Beginners often see cybersecurity certifications as a way to stand out to potential recruiters by proving technical skills and know-how.
However, as a former full-time IT & cybersecurity professor at Mitchell Community College who helped students optimize their resumes (and even supported pathways into US-based Fortune 500 companies), I learned that cybersecurity certifications alone don't always improve a candidate's chances of being recruited.
When speaking to hiring managers and recruiters at different companies, I noticed they all expressed a similar struggle:
“We are finding an endless number of candidates who appear qualified on paper, but not many that can actually do the job.”
This is when I fully realized that in this field….
Don’t get me wrong, anyone who worked hard to get a cybersecurity certification or degree should be proud of their accomplishment, especially if they gained valuable knowledge or experiences from it.
Certain credentials and degrees, if respected by organizations and recruiters, can even help applications get noticed and candidates negotiate higher salaries.
Search the web for cybersecurity jobs and you’ll find many companies listing the same degree and certification requirements. These certifications generally use widely adopted multiple-choice exams to assess a candidate's knowledge against hiring standards.
While this has been the case for a long time, a piece of paper or digital badge alone (especially one earned via a multiple choice exam) does not mean you have the skills to be successful in the job.
When I taught students, I'd often tell them that “skills are more important than degrees and certifications.”
This may have sounded odd coming from a professor who was helping students acquire their degrees, but I stressed this point because focusing on skills development ensures long-term career success. It keeps beginners and advanced professionals ready for the ever-evolving cyber landscape.
I continue to emphasize a skills-first approach today because I see many aspiring cybersecurity professionals rush through a degree or certification, and unintentionally neglect essential learning in the name of speed and immediate gratification.
Whenever you're considering taking a degree or certification to improve employability (or if you’re a recruiter, using them to help assess candidates), pay careful attention to:
The training provided
The examination process
Most IT & cybersecurity certifications are in the multiple-choice test format, which doesn’t prepare you for real-world scenarios and problem-solving. For example, as a Penetration Tester on an engagement, you won’t normally be provided with a series of potentially correct answers to check.
You’re expected to apply information security concepts and use tools to uncover vulnerabilities in IT environments or applications. You must possess a vast array of technical knowledge and understand how it all fits together to unpack a (sometimes massive) corporate network and identify flaws and misconfigurations above and beyond what scanning tools can find. You must then provide evidence of findings in a professionally written and organized report, framing your findings and recommendations in a way that conveys the business risk of leaving them unremediated.
As a Security Operations Center analyst or Incident Responder, when a malicious hacker finds their way into a network you'll need to act quickly to cut off their access, determine how they got in, and gather evidence. Then you'll start building more secure systems and processes, conduct security awareness training, and more.
While you’ll have multiple choices to make, these jobs don’t operate in a multiple-choice test format. In fact, very few disciplines do.
Does this mean that multiple choice exams are bad?
Not necessarily. But I personally believe multiple choice exams are good for becoming familiar with the basic language and terminology used in the industry, not so much for building a demonstrable, advanced skill set that impresses recruiters and deems a candidate as “job-ready.”
If you really want to learn how to become a penetration tester and be better prepared for real-world cybersecurity jobs, I suggest investing time and energy into practical certifications.
Practical cybersecurity certifications have a hands-on component alongside theoretical training that requires students to apply learned concepts in a simulated or live (often virtualized) lab environment.
This can make them more intimidating when compared to multiple-choice-based certifications, but the valuable experience you gain is worth the effort.
Candidates are usually better prepared for the real world because the training and assessment process closely matches real-world environments. The skills acquired also transfer to actual scenarios that will surface on the job.
And as we’ve seen from interviews with beginners who’ve entered the industry, practical cybersecurity certifications are favored by recruiters for the reasons mentioned above.
It’s hard to match formal qualifications and CVs to on-the-job performance. That’s why I pay attention to a candidate’s attitude and extracurricular activities.
One example is HTB activity on a resume when hiring juniors. It shows that a candidate is deeply motivated and invested in developing their skills.
Jeremy Chisamore, Senior Penetration Tester, Oracle
With a practical exam, you’ll be provided with an engagement letter similar to one that you would receive from a real client on a real pentest.
You will also be provided with a means of remotely accessing the virtual lab exam environment to begin the testing from wherever you choose. Once you start the exam, you will be testing every target that is in-scope.
As you go, ideally you would document and submit your findings in a report at the end of the exam. This kind of exam truly tests what you are technically capable of, as well as your ability to clearly and professionally articulate your findings.
(Summary page of the penetration testing rules of engagement template in our CPTS certification. Even if students hack everything successfully, they'll still need to professionally fill in the rest of this template to pass the exam)
Our Certified Penetration Testing Specialist (CPTS) certification is a great example because candidates:
Are required to perform actual web, external, and internal penetration testing activities against a real-world Active Directory network hosted in HTB’s infrastructure and accessible via VPN (using Pwnbox or their own local VM).
Will have to think outside the box and chain multiple vulnerabilities to achieve exam objectives. Like real-world engagements, creativity, and in-depth knowledge will be necessary for success.
Must be able to go beyond exploiting known CVEs and dig into misconfigurations and abuse built-in functionality to move laterally and vertically.
Will submit a commercial grade report at the end of the examination period (using a provided report template) nearly identical to the level of detail required when preparing a penetration test report for an actual customer.
If one can pass the exam and obtain this kind of certification, an employer will know that at least the candidate has some relevant hands-on experience within a lab environment. In other words, it gives the employer more to work with than terminology and definitions.
Consider the kind of talking points a practical certification can give you in an interview and assessment as well. You'll be able to speak authoritatively from a place of experience, rather than just reciting a definition.
This is vastly different from having passed a multiple-choice exam. I’ve personally passed several recognized multiple-choice-based IT & cybersecurity certifications and never felt like they actually prepared me for the job.
They helped my resume get through Applicant Tracking Systems, but didn’t really help me build applicable skills.
Imagine if an interviewer asked you a question or presented a scenario like this:
Explain how you would enumerate a target host on a network.
If you only ever took theoretical certifications with multiple-choice exams, your answer would likely be limited to a definition of enumeration and an explanation of what it means:
Enumeration is about gathering information about a target. There are different types of enumeration like Passive & Active enumeration. One is focused on gathering information without direct interaction with a target, while the other is focused on actively interrogating a target.
While this could be a sound answer from a textbook, it may not actually help much on the job or convey expertise to an interviewer.
If you had practiced the concepts while training for and taking a practical certification, you could answer from a place of experience:
“I’ve enumerated Windows & Linux machines while preparing for Hack The Box’s Certified Penetration Testing Specialist exam. When practicing I would normally start by running a few Nmap scans to see if I could receive any information regarding any open ports and services in use on the target systems.
I may try to browse the target’s IP using a browser to see if it’s acting as a web server. If I can find any software version numbers, I’d then look up any public vulnerabilities discovered and shared online.”
The second answer, while it isn't perfect, gives the interviewer more to work with and starts to show the candidate has some applicable hands-on experience.
As a candidate, you could even screen share and demonstrate your enumeration skills on an HTB Starting Point target, a retired box, or a target machine used within an HTB Academy module.
With any IT/cybersecurity certification, it is not just the exam experience itself that is important but also the preparation for the exam. Cybersecurity job interview preparation should be a hands-on experience throughout, especially if the exam in question is practical.
At Hack The Box, we intentionally build hands-on training experiences alongside detailed theoretical material to prepare students for skills-building exam experiences based on realistic cyber environments.
When we designed the Bug Bounty Hunter and Penetration Tester job role paths we obsessed (and still obsess) over making sure the majority of the modules have a hands-on focus so students have to apply the concepts that are presented and demonstrated throughout training and preparation.
We ensure the modules are hands-on by creating realistic challenge machines & labs with accompanying challenge questions that students must solve while completing modules.
This is how we make sure students are actually learning, by making it a requirement to complete challenges before they can officially finish modules. It’s also one way we stand behind the quality of our work. We require each student to complete 100% of every module in the paths before unlocking the ability to sit for the associated practical exam.
Our focus is on helping our students get better by developing job-ready and marketable skills that give them (and the organizations they work for) a competitive advantage in the field.
One more thing before we come to the end of this blog post. There's a popular debate about the value of cybersecurity certifications vs. degrees. Since we're talking about practical cybersecurity certifications I would like to weigh in.
First of all, it doesn’t have to be a battle. Degrees can absolutely provide a more holistic learning experience than certifications alone. Think about writing, communication, and presentation skills for becoming a professional.
With a degree, you may take some classes that seem completely useless, but most of them are going to be beneficial as long as you focus, avoid cheating, and attend an institution that prioritizes the success of its students.
Before you even decide on a school, you should first:
Realize the degree is just a piece of paper or digital badge; reason from there.
Meet some of the professors, check reviews of the school, and research the IT & cybersecurity-related courses.
If you are going in person, visit the labs. If there are no lab environments, that's not the right school to prepare students for the industry.
Shop around for high-quality education. If you aren’t getting one, then demand it. Everyone deserves a high-quality education.
Colleges normally have complete control over the courses and curriculum they teach, so they can map degree programs in such a way that students prepare for and earn certifications on the way to a degree.
So it doesn’t have to be degrees vs. certifications, it can be both.
Now there is the subject of cost. In some countries like the US, colleges can be quite expensive (averaging between $7,000 - $10,000 yearly) and typically require loans and financial aid to attend.
Community colleges are a more affordable option and students can graduate in 2 years rather than 4 or more.
There's also the option of not going to college at all, and instead, focusing on skill-building, certifications, and networking to get employed. (This is becoming more of a possibility as more and more organizations focus on attracting candidates with diverse educational backgrounds and practical skills.)
Whatever path you choose to take in your training, hiring, or on your journey to break into the cybersecurity field, we’re here to support you. Feel free to reach out to us or join our Discord to learn how HTB is helping individuals, governments, and organizations succeed in cybersecurity.
Author bio: Robert Theisen (LTNB0B), Training Developer, Hack The Box
Robert loves learning, but he loves to empower others even more. He never takes off his IT/infosec professional hat and never will so long as he is preparing others to succeed by mastering the various tactics, techniques, procedures, and tools at their disposal. None of his accomplishments would be possible without great mentors, friends, family, the internet, and God.
You can connect with him on LinkedIn.