Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

9/13/2016
10:50 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Security Certifications Highly Valued But Not Always Verified

New study shows IT leaders place the greatest value on cybersecurity certifications, but nearly half rarely confirm legitimacy of new hires' credentials.

Employers often require tech certifications to gauge the expertise of new hires. Unfortunately, many businesses fail to verify credentials before extending job offers - a dangerous move when seeking cybersecurity talent.

This finding comes from a new pool of research from IT staffing solutions provider TEKsystems. Researchers polled more than 300 IT leaders (CIOs, IT VPs, IT directors, hiring managers) and 900 IT managers to gauge the perceived value, legitimacy, and compensation impact of tech certifications.

Just 52% of IT pros always/often accurately present certifications on their resumes. Many embellish their certifications to avoid having their applications automatically filtered during the hiring process. Some "self-certify" and add credentials because they believe their work experience has given them sufficient technical knowledge for the role.

It's not hard to get away with this, either: nearly half (49%) of IT leaders rarely/never verify employees' certifications, and only 26% always/often do. Some skip the verification process to quickly secure talent in the competitive IT landscape, explains TEKsystems market research manager Jason Hayman.

"If someone checks all the boxes, they're going to have more offers," he says. "The employer has to move quickly, and taking the steps back to verify will slow the process."

For some types of certifications, failure to verify doesn't have a tremendous impact on the organization, he says. If you hire a developer who doesn't have the right expertise, you might end up being slow to market or exceed your budget.

However, the same mistake can be disastrous when recruiting security talent.

"With security in particular, it can have such a huge impact on the organization if [you] make a bad decision," Hayman explains. If a security architect comes in and builds a framework without the right expertise, your business could be making news headlines as the latest breach.

Cybersecurity certifications are most valuable, 45% of survey respondents say. Security far outranks programming/development, in second place with 22%, as well as project management (21%); software engineering (10%); data analytics (7%); and cloud (7%).

Some security credentials are valued more than others. TEK systems found the most in-demand InfoSec certifications include Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Comp TIA Security+, GIAC Security Essentials (GSEC), and Certified Information Security Manager (CISM).

In order to hire the right talent, it's essential for IT leaders to brainstorm the specific skills they need and means of verifying whether employees have them.

"Every organization wants to get what they pay for when it comes to hiring talent," says Hayman. "A certification might prove knowledge, but it doesn't necessarily prove competency."

It doesn't make sense to demand certifications for the sake of it. IT leaders should consider the responsibilities of each role, and the requirements of each certificate, to determine whether the two align.

They should also be more diligent about screening candidates to ensure their skills meet business requirements. This means going beyond the traditional job interview to test potential hires and check references from their superiors and colleagues.

Respondents agree employers should pay for these certifications, a trend Hayman believes is on the uptick as competition for talent increases. Businesses will need to find ways to differentiate themselves to become more attractive to a small pool of skilled employees, and they can use education to appeal to IT pros.

This could potentially inspire more tech employees to enter the security field. "IT pros really value the long-term career growth that certifications provide," says Hayman. He encourages businesses to offer these educational opportunities to current employees and potential candidates to retain and recruit talent.

Related Content

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ThanN666
50%
50%
ThanN666,
User Rank: Apprentice
9/14/2016 | 5:03:50 PM
IT Recruiting
With technology continuing to evolve, IT security professionals must ensure that their skill set remains comprehensive and able to meet challenges as they arise. CIOs and IT managers must develop strategies that appropriately consider both the internal importance of particular roles and the availability of external talent when it comes to cybersecurity.

Than Nguyen

Houston IT recruiters
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21273
PUBLISHED: 2021-02-26
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user provided domains were not restricted to external IP addresses when calculating the key va...
CVE-2021-21274
PUBLISHED: 2021-02-26
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a malicious homeserver could redirect requests to their .well-known file to a large file. This can lead to...
CVE-2021-23345
PUBLISHED: 2021-02-26
All versions of package github.com/thecodingmachine/gotenberg are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when the src attribute of an HTML element refers to an internal system file, such as <iframe src='file:///etc/passwd'>.
CVE-2021-21297
PUBLISHED: 2021-02-26
Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default beh...
CVE-2021-21298
PUBLISHED: 2021-02-26
Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via th...