STOP ASKING FOR THE CISSP: Aligning Certification Requirements with Real Job Needs

Forgive me if I seem a little frustrated.

But in a world where cybersecurity threats are growing exponentially (in scope, frequency and sophistication) and the demand for skilled professionals is high, you’d think organizations would be prioritizing accessible entry points for new talent. However, we continue to see job descriptions for entry-level cybersecurity positions requiring advanced certifications like CISSP (Certified Information Systems Security Professional) and CISM (Certified Information Security Manager).

As the managing partner of Edmondson Group , I’m genuinely puzzled by this trend.

And looking at the growing number of posts and comments on this topic on LinkedIn , I know I am not the only one.

Why are we setting the bar so high for those at the start of their cybersecurity careers? And more importantly, what can we do as hiring managers and recruitment experts to bridge this misalignment between role requirements and realistic candidate qualifications?

In this article, I am going to attempt to unpack why this happens, why it’s problematic, and how a well-crafted hiring strategy (ideally supported by a specialized search firm) can prevent this scenario.

The Reality of CISSP and CISM: Who They’re Actually For

The CISSP and CISM certifications are widely respected in cybersecurity circles—and for good reason. These certifications validate a comprehensive understanding of information security principles, governance, and management, and they carry the weight of a professional standard. But they’re also designed for experienced professionals, typically with at least five years of hands-on experience.

Both certifications demand extensive knowledge of advanced cybersecurity concepts and the ability to apply these concepts in real-world scenarios. In short, they were never intended as entry-level qualifications, and expecting an early-career candidate to possess either one is like asking a recent law graduate to have already passed the bar in three states.

Why Are We Setting Such High Entry-Level Standards?

Understanding the?why?behind these requirements can help us address and rectify them. In our experience, here are the top reasons companies cite for requiring advanced certifications for entry-level roles:

1. Misunderstanding the Nature of Certifications Many HR departments, and even some hiring managers, don’t fully understand the scope or intended audience of certifications like CISSP and CISM. Without direct experience in cybersecurity, they may see these certifications as a "stamp of approval" that validates a candidate's skills across the board.
2. A Shortcut for Vetting Skills Hiring managers are often looking for a fast and reliable way to gauge candidate quality, and certifications seem to offer a simple solution. However, this approach can create a bottleneck, excluding otherwise-qualified individuals who may have the right skills but lack the advanced certification.
3. Automated Systems Filter Based on Keywords Applicant tracking systems (ATS) are often programmed to filter candidates by keywords, including certifications. This means that a candidate without CISSP or CISM on their resume might be screened out by software before a human even sees their application. This automated approach can be highly limiting and counterproductive.
4. Compliance and Risk Aversion Companies, particularly in regulated industries like finance or healthcare, may see these certifications as necessary to meet compliance requirements or to manage risk. But demanding them from junior employees ignores the fact that risk mitigation is usually a team effort and often more dependent on senior staff and oversight.
5. Template-Based Job Descriptions Many job descriptions are recycled or borrowed, sometimes across departments or even organizations. When a previous role required a CISSP, that qualification often carries over to new job descriptions without much scrutiny or adaptation to the role’s actual requirements.

Why This Approach Needs to Change—and Quickly

This trend of overqualification has several negative impacts, not only on the candidates but also on the companies themselves. Here’s how:

1. Shrinking the Talent Pool The cybersecurity skills shortage is a well-documented issue. By demanding advanced certifications for entry-level roles, companies are further limiting their candidate pool. Talented and eager professionals without a CISSP or CISM may be overlooked simply because they don’t yet have a credential they could obtain after gaining a few years of experience.
2. Missing Out on High-Potential Candidates Early-career professionals with the right skills and passion for cybersecurity often bring fresh perspectives and a willingness to learn. However, if they’re automatically excluded for lacking an advanced certification, companies miss out on the potential contributions of promising talent.
3. Talent Gaps in Public Sector Organizations, Especially Higher Education The public sector, including higher education institutions, is particularly affected by these high qualification requirements for entry-level roles. These organizations often have limited budgets compared to the private sector, making it difficult to compete for seasoned professionals with advanced certifications. By maintaining rigid qualification standards, public sector employers are missing out on capable, trainable individuals who could step into entry-level roles, learn on the job, and contribute meaningfully to campus or institutional cybersecurity.
4. Risk of Disillusionment in Cybersecurity When entry-level roles demand unachievable qualifications, new talent may feel unwelcome in the industry, leading to frustration, burnout, or even a career pivot before they’ve truly begun. This disillusionment only compounds the existing shortage in the cybersecurity workforce.

A Call for Realignment: How Specialized Search Firms Can Help

As search professionals, we’re committed to helping clients find the right talent in a way that makes sense for both the company and the candidates. One of the key steps in this process is aligning job descriptions and job ads (because the two modes are very different) with the realistic qualifications required for success in a given role. Let’s explore how a specialized search firm can assist in aligning expectations with the right talent.

1.?Crafting Role-Specific Job Descriptions

A well-crafted job description is more than a checklist of skills and certifications. It should accurately convey what a candidate will do in the role, the growth trajectory, and the specific skills they need. This is where we work closely with hiring managers to understand not only the technical needs but also the company culture and career progression.

We take pride in drafting job descriptions that reflect the actual demands of the role rather than relying on overused templates. This approach ensures that entry-level positions attract entry-level talent, leaving advanced requirements to mid- or senior-level roles.

2.?Writing Engaging Job Ads

Job ads differ from job descriptions in that they serve as a candidate’s first impression of a role. While the job description lays out role expectations, the job ad is an invitation, highlighting the opportunity and growth potential. We help our clients write job ads that resonate with the kind of candidates they want to attract, focusing on passion, curiosity, and the willingness to grow rather than demanding years of experience and credentials out of reach for entry-level applicants.

3.?Prioritizing Skill-Based Assessments Over Credentials

Through our experience, we know that hands-on skills are often a better indicator of a candidate’s potential than a certification. We encourage companies to consider practical assessments to gauge cybersecurity skills, particularly for entry-level candidates. This approach can demonstrate a candidate’s technical aptitude, creative problem-solving, and adaptability without filtering out those who simply haven’t acquired an advanced certification yet.

4.?Creating Pathways for Development

We advocate for "hire for attitude, train for skill" whenever possible. When companies are open to hiring individuals who may lack one specific certification but show promise, they open the door for internal development and certification sponsorship. By investing in the professional growth of their employees, companies build loyalty and retain talent in the long run.

5.?Leveraging Frameworks

The National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework offers guidelines on roles, skill levels, and expected competencies for cybersecurity positions. Utilizing this or similar frameworks can help organizations standardize roles and make more accurate hiring decisions, especially when it comes to aligning certifications and experience with the correct role level.

Moving Forward: The Importance of Strategic Hiring

Requiring CISSP or CISM for entry-level positions is often more a symptom of a hiring strategy that’s out of sync than a deliberate decision. Working with a specialized search firm can help companies avoid these pitfalls by creating a hiring process that is clear, aligned, and ultimately more effective.

By tailoring job descriptions and job ads to attract the right level of talent, focusing on practical skills over certifications, and creating pathways for professional growth, organizations can build a cybersecurity team that is competent, committed, and motivated.

Cybersecurity is one of the most critical fields of our time, but we need to create entry points for talent—not walls. If you’re struggling to find the right candidates for your cybersecurity roles or unsure how to best structure your hiring process, reach out to a specialized search firm. We’re here to help make sure you find the talent that matches both your needs and theirs, creating a win-win solution for everyone involved.

Let’s stop setting unrealistic standards and start building a more inclusive, effective cybersecurity workforce—one thoughtful hire at a time.