Why are there so many Cybersecurity certifications?
The rise of the Cybersecurity Certification Industrial Complex
I am going to explore the rise of what I call “the Cybersecurity Certification Industrial Complex.” The situation has gotten out of control. In this article, I will explain it and debunk some common misbeliefs about certifications along the way.
There are simply too many cybersecurity certs to take them seriously. The number of certifications has exploded in the last 10 years and, as a result, hiring managers are left confused and, worse, those new to cybersecurity are left wondering where to start. In this article, I have you covered. I will explore this issue in depth and give you clarity on where to begin and what to focus on.
Most people get this wrong: they put too much stock in cybersecurity certifications. The truth is:
Employers Don’t Really Care as Much about Cybersecurity Certifications… as you do.
Here is what you will get out of this article:
Note: you may obtain free cybersecurity mentoring at my website.
Reasons for so Many Cybersecurity Certifications
How did we get here? There are a number of reasons.
Certification Business is Good Business
There is no doubt that the cybersecurity training market has exploded. As shown in a report by Grand View Research, the market was valued at “4.53 billion in 2023 and is anticipated to grow at a CAGR of 17.4% from 2024 to 2030.”
Well, that explains in part why there are so many certifications. After all, you need something to show for all that money you are spending on training, right?
Industrial Demand and Skill Validation
The cybersecurity industry has grown at a similar rate over the last 10 years, and we should not be surprised that training and skills are not keeping up. Again, this fosters a supply and demand situation, whereby certification vendors swoop in to fill that skill gap. They provide a certification to “attest” to, or validate, the holder’s skill in that particular area.
Diverse Needs and Specializations
The cybersecurity field has a diverse set of needs and specializations, from GRC, to Cyber Threat Intel, to SOC Analyst, to Penetration Tester, to Security Engineer, to name only a few. There are 52 work roles defined in 7 categories, outlined in the NICE Framework. You can see the problem: in theory, there is room for a certification in each of these work roles. This is a big part of the problem.
Professional Development and Career Advancement
As we have covered, we have a growing field. Many in the field are looking for professional development and career advancement. That environment also fosters a demand for training and certification to show progress and to justify advancement.
The cyberseek.org site shows the size of the field (in the US only) and also predicts continued growth. The field has grown, year after year, by an increasing percentage, since they started measuring in 2010. Last year, the field grew 55%. There is no reason to think this trend will reverse, so this pressure will continue.
Psychological and Personal Professional Validation
We cannot ignore the psychological, personal, and professional validation obtained by achieving a certification. It is a big deal in one’s career, and that factor cannot go unnoticed. However, I submit that the holder and the employer perceive that value differently; we will get to that later.
Market Saturation and Over-Certification
For all these reasons, I feel the cybersecurity training market is saturated, and we are in a state of over-certification. I call this the “Certification Industrial Complex” as it seems to grow each year and feeds on itself, as certification vendors compete for more and more of that market share.
Paul Jerimy has done a great job cataloging this phenomenon in his Security Certification Roadmap.
History of Cybersecurity Certifications
It has not always been this way, with the market saturated with cybersecurity certificates. In fact, only 10 years ago there were far fewer certifications: approximately 10 serious security certifications.
So, let’s briefly cover the history of cybersecurity certifications, building upon information provided by Alpine Security and my further research.
Not all Cybersecurity Certifications Are Created Equal
Level of Expertise
Some certifications are based on the level of expertise and career experience of the candidate. For example, some certifications are for beginners, some for intermediate professionals, and some are reserved for expert cyber professionals. See the chart above from Paul Jerimy for how these are broken out.
Specialization
Some certifications are for particular specializations, like offensive security, defensive security, forensics, etc. In other cases, the certification may be tied to a field specialization, such as healthcare, manufacturing (IoT), or financial (banking) systems. In those cases, professionals in those specialties seek those certifications, or perhaps someone looking to enter that specialization seeks them out to validate their skills.
Vendor-Specific
Some certifications are for a particular vendor’s product and are normally maintained by that vendor to indicate a certain proficiency with that product. These may be useful, but you need to realize that they are also used as a marketing tool by those vendors and contribute to vendor lock-in on a particular product.
Prerequisites and Experience Requirements
Some certifications require a number of years of experience; others do not. Some require another certification prior to obtaining the new one; others do not. Each certification will list the prerequisites and experience required.
Hands-On Experience
In my opinion, the most important distinction between certifications is whether there is a hands-on component or not. Some certifications will require you to use actual tools and environments to complete the tasks required to obtain the certificate. Those certifications tend to be valued more than those which do not. This is true for both holders and employers; more on that in a moment.
Exam Format and Cost
Finally, there are different formats and methods of administration for the certifications, and a varied range of cost for each. Some certifications will require a proctored exam, others will require a submitted project (paper deliverable), and others will not. Most will involve some form of multiple-choice exam of varying length. Again, your mileage will vary, but each certificate vendor will publish the administration requirements for that certification.
Employer Perspective
Value of Certifications
Although there is certainly value in obtaining certifications, for the reasons listed above, an employer may not appreciate it as much as you think. There are some reasons for this, as follows.
Quality vs. Quantity
As we have discussed, not all certificates are created equal. In particular, the certificates that do not have a hands-on component are discounted by employers.
Client Requirements
Employers have clients. Now, some clients, in particular the US Government, have requirements for certain certifications to perform certain roles. However, the importance of this is often overstated. You will often find that the job listings that do list a certain certificate often say “or similar certificate,” or “similar work experience may be substituted,” or “may be obtained within 30 days.”
Certification Diversity
Employers know there are many certificates out there, and that you may not have the one they are interested in. They will value certificates that best align with the technology stack they have or desire to have, but certificates in general are indicators of your ability to take an exam, not necessarily to perform the role.
Caution Against Excessive Certifications
Employers and recruiters caution against excessive certifications. It may be a sign that you are better at taking tests than at applying skills. Hands-on skills are more important than a long list of certifications. Besides, taking certification exams is expensive. It is best to be targeted in your approach and not overdo it.
Hands-On Skills Always Beat Certifications
Overall, while certifications are important, employers tend to value practical skills and relevant experience more highly. You should focus on obtaining certifications that align with your career goals and the specific requirements of potential employers. However, you should prioritize hands-on skills over certifications.
Recommended Path Forward
Simplicity is the Key
I recommend you keep things simple. You need a strong foundation of hands-on skills, as I have spoken about in my previous newsletters. Then, I recommend you prepare for and take one exam, the Google Cybersecurity Certification. That certification will fill in the gaps from your learning on TryHackMe and will provide other useful information, like how to prepare for an interview and job hunting skills.
Google Cybersecurity Certification
The Google Cybersecurity Certification is objectively a more comprehensive certification than other entry-level certifications, such as Security+. This is because it has hands-on components that introduce you to, or reinforce your skills in, Linux, SQL, and Python. There is also financial assistance available for those in need. They occasionally run promotions and allow enrollment for free!
Trust me when I say, as a hiring manager myself, that hands-on skills coupled with the Google Cybersecurity Certification will make you stand out from the crowd and give you more confidence in answering a wider range of questions in the interview, so you land the job! That is what you are here for, right?
I will be covering the Google Cybersecurity Certification in an upcoming article, so I will save most of that content for that article. However, the topics covered by the Google Cybersecurity Certification include:
Security+ Pending
One of the most popular certifications is the Security+, although it is one of the least technical certifications out there. Even though it is popular, to put things in perspective, according to cyberseek.org only 15% of open job listings ask for Security+. So, the popularity of this certification seems to be fading.
The US Government made Security+ popular, as part of the DoD 8570 instruction and subsequent DoD 8140 — DoD Cyber Workforce Framework (DCWF) requirements (2023) and associated DoD Joint Cyberspace Training and Certification Standards (JCT&CS). Both of these new standards are aligned to the NICE Framework.
The key thing to know about these new frameworks is the ability and “flexibility” they allow in obtaining the Knowledge, Skills, and Abilities (KSAs) required for a given work role. Yes, you heard that right: the Government is moving away from strict adherence to certifications and preferring hands-on skills!
I expect the rest of the industry to follow, over the next couple years.
Now, if you still feel that Security+ is important, a good hack is to simply say on your resume “Security+ in progress,” assuming that is true, or can be true before the interview. For a certificate like Security+, simply watching some videos on YouTube will make that statement true, unfortunately.
Also, after completing the Google Cybersecurity Certification, they will give you a coupon for a 30% discount on the Security+ exam, which you should be able to pass easily, as the Security+ content is a subset of the content in the Google Cybersecurity Certification.
As a bonus, if you get both certifications using this coupon, it may be cheaper than just getting Security+.
TL;DR
In this article, we have covered:
I do hope you have enjoyed this article and learned a few things about the “cybersecurity certification industrial complex.” In any event, don’t become overwhelmed with your options: keep it simple, focus on hands-on training and one certification, the Google Cybersecurity Certificate. That will give you what you need to not only get the interview, but land the job.
Check out my blog for other topics on the cybersecurity career field. You may obtain free cybersecurity mentoring at my website.
Identity, Credential and Access Management@ PWNSentinel | Cybersecurity Threat Research
1mo
Certs are like degrees (at least at the bachelor's level). Everyone respects the initials, expects you to have the paper on the wall, then tells you "experience!" Hiring managers and ATS filters devalue all educational paths. Experience with THM (and I like hack games) or a GitHub project does not prepare a candidate for monitoring a SOAR with 100 endpoints; a cloud mesh with 2000 workloads, 100 CDNs, and remote tenants; or how to back up an attorney general's office during a cloud migration. The certs are not the problem, hiring managers are the problem. Whenever a candidate receives an email saying "we went with a better suited applicant," just check the dark web. There is always tech chatter about the vulnerabilities of most employers. The skill is on the side of the unemployed/underemployed. $5 million. That's the average cost of a ransomware event (this does not include full material impact). That is also the cost of poor hiring practices.
Technology Intern | Cybersecurity Analyst| Automation tester | NCI Student (Stamp 2) | Cybersecurity Enthusiast | Open to Internships/Part-Time Roles |
3mo
How do I redeem the 30% reduction on Security+ after finishing the Google cybersecurity course?
Senior Program Manager @ T-Rex Solutions, LLC | Certified Project Management Professional
4mo
As always, you make good points.
This is so true. You are correct that you don't want tons of certs, just 1 or 2 good ones and great hands-on experience.