Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

10:50 AM
Connect Directly

Security Certifications Highly Valued But Not Always Verified

New study shows IT leaders place the greatest value on cybersecurity certifications, but nearly half rarely confirm legitimacy of new hires' credentials.

Employers often require tech certifications to gauge the expertise of new hires. Unfortunately, many businesses fail to verify credentials before extending job offers - a dangerous move when seeking cybersecurity talent.

This finding comes from a new pool of research from IT staffing solutions provider TEKsystems. Researchers polled more than 300 IT leaders (CIOs, IT VPs, IT directors, hiring managers) and 900 IT managers to gauge the perceived value, legitimacy, and compensation impact of tech certifications.

Just 52% of IT pros always/often accurately present certifications on their resumes. Many embellish their certifications to avoid having their applications automatically filtered during the hiring process. Some "self-certify" and add credentials because they believe their work experience has given them sufficient technical knowledge for the role.

It's not hard to get away with this, either: nearly half (49%) of IT leaders rarely/never verify employees' certifications, and only 26% always/often do. Some skip the verification process to quickly secure talent in the competitive IT landscape, explains TEKsystems market research manager Jason Hayman.

"If someone checks all the boxes, they're going to have more offers," he says. "The employer has to move quickly, and taking the steps back to verify will slow the process."

For some types of certifications, failure to verify doesn't have a tremendous impact on the organization, he says. If you hire a developer who doesn't have the right expertise, you might end up being slow to market or exceed your budget.

However, the same mistake can be disastrous when recruiting security talent.

"With security in particular, it can have such a huge impact on the organization if [you] make a bad decision," Hayman explains. If a security architect comes in and builds a framework without the right expertise, your business could be making news headlines as the latest breach.

Cybersecurity certifications are most valuable, 45% of survey respondents say. Security far outranks programming/development, in second place with 22%, as well as project management (21%); software engineering (10%); data analytics (7%); and cloud (7%).

Some security credentials are valued more than others. TEK systems found the most in-demand InfoSec certifications include Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Comp TIA Security+, GIAC Security Essentials (GSEC), and Certified Information Security Manager (CISM).

In order to hire the right talent, it's essential for IT leaders to brainstorm the specific skills they need and means of verifying whether employees have them.

"Every organization wants to get what they pay for when it comes to hiring talent," says Hayman. "A certification might prove knowledge, but it doesn't necessarily prove competency."

It doesn't make sense to demand certifications for the sake of it. IT leaders should consider the responsibilities of each role, and the requirements of each certificate, to determine whether the two align.

They should also be more diligent about screening candidates to ensure their skills meet business requirements. This means going beyond the traditional job interview to test potential hires and check references from their superiors and colleagues.

Respondents agree employers should pay for these certifications, a trend Hayman believes is on the uptick as competition for talent increases. Businesses will need to find ways to differentiate themselves to become more attractive to a small pool of skilled employees, and they can use education to appeal to IT pros.

This could potentially inspire more tech employees to enter the security field. "IT pros really value the long-term career growth that certifications provide," says Hayman. He encourages businesses to offer these educational opportunities to current employees and potential candidates to retain and recruit talent.

Related Content

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/14/2016 | 5:03:50 PM
IT Recruiting
With technology continuing to evolve, IT security professionals must ensure that their skill set remains comprehensive and able to meet challenges as they arise. CIOs and IT managers must develop strategies that appropriately consider both the internal importance of particular roles and the availability of external talent when it comes to cybersecurity.

Than Nguyen

Houston IT recruiters
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Latest Comment: Exactly
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-21
Inappropriate implementation in permissions in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to spoof the contents of a permission dialog via a crafted HTML page.
PUBLISHED: 2020-09-21
Inappropriate implementation in Omnibox in Google Chrome on iOS prior to 85.0.4183.83 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
PUBLISHED: 2020-09-21
Insufficient policy enforcement in media in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
PUBLISHED: 2020-09-21
Insufficient validation of untrusted input in command line handling in Google Chrome on Windows prior to 85.0.4183.83 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
PUBLISHED: 2020-09-21
Insufficient policy enforcement in intent handling in Google Chrome on Android prior to 85.0.4183.83 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.