Illustration: Sarah Grillo/Axios
Recruiters and employers are starting to warn candidates against getting too many cybersecurity training certifications, they tell Axios.
Why it matters: Cybersecurity training certifications aim to show specialist knowledge in everything from securing corporate networks to the basics of responding to a cyber incident. And entry-level candidates may be encouraged to get as many as possible to appear more employable.
- But these trainings are expensive, and many managers see no point in having “an alphabetical soup” of references.
The big picture: The United States currently has more than 769,000 open cybersecurity jobs, with only enough applicants to fill 68% of those positions, according to the nonprofit organization CyberSeek.
- This has led to more students pursuing cybersecurity education and more mid-career professionals transitioning into the field.
Between the lines: Hiring managers prefer to hire entry-level candidates based on their experience and the initiative they’ve taken to learn more about cybersecurity, says Renee Small, recruiter at Cyber Human Capital.
- Dray Agha, head of cybersecurity at Huntress, tells Axios that when he conducts interviews, he always focuses on candidates’ underlying career goals, rather than the “alphabet soup” that’s on their resume.
- “You really only need to get certified when you specialize, and that’s something we’ve forgotten as an industry,” says Agha.
By the numbers: 64% of cyber professionals see acquiring a new certification as a way to deepen their skills, rather than a requirement for landing a job, according to a survey released in October by certification provider (ISC)².
- Yet 55% said their organizations require their employees to have a vendor-neutral cybersecurity certification, which focuses on core security topics; 38% said they needed a vendor-specific certification.
Yes, but: Many employers see security certifications as a great equalizer between candidates because they establish a base of knowledge and know-how in the field, Clar Rosso, managing director of (ISC)², tells Axios.
- (ISC)², which just established an early-career certification this year, updates its programs every three years based on conversations with employers, practitioners and other industry players, says Rosso.
- Most government contractors also require cyber candidates to have at least one certification, such as CompTIA Security+, says Small.
The plot: A path still exists for mid-career candidates who don’t have a cyber degree or don’t have the resources to pursue a certification: learn it yourself.
- Small, who also hosts the “Breaking Into Cybersecurity” podcast, recommends that those currently working in large organizations speak with their company’s security teams to see what they can do to learn the necessary skills and help out. That could help them land a job down the line, she says.
- Agha notes that many of the best candidates are those who have taught themselves how to analyze malware strains or write blogs on the various cyber topics that interest them.
- “Money is a huge factor in all of this,” says Agha. “If you can afford to do these things, then you’ll have alphabet soup, and that says something we’re not talking about.”
What's next: The Office of the National Director of Cybersecurity is reviewing feedback from the first U.S. cyber workforce strategy, which will likely address issues of cyber education and early-career hiring.