There is a debate among cybersecurity professionals about "certification (cert) stacking." Many people are impressed by someone with a fat stack of certs, while some think "cert collection is a scourge on our industry."
This article will discuss the different viewpoints on cert stacking. What opinions do I think are valid concerns? What opinions do I think are rooted in jealousy and envy? What are the pros and cons of having a lot of certifications? Why do people cert stack? Why do cert haters exist? And much more. As someone with 12 certifications (and working on more), I can definitely be seen as a "cert stacker" by many. I will do my best to defend my position as a cert stacker and explain why it makes sense for my career. Hopefully, I can change cert hater opinions or, at the very least, highlight the cert stacker's (my) point of view and rationale behind wanting to collect a fat stack of certifications.
Summary
Acknowledging Criticisms: I recognize that some view certification stacking as merely theoretical knowledge without practical applicability. Critiques often focus on certifications that rely heavily on multiple-choice questions and accuse them of lacking real-world relevance. I also recognize the perception of cybersecurity certifications being "cash grabs" by the certifying organizations. These are very valid concerns.
Defending Certifications:
Job Market Demand: Employers frequently list multiple certifications in their job postings, making a broad certification portfolio almost a necessity for meeting various job requirements. This trend alone motivates many, including myself, to continually seek new certifications to match the diverse expectations of different employers.
Skill Verification and Professional Growth: Certifications provide a structured way to verify skills and competence. Beyond simply proving technical abilities, they demonstrate a commitment to continuous learning in a rapidly evolving field. Each certification I pursue is an opportunity to deepen my expertise and adapt to new challenges within the cybersecurity landscape.
Personal and Professional Recognition: Achieving and maintaining a wide array of certifications boosts my professional profile and visibility within the cybersecurity community. This not only helps in building a robust social network but also significantly enhances my job prospects and credibility. Each new certification is not just a personal accomplishment but a step towards establishing a distinguished career marked by lifelong learning and dedication to the field.
Challenging Critics:
Economic and Envy Factors: Certifications can be expensive, and not everyone can afford them, which may lead to envy from those who can't invest in multiple certifications. Additionally, ongoing maintenance fees may be perceived as financially burdensome, fostering resentment towards certifying organizations and possibly certification holders.
Misconceptions About Skill Validation: Some critics argue that certifications only prove theoretical knowledge ("book smart") and don't reflect practical skills. Moreover, older cybersecurity professionals often argue that certifications weren't necessary in the past, underestimating the evolving job market that now frequently requires these qualifications.
Cultural and Generational Resistance: A segment of critics might be unable to pass certification exams or unwilling to commit the time, using their stance as a way to rationalize their own shortcomings or laziness. Others may fear being overshadowed by the new generation of certified professionals, leading to gatekeeping behaviors that resist acknowledging the value and necessity of modern certification standards.
Conclusion: Despite some opposition, I wholeheartedly believe in the value of certifications for enhancing a cybersecurity career. I will continue to advocate for and pursue further certifications as part of my commitment to personal and professional growth.
Valid Concerns
I want to start by acknowledging the valid points of view of people who don't agree with me (and other cert stackers). To some, a stack of certifications comes off as someone who is only "book smart" and has no practical skill and experience in the real world. This is a valid argument because no certification is 100% practical, and no certification emulates the real world 100% either. Especially certifications that are all or mostly all multiple-choice questions. The common critique of these certifications is "they are rote memorization" and don't provide much real-world value. While most of these types of certifications involve extensive term and definition memorization, many of the questions for these exams are scenarios that may show up in the real world. These certifications may not be 100% practical in the real world, but they still provide a baseline knowledge of information technology (IT) and cybersecurity fundamentals. The certifications that I have that fall under this category are CISSP, PenTest+, CySA+, CEH, CCNA, Cloud+, Linux+, Security+, and Network+. The other type of certifications that are much more respected are those that have few to no multiple-choice questions and can only be obtained by doing hands-on activities in a virtual lab environment that aims to emulate a real-world network. Furthermore, many of these types of certifications require a professionally written report on the lab in order to successfully pass the certification exam. The certifications that I have that fall under this category are OSCP, OSWP, and eJPT. CompTIA certifications are mostly multiple choice, but they all have "performance-based" questions that are not multiple choice and require some sort of exercise. Basically, it's almost impossible to "guess" your way through these questions. Performing badly on the performance-based questions significantly reduces your chance of passing the overall exam. 
Even though I would classify the eJPT as a "hands-on certification," it still has multiple-choice and fill-in-the-blank questions. However, you can only get the correct answers by doing hands-on hacking. Furthermore, it doesn't require a report, making it less practical than the ones that do. I have many "fundamental" and "definition-based" certifications under my belt, and for the past year or so, I've been seeking to obtain more "practical, hands-on" certifications that require a professionally written report. I believe that these are the best measures of real-world skills outside of real-world experience itself. While I can understand why someone might say that a person without any practical certifications (such as CompTIA, ISC2, EC-Council certs) is only "book smart," I disagree with the notion that a person who has multiple practical (non-multiple-choice) certifications (such as OffSec, HTB, and TCM Security certs) lacks real-world skills and is only "book smart." Another "Valid Point" I want to address is certification organizations profiting from expensive training and credentials. While I understand that certifications are expensive and not everyone can afford them, I don't believe certification organizations are predatory. Although I can understand why some people feel that way. Furthermore, the return on investment (ROI) for a certification, even the expensive ones, is very high. This means that I believe most certifications are worth the cost in both time and money. I argue that colleges and universities are more predatory than certification organizations. College degrees are much more expensive, offer less quality training, are not as practical, and have a much lower ROI. This comes from someone with a cybersecurity bachelor's (BS) degree and is actively pursuing a cybersecurity master's (MS) degree. While I do think college has some value, I don't think it's the best value. But this blog article is about certifications, so I digress. 
For my full opinion on college degrees, read my article "Is a Cybersecurity Bachelor's Degree Worth It?" and don't get me started with cybersecurity bootcamps... (spoiler alert: I think they offer the least value out of all training options. Again, you can read my full opinion in my article "Are Cybersecurity Bootcamps Worth It?")
Why do people cert stack?
I can't speak for every cert stacker in our industry, but I can certainly speak for myself. Let me explain why I (Kyser Clark) like stacking certs.
1. Employers are asking for a stack of certifications in most job postings.
Almost every cybersecurity job posting lists at least one certification, and many list five or more certifications. Even though I have 12 certifications under my belt, it's not uncommon for me to see a job description where I have 2 out of the 7 certifications they are looking for in a job candidate. Employers will seek a certain set of certs, while another employer will seek a candidate with a different set of certs. Even for the same type of job, with the same exact job title. This alone is reason enough to collect as many certifications as you have time and money for.
2. Outside of real-world experience, I think certifications are the best way to prove skill competency.
Who would you trust more? The person who said, "Yeah I know XYZ skill. I watched a ton of YouTube videos, and I practiced in my home lab". Or the person who passed a certification exam that requires XYZ skill to pass? The point I'm trying to make is that you can't be certain that the self-taught person actually has a home lab. Did they practice for 5 minutes? Or did they practice for 200 hours? Most certifications (especially the hands-on type I discussed earlier) require 100+ hours of training. A person who doesn't know their stuff simply can't pass the certification exam. It's next to impossible to fumble your way through and accidentally pass certification exams. Granted, most jobs in our field require a technical interview, and candidates will prove themselves or get exposed in that technical interview. Still, it's nice to gauge the person's skills before they get into the technical interview. In my opinion, the easiest and fastest way to do that is through certifications.
3. Every certification is different
While some certifications may have many similarities, no two are exactly the same. That's why there are so many options to choose from, and that's why employers keep asking for the alphabet soup (stacks of certifications). Each one has a different focus area. With employers expecting job candidates to know everything about everything these days, having a wide variety of certifications is a great way to learn the breadth (or depth) of the cybersecurity industry.
4. Cert stacking is how I prove that I'm a lifelong learner
I have never heard anyone say that you don't have to continuously learn in the cybersecurity industry. Everyone says lifelong learning is critical to your success in this field. Why not prove that I learned something new with a new certification? As an extension to my last point, since every certification is different, each new certification proves that I learned something new.
5. I enjoy challenges
Certification exams are not easy. They generally require 100+ hours of focused study and training. It's easy to jump from topic to topic on YouTube or read random blog articles without purpose. It's a lot harder to study the same thing every day for multiple months straight. Personally, I learn a lot more if I know I'm going to be tested on something. Plus, certifications force you to learn the things you don't like. I love cybersecurity, but there are simply some boring yet critical topics we have to learn to be successful. Lastly, the victory of passing a certification is such a rush for me. I love a hard-fought win. With general self-taught material, what am I fighting against? Nothing. With certifications, the exam is a challenge and a fight that I continuously enjoy putting myself through.
6. Earning a new certification draws a ton of attention to me
Some of my most engaging social media posts, YouTube videos, and blog articles are about sharing my success story of a new certification. With each new certification comes more attention to my profile and content, which means more connections and opportunities. It's a widely accepted fact that your social network is your net worth. It's also a widely accepted fact that most opportunities come through social networking. As they say, "It's not what you know; it's who you know." You might not care about the attention, but my self-brand is everything for me. Certifications, without a doubt, have been the number 1 driving force in building up my self-brand. Gary Vaynerchuk continuously says, "Attention is the number one asset." I'm pretty excited to read his new book, which is coming out next month. Day Trading Attention: How to Actually Build Brand and Sales in the New Social Media World.
7. A fat stack of certifications is one of the many ways I differentiate myself in the job market
There's really no way to say this without tooting my own horn too much, so I'm just going to say it. There are very few people who have as many certifications as I do. I believe this to be true because very few people can match my work ethic and dedication to the field. I'm not trying to say that I'm better than everyone else, but I like to think that my certification stack proves I care about my profession more than most in the field. Passion is typically one of the most important things hiring managers look for in employees, and there shouldn't be a person on the planet who doubts my passion for cybersecurity. My certification stack is one of the many ways I like to prove my passion in the field and that this isn't a job for me. It's a career and life purpose. I enjoy fighting cybercrime to protect the innocent.
8. Many people are impressed by a fat stack of certs.
As an extension to my last point, many people are simply impressed by the many certifications I've obtained in such a short period of time. A fat stack of certifications most definitely repels the certification haters away from me, but more people are attracted to my résumé than repelled by it. Having a long list of certifications is always a talking point in job interviews and conversations with peers. People recognize and respect my work ethic and hustle. As I said in reason number 6 of this section, certifications draw a lot of attention to me. People want to connect with me because of my hard work and dedication to my craft.
Why do some people scoff at cert stackers?
This section is my attempt to explain why some people look down on or are repelled by cert stackers. Some of these reasons cert haters have openly stated in conversations. However, some of these reasons are a hot take on how I feel these haters feel deep within themselves, even though they never explicitly stated these reasons. I've seen too many people bash certifications and cert stackers, and I've held my tongue long enough. Get ready for a JUICY conversation.
1. Certifications are expensive
This is a fair reason to dislike certifications in general and a reason (although not a good reason) to dislike the cert stacker. I understand not everyone can afford a certification. And most people can't afford several certifications before entering the field. However, if you can save up money for a few certifications, I highly recommend it. For reasons from the last section, certifications are usually worth every penny. This is just a guess, but perhaps some envy cert stackers simply because they can't afford certifications. Furthermore, many certification organizations require certified members to pay maintenance fees to "maintain" certification. This can definitely be seen as a "cash grab," and I almost let my CEH certification expire this year because I didn't feel like paying the $80 annual fee. So I get it.
2. Some people think certifications only prove you are "book smart"
I won't get into this much here since I already covered it in the first section of this article. But this is a valid point, and I completely understand where it comes from. I don't think it's right, but I get why some will feel this way.
3. Old-school cybersecurity professionals didn't need certifications
While you don't "need" a certification today, it certainly helps, and as time goes on, certifications are slowly becoming a requirement. Some job postings require a certification or two nowadays. This wasn't the case in the past. Many of today's senior-level cybersecurity leaders entered the field without needing any sort of certification. In fact, most, and if you go back far enough, all, cybersecurity certifications didn't exist in the past. What these old-timers don't understand (and maybe they do understand if they are the ones setting the high entry barrier) is that one of the major problems with landing a cybersecurity job nowadays is that the requirements are set ridiculously high. Companies want years and years of experience, and no one hires at the entry level. In fact, many people (myself included) say entry-level cybersecurity jobs simply don't exist. So, how does one get experience without a prior full-time cybersecurity job? In my opinion, certifications are the answer. The days of getting into cybersecurity with only a few years of sysadmin or help desk experience are gone. I don't think a lot of the seasoned cybersecurity professionals understand that.
"I’ve been working in cybersecurity for almost 8 years and I’ve never ever needed a single certification to get hired anywhere."
Now it is time for the hot takes...
4. Some certification haters can't pass the exams
If cert exams were as easy to obtain as the cert haters claim, why don't they have them? If they were easy to get, everyone would have them. But they don't. Coincidence? I don't think so.
5. Some certification haters are lazy
As I have said a couple of times now, certifications are not only extremely challenging but also a massive time commitment. Some people are unwilling to put in the time and effort to earn a certification, and because of that, they make excuses to avoid hard work. I believe some people bash certifications and certification stackers as a way to cope with their own laziness.
6. Some certification haters are afraid the next generation is going to pass them up
I believe some cert haters may be jealous, envious, or even intimidated by the next generation of cybersecurity professionals. Maybe they think we will pass them up in skills and knowledge. They are in their mid to late careers. They are ready to slow down but can't stand to see the next generation coming in to replace them with fresh new ideas. These people are also known as "Gatekeepers".
Note that I say "Some" in each of these hot takes. These don't apply to all cert stack haters, and these are just what I think some people feel deep within themselves. I think the average cert stack hater is just an old-timer who didn't need certs to get hired "back in my day" or someone who got their first cyber job from pure luck because they "knew a guy." There are probably very few cert stack haters who can actually afford all the certs, pass all the exams, aren't lazy, aren't gatekeepers, and aren't old-timers. I believe most certification stack haters fall into one or more of the 6 categories in this section of the blog post.
Conclusion
While collecting a ton of cybersecurity certifications has pros and cons, the cons are typically rooted in negativity from other professionals, whether that would be jealousy, envy, or even a way to cope with their own laziness or lack of skill. The pros far outweigh the cons, and I will continue to stack certifications until they don't make sense anymore. This is unlikely to happen any time soon because I have dedicated myself to lifelong learning and want to be the best cybersecurity professional I can be. Certifications are my preferred learning method, and people can disagree with me all they want. I recognize that my point of view isn't necessarily right; it is just an opinion, after all. However, the blatant disrespect and hostility towards cert stackers and certification holders are unnecessary and unproductive.