Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

10:50 AM
Connect Directly

Security Certifications Highly Valued But Not Always Verified

New study shows IT leaders place the greatest value on cybersecurity certifications, but nearly half rarely confirm legitimacy of new hires' credentials.

Employers often require tech certifications to gauge the expertise of new hires. Unfortunately, many businesses fail to verify credentials before extending job offers - a dangerous move when seeking cybersecurity talent.

This finding comes from a new pool of research from IT staffing solutions provider TEKsystems. Researchers polled more than 300 IT leaders (CIOs, IT VPs, IT directors, hiring managers) and 900 IT managers to gauge the perceived value, legitimacy, and compensation impact of tech certifications.

Just 52% of IT pros always/often accurately present certifications on their resumes. Many embellish their certifications to avoid having their applications automatically filtered during the hiring process. Some "self-certify" and add credentials because they believe their work experience has given them sufficient technical knowledge for the role.

It's not hard to get away with this, either: nearly half (49%) of IT leaders rarely/never verify employees' certifications, and only 26% always/often do. Some skip the verification process to quickly secure talent in the competitive IT landscape, explains TEKsystems market research manager Jason Hayman.

"If someone checks all the boxes, they're going to have more offers," he says. "The employer has to move quickly, and taking the steps back to verify will slow the process."

For some types of certifications, failure to verify doesn't have a tremendous impact on the organization, he says. If you hire a developer who doesn't have the right expertise, you might end up being slow to market or exceed your budget.

However, the same mistake can be disastrous when recruiting security talent.

"With security in particular, it can have such a huge impact on the organization if [you] make a bad decision," Hayman explains. If a security architect comes in and builds a framework without the right expertise, your business could be making news headlines as the latest breach.

Cybersecurity certifications are most valuable, 45% of survey respondents say. Security far outranks programming/development, in second place with 22%, as well as project management (21%); software engineering (10%); data analytics (7%); and cloud (7%).

Some security credentials are valued more than others. TEK systems found the most in-demand InfoSec certifications include Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Comp TIA Security+, GIAC Security Essentials (GSEC), and Certified Information Security Manager (CISM).

In order to hire the right talent, it's essential for IT leaders to brainstorm the specific skills they need and means of verifying whether employees have them.

"Every organization wants to get what they pay for when it comes to hiring talent," says Hayman. "A certification might prove knowledge, but it doesn't necessarily prove competency."

It doesn't make sense to demand certifications for the sake of it. IT leaders should consider the responsibilities of each role, and the requirements of each certificate, to determine whether the two align.

They should also be more diligent about screening candidates to ensure their skills meet business requirements. This means going beyond the traditional job interview to test potential hires and check references from their superiors and colleagues.

Respondents agree employers should pay for these certifications, a trend Hayman believes is on the uptick as competition for talent increases. Businesses will need to find ways to differentiate themselves to become more attractive to a small pool of skilled employees, and they can use education to appeal to IT pros.

This could potentially inspire more tech employees to enter the security field. "IT pros really value the long-term career growth that certifications provide," says Hayman. He encourages businesses to offer these educational opportunities to current employees and potential candidates to retain and recruit talent.

Related Content

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/14/2016 | 5:03:50 PM
IT Recruiting
With technology continuing to evolve, IT security professionals must ensure that their skill set remains comprehensive and able to meet challenges as they arise. CIOs and IT managers must develop strategies that appropriately consider both the internal importance of particular roles and the availability of external talent when it comes to cybersecurity.

Than Nguyen

Houston IT recruiters
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.