Cybersecurity Certifications: Why it is important to obtain and maintain them.

If learning is the only objective, you can find most content on the internet for free (or very affordable at least). You can even purchase official certification study material. However, when you embark on a certification journey, the objective is often bigger than just learning. You either require it as part of your employment requirements, or you want to validate and/or demonstrate your skills and knowledge (to yourself, a current or future employer).

When it comes to security certifications and the value thereof, there will always be different views. This is primarily due to a lack of standardisation in the industry. Some people respect certifications, while others don’t. Both groups can make compelling arguments to support their position and we respect that. The objective of this article is not to support either viewpoint, but rather to share my opinion and experience.

Certifications remain important because the majority of job adverts require candidates to have specific certifications, in addition to university degrees and experience. Again, we can argue that skills and experience matter more, but skills and experience will be of little value if you do not get shortlisted for a job interview because you do not meet the ‘minimum’ job requirements. I am aware that there are organizations that adopt a ‘skills and experience over certification’ view, but they are in the minority.

Choosing the right certification

If you are committing to certification, you are about to invest time and money; therefore, the prospect of a return on investment must be clear.

Certifications should be selected based on what is in demand in the industry. This is important, because something only becomes in demand if the industry has accepted and adopted it, and job adverts are asking for it. For example, I have never seen a job advert asking for a Mile2 certification, but every second job advert is asking for a CompTIA Security+, CISSP, CISA, CEH, or CISM certification. Naturally, I won’t spend my time and money doing a Mile2 certification; there is no perceived return on investment for me based on my assessment. I am in no way saying that Mile2 is a poor-quality certification; I am highlighting that I have never seen a job advert listing it as a requirement for a role.

If you are unsure about where exactly you want to be in security, there are certifications that are a safe option regardless of where you eventually decide to specialize. In my opinion, the following certifications are a good idea if you are still finding your way in security: ITIL Foundation, Security+, SSCP, CISSP, and CISM. They will almost certainly benefit you, irrespective of the domain you eventually specialize in.

Are certifications truly valuable?

If you choose the right certification and commit to immersing yourself in the content, it will be valuable. Exactly how valuable will depend on how you obtain it (brain dumps vs. actual research and labs); it truly is what you make of it. I use certifications as a springboard for further learning; I study the syllabus, which then leads to additional research and learning outside of the syllabus. The certification process provides structure; it forces you to cover the body of knowledge, which will often include areas where you are not strong. Without doing certifications, we can easily focus on what we know, and the unknown unknowns will remain unknown.

In closing, to win the game of cybersecurity, you must play the game with its current rules until you reach a level where you can change the game. If you are trying to break into the cybersecurity industry or get promoted in this field, do not spend your time and energy arguing about whether certifications are important or not, how expensive they are, and so forth. Right now, most jobs require certification; therefore, it is important to the job seeker and worth investing in.

Disclaimer: I list specific certifications as examples. I am fully aware that there are many alternatives. I am sharing my opinion based on my experience. I am not considering the cost of certifications and affordability, only the perceived value, based on demand in my experience.

Christian Mbiya

Project Manager at NSC Global

1 year ago

This was insightful and very well put together, sir. Always a pleasure reading your articles!

Dwain Lewis

Helping companies maintain Confidentiality, Integrity and Availability of critical systems | Certified in Cybersecurity | CompTIA Security+

1 year ago

Great article and solid advice Grant Hughes
