Feeling outnumbered in the cybersecurity war, with evolving threats and attacks looming larger than the workforce you have to combat them?
It’s totally understandable to feel that way, given the dearth of available cybersecurity workers. The number of unfilled cybersecurity roles across the globe has soared from 1 million in 2013 to a whopping 3.5 million in 2021, according to a report from Cybersecurity Ventures. And that level of shortage is expected to continue through 2025.
“Cybersecurity professionals are very much in demand right now and there is a clear shortage of them. One avenue of getting more of them is through certifications,” Dhaval Parekh, director of information for cybersecurity company Zscaler, told Built In.
5 Popular Cybersecurity Certifications
- Certified Ethical Hacker (CEH)
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)
- Certified Information Systems Security Professional (CISSP)
- CompTIA Security+
To address their cybersecurity needs, employers typically hire seasoned cybersecurity professionals and recent college and bootcamp graduates for entry-level roles. And while cybersecurity certifications have been around for decades to help existing cybersecurity professionals advance in their careers, new certifications are emerging that target a much larger pool of entry-level workers: people who want to break into cybersecurity but can’t afford college or expensive bootcamp programs.
Cybersecurity trade group and certification program (ISC)2, for example, created a free entry-level program earlier this year to train up to 1 million people on the fundamentals of cybersecurity to prepare them for an entry-level position.
October is Cybersecurity Awareness Month and it’s a good time for you to not only help train your workforce on good cybersecurity practices, but also educate yourself on how cybersecurity certifications can help you expand your cybersecurity team.
Why Cybersecurity Certifications Make a Difference
“Cybersecurity certifications allow us to understand that this particular candidate is up to date in all the recent security trends because the threat landscape is constantly changing,” Parekh said.
Cybersecurity certifications account for approximately 5 to 15 percent of the weight Parekh gives to the decision of whether to hire a candidate.
And if a job candidate is making a career transition from a totally different field, such as pastry chef or account manager, the cybersecurity certifications are given greater weight, he added, noting that the certifications are a sign the candidate is interested in, and willing to learn about, cybersecurity tools, techniques, procedures and concepts.
Cybersecurity certifications also serve as tools to develop entry-level to experienced employees, Harpreet Sidhu, global managed security services lead at Accenture Security, told Built In.
“You continuously need to develop talent at both the entry level and also experienced higher level to give folks a good career progression,” Sidhu said.
When Cybersecurity Certifications Matter Most
Knowing that cybersecurity certifications matter to employers is only half the picture. Employers also need to know when a certification should be decisive in a hiring decision, and under what circumstances.
IT Professionals Transitioning Into Cybersecurity Roles
“Historically, the majority of people who move into cybersecurity come from IT,” said Clar Rosso, CEO of cybersecurity trade group and certification training organization (ISC)2.
Indeed, 47 percent of the 4,753 survey participants in (ISC)2’s 2021 Workforce Study said they started in IT and moved into cybersecurity.
Network administrators and other staff who oversee an organization’s infrastructure, and who hold a cybersecurity certification, would likely be of particular interest to employers, said Dermot Williams, senior director of engineering at cybersecurity firm BeyondTrust.
Hiring a former network administrator or infrastructure professional who wants to transition into cybersecurity brings on board someone who already knows how to keep the organization’s IT operations running, and who has added, through the certification, a deeper knowledge of how to keep those operations secure.
Existing Employees Jumping Into Cybersecurity Positions
Employers can score a double win in offering to cover some or all of the cybersecurity certification costs of employees interested in transitioning to a different role. It not only offers employees career development opportunities but also potentially addresses vacant cybersecurity positions at the company.
For Sidhu, upskilling an employee with cybersecurity certifications has paid off.
One of his employees, a client visit program lead for Accenture’s Advanced Technology Center in India, worked in a non-technical area managing customer visits to the center. In attending many of these visits, she would hear about customers’ cybersecurity concerns and try to understand where these concerns were coming from and what they were trying to protect.
“She reached out to ask for cybersecurity coaching and also certifications she should take,” Sidhu recalled.
The employee took CompTIA’s entry-level Security+ certification program and later (ISC)2’s CISSP program, which is designed for experienced cybersecurity professionals to advance their cyber careers. She’s now a lead for security business solutions on Sidhu’s team and helping to create solutions for Accenture’s clients, a role she has held for over five years now, Sidhu said.
Newbies Joining Your Cybersecurity Workforce
Consider augmenting your existing cybersecurity workforce by bringing in entry-level workers who have undergone a cybersecurity certification program.
This not only gets tasks like alert and event monitoring, incident response, user awareness training, and developing and producing reports covered by these cybersecurity newbies, but it also frees up your more senior cybersecurity workers to focus on more advanced responsibilities like data security and risk assessment.
Top 5 In-Demand Cybersecurity Certifications
Knowing when a job candidate needs a cybersecurity certification is only part of the task; employers also need to identify which certification the candidate should hold.
The trouble is that cybersecurity certifications have no set parameters. Ideally, employers should look for job candidates with certifications that involve rigorous coursework and testing, require holders to stay current through recertification training, and bind holders to a code of ethics, said Rosso, of (ISC)2.
More specifically, depending on your organization’s cybersecurity needs, you’ll likely find your needs addressed by one of these popular cybersecurity certifications.
Certified Information Systems Security Professional (CISSP)
This certification is geared toward experienced cybersecurity professionals and covers the breadth of the field and its core elements, from network security to risk management to security testing and operations.
CISSP is a rigorous program: candidates must have at least five years of cybersecurity work experience by the time they complete the certification.
Employers often ask for this certification in their cybersecurity job postings. While that makes sense for experienced professionals, companies also seek it from entry-level candidates, said Rosso, whose organization, (ISC)2, issues the CISSP. She noted that the five-year experience requirement is one that entry-level workers, by definition, can’t meet.
“They’re asking for people to be overqualified for these positions, which makes it hard to hire people,” Rosso added.
Certified Information Systems Auditor (CISA)
The CISA certification, issued by IT industry trade group and certification organization the Information Systems Audit and Control Association (ISACA), is aimed at junior and mid-level IT auditors, cybersecurity professionals, internal auditors and project managers.
In order to receive this certification, a job candidate must have five years of information system auditing, control, assurance or security work experience.
Someone with a CISA certification audits and assesses your IT infrastructure, so it’s not necessarily the person who will help create your organization’s cybersecurity strategy. They are more likely to be assessing the quality of the systems you already have in place, Rosso said.
Certified Ethical Hacker (CEH)
CEH certifications, administered by e-commerce and cybersecurity certification trade group International Council of E-Commerce Consultants (EC-Council) and various Authorized Training Centers (ATC), cover hacking tools and methodologies used by cyber attackers so information security professionals can lawfully hack into systems to find their vulnerabilities.
Ethical hackers, also known as white hats, then share their findings with the organization that owns the system (or, for a flaw in a product, with the vendor that developed the software) so the vulnerabilities and bugs can be fixed.
CEH has a code of ethics that requires certificate holders to keep confidential any information gained in the course of hacking a company’s system. This certification may ease the concerns of the employer’s customers when the CEH-certified employee shows up at the client’s site ready to test their system. The certification is not a substitute for written authorization and an agreed scope for each engagement, however; those are what make the hacking lawful.
Certified Information Security Manager (CISM)
The CISM certification is focused on preparing experienced cybersecurity professionals to develop and manage an enterprise information security program, handle incident and risk management, and demonstrate expertise in information security governance.
The CISM certification, issued by ISACA, requires holders to have at least three years of information security management work experience.
“CISM is really focused on the management side of cybersecurity and doesn’t require the technical depth and breadth that a CISSP certification does,” Rosso said.
CompTIA Security+
A Security+ certification is targeted toward tech professionals looking to land an entry-level cybersecurity position. The certification, issued by CompTIA, covers threats, attacks and vulnerabilities, along with operations and incident response and governance, risk and compliance.
Security+ certifications are among the most ubiquitous in the marketplace, Rosso said, noting that they serve as a viable way to increase the pool of cybersecurity professionals because they are often a more affordable route than attending college or a boot camp.
Find a Balance That Works for You and the Job Candidate
As much as employers may want to see cybersecurity certifications for those they hire onto their security teams, they are at a disadvantage when it comes to making such demands.
“Where some organizations in the past have been very demanding that they have to have a certification for a particular position, they are now willing to be more flexible,” said Thomas Vick, regional director at Robert Half Technology, adding that has led to creative solutions. “They still value certifications and it’s on their wish list, but they are having to be a lot more flexible.”
For example, consider striking an agreement with a candidate that you will cover the cost of their cybersecurity certification program once they are hired and that they will complete their training within a specified timeframe, he suggested.