He noted that organizations are starting to embrace the idea that resilience comes down to their people—not just their tech stacks.

“If we’re going to improve our defenses against the dynamic threat landscape, it comes down to investing in our people and their technical and cognitive acumen,” Vetter noted.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.