This preference suggests that even though current professionals followed a more traditional, vendor-specific path when gaining experience in the field (55% of current professionals entered cybersecurity from IT backgrounds), they see greater value in pursuing broader professional qualifications for people starting their careers now. This is a perspective that may be informed by their own lessons learned over the years.
Cybersecurity professionals also emphasize the importance of cloud security in recommending certifications for pursuers. This is smart, practical advice considering most IT environments are hybrids or increasingly cloud-first with multiple private and public clouds.
Pursuers Study
The Pursuers Study polled 2,034 cybersecurity professionals and cybersecurity jobseekers (pursuers) in the U.S. and Canada with the goal of advising organizations on developing effective recruitment and professional development strategies. Respondents were almost evenly divided between professionals (1,024) and pursuers (1,010).
Professionals tend to be highly educated: 73% hold a bachelor’s degree, including 40% with a master’s. Professionals with up to three years of cybersecurity experience have an average of five certifications or certificates from three organizations. In contrast, those with three to seven years of experience hold an average of nine certifications or certificates from four organizations.
Those credentials involve a wide variety of vendors and organizations, but the two vendors with the greatest reach are Cisco (39% of respondents) and Microsoft (37%). Amazon Web Services (AWS) and Google Cloud are tied for third place, at 22%, and closely followed by IBM (21%). The list also includes vendors Oracle, McAfee, Symantec and VMware, as well as organizations such as CSA (Cloud Security Alliance), ASIS International, CompTIA, ISACA and (ISC)².
Vendor-Neutral Preferred
Even though the vendor-specific credentials professionals have earned outnumber those from independent bodies, of the 200 credentials or professional designations respondents had to choose from, four of the top five they recommend for pursuers are vendor-neutral, including three from (ISC)²:
- Associate of (ISC)² (pursuing the CCSP) – (ISC)²
- Associate of (ISC)² (pursuing the CISSP) – (ISC)²
- CCSE Check Point Certified Security Expert – Check Point Software
- CCSP Certified Cloud Security Professional – (ISC)²
- CPP Associate Protection Professional – ASIS
Despite the strong showing of (ISC)² certifications and its Associate of (ISC)² designation, only 6% of professionals in the study hold a certification from the organization. This suggests that based on their own experience and observation, they see value in those certifications. Early in their careers, professionals likely were steered toward vendor-specific certificates to prove their expertise to support the systems and solutions deployed within their organizations. As the cybersecurity profession has evolved, it has largely been shaped by necessity rather than formal, standards-based education and career advancement pathways.
Recommendations to focus on vendor-neutral credentials suggest a new way of thinking for veteran professionals, with an “if they had to do it again” subtext. Further evidence is the fact that the certifications professionals are pursuing for themselves tend toward the vendor-neutral type, even though Check Point Certified Security Expert tops their list.
Cloud Gets Stronger
Professionals also expressed significant interest in cloud security skills – both for themselves and for those trying to get into the field. Cloud certifications and certificates account for one-third of the top 20 list of recommendations (bolded below) for pursuers, and appear in two of the top five slots:
Top 20 Certifications Cybersecurity Professionals Recommend for Pursuers
- Associate of (ISC)² (pursuing the CCSP, Certified Cloud Security Professional) – (ISC)²
- Associate of (ISC)² (pursuing the CISSP, Certified Information Systems Security Professional) –(ISC)²
- CCSE Check Point Certified Security Expert – Check Point Software
- CCSP Certified Cloud Security Professional – (ISC)²
- CPP Associate Protection Professional – ASIS
- Professional Cloud Security Engineer – Google Cloud
- AWS Certified Security - Specialty - AWS
- CISSP Certified Information Systems Security Professional - (ISC)²
- CCSA Check Point Certified Security Administrator - Check Point Software
- APP Certified Protection Professional - ASIS International
- Associate CSSLP Certified Secure Software Lifecycle Professional - (ISC)²
- PCI Professional Certified Investigator - ASIS
- CCSK Certificate of Cloud Security Knowledge – Cloud Security Alliance
- AWS Certified DevOps Engineer- Professional - AWS
- CCA-N Citrix Certified Associate - Networking - CITRIX
- CCIE Security - CISCO
- Associate SSCP Systems Security Certified Practitioner - (ISC)²
- CCAK Certificate of Cloud Auditing Knowledge – Cloud Security Alliance
- AWS Certified Cloud Practitioner – AWS
- Associate of (ISC)² (pursuing the HCISPP HealthCare Information Security and Privacy Practitioner) - (ISC)²
The cloud focus is a reflection on the reality of today’s IT environments. Nearly all organizations (96%) currently use the cloud, mostly in a combination of public and private clouds. Therefore, the need to acquire and prove cloud security skills is inevitable for anyone entering the industry. In planning their careers, it makes sense for newcomers to pursue cloud-related skills, especially security.
The cloud emphasis reflects earlier (ISC)² research. In the 2020 Cybersecurity Workforce Study, professionals across all roles, age brackets and organization sizes cited cloud security as a priority skill to acquire.
Conclusion
Professionals’ certification recommendations provide valuable clues for organizations in shaping their recruitment programs and preparing job descriptions. It’s clear that professionals are drawing on lessons learned early in their careers to provide meaningful advice to pursuers.
Employers would do well to heed that advice in building their cybersecurity teams, and that includes deciding what certifications to prioritize. Just as importantly, employers should recognize that new recruits are likely to hold no certifications and will need to earn them while on the job. Offering them a career path that includes help with earning certifications benefits both employee and employer, so that together they can build the best cybersecurity team possible.