What’s more important when hiring for cybersecurity roles?

When building a cybersecurity team, you likely asked yourself, “Should I focus on certifications or real-world skills?”

And since you rarely encounter entry-level candidates who can hit the ground running, naturally, you’d consider a candidate with both. But that’s not always the best option unless you have the time, money, and patience. One of these factors usually has a priority over the other.

skills certifications

Your starting point or a nice-to-have?

ISACA’s State of Cybersecurity 2024 Report found that 73% of participants decided that prior cybersecurity experience is important for candidates to qualify.

Before you jump to the same conclusion, first decide whether the position requires experience or the required skills can be taught. Many companies request entry or junior-level candidates to have unrealistic amounts of experience, which only serves to decrease the talent pool available to them.

Once you’ve figured that out, question whether a certification is mandatory for that candidate to do the job. That’s because certifications are non-negotiable in heavily regulated industries, like government contracting.

For instance, government contracts often require workers to obtain and maintain certifications that are DoD 8570 compliant. In those cases, certifications are less about skill and more about meeting contractual requirements.

But if that doesn’t apply to you, contemplate these secondary considerations:

Which is better, theory or practical knowledge?

When you hire someone with proven skills, that person can start adding value immediately. But that doesn’t negate the value that academic knowledge brings to the table.

Continuously updated certifications ensure the holder’s knowledge stays current. They bring awareness of new security concepts, mitigation strategies, and evolving technologies that more experienced candidates might not be familiar with.

Do I need to worry about training?

Unskilled, certified candidates need to become familiar with their role, forcing you to spend resources on training.

Training includes either corporate boot camps or working alongside experienced employees who must take time away from their normal duties to accommodate the trainee. This could mean several weeks to months of investment to get that candidate up to speed.

For example, assume it takes a mid-to-senior-level professional roughly 240 hours to train a cybersecurity analyst on a part-time basis. According to Zippia, the median salary of a cybersecurity analyst in the US is about $42.50/hour. That means your company is allocating $10,200 (240 hours x $42.50) of that professional’s time toward training.

On the other hand, skilled employees only require minimal training to get them caught up.

What about recruitment efforts?

Certifications help streamline the recruitment process. When you’re short on time and trying to fill several roles, certifications are an easy way to find candidates with the necessary foundational knowledge.

A 2024 CompTIA Workforce and Learning Trends Report indicated that about 50% of HRs value certifications as a means to ensure candidates have the requisite skills for a role.

Certifications provide an industry “stamp of approval”, giving you a sense of a candidate’s understanding of core security concepts. In a way, you let the certifying body do the heavy lifting for you.

Contracts that request certifications prevent highly skilled, uncertified candidates from applying. This causes the talent pool to shrink even further, making the recruiters’ work more difficult and possibly extending the time to hire.

What’s my risk tolerance?

After considering all the previous factors, you have to decide: “Should I pay less now and train the applicant, or pay more now and worry less later?”

Which is more important, immediate risk or upfront cost?

If risk mitigation is your priority, then skilled candidates have the hands-on experience to resolve issues faster; however, they come with a higher initial cost.

If the up-front cost is more important, hiring only certified candidates is your better choice. However, that won’t mean your total cost of employment will be cheaper; as discussed earlier, you still need to account for costs associated with training and the loss of productivity.

Conclusion

Certified candidates have a solid baseline of theoretical knowledge. Because this knowledge is standardized and easily verified, it provides peace of mind for hiring teams. Certifications also fulfill the need for regulatory compliance or an understanding of current best practices.

Skilled candidates, on the other hand, can handle real-world problems with a focus on practical outcomes. They provide immediate impact with little to no training, and as time permits, they can even mentor or train inexperienced employees. As a side benefit, they’ve accumulated skills that never expire, unlike certifications.

Ultimately, certifications provide a solid foundation, but the actual value often lies in skills. And the truth is, it’s not about picking certifications over skills or vice versa. It’s about recognizing the strengths of both and tailoring your approach to the role and the needs of your organization. Sometimes, you’ll need certifications; other times, you’ll need skills, and if you’re lucky, you’ll get a good mix of both!

download CISSP guide

Fill out the form to get your guide:

Don't miss