Key Factor in Cybersecurity Hiring: Skills, Certifications or Experience?

If you have a large stack of resumes from qualified cybersecurity professionals to review, then you are doing well in this competitive market. More likely, you are finding it next to impossible to find a candidate who has everything on your wish list.

Given that, how do you evaluate the vitae you do have in hand? Here are some insights regarding prioritizing skills, certificates and experience.

Skills, certifications and experience all have potential value – as long as they are relevant to your environment. A candidate's vitae may list impressive accomplishments, but if the work was done five years ago, it may not apply today.


Don’t get bogged down in long lists of technology on the vitae. The candidate may have used some only once or twice, but be intimately familiar with others. Make sure you know which is which. 

Another point to consider is the rapidly changing nature of technology. The most important skill to look for may be the ability to quickly learn and apply new knowledge. In addition to asking for an example demonstrating that skill, ask candidates about their overall practices for staying current. Top candidates will describe a robust, proactive approach.


Recent certifications can be helpful, particularly if they are relevant to the technologies your company uses. They also can indicate a passion for learning and a commitment to the profession. However, you can’t count on a certification to be the litmus test for actual on-the-job prowess.

You may have to decide between two scenarios: Candidate A has a relevant certificate and a year of general experience, while Candidate B has three years of relevant experience but no certificate. Unless you feel it is important to tell clients that your team members are certified, Candidate B may be the better choice.


Of the three, recent relevant experience is probably the factor to prioritize. After all, one doesn't acquire skills without some experience, and the book-learning in a certificate program isn't a match for getting hands-on in the real world. In addition to evaluating length and type of experience, look for evidence the candidate researched the most current threats in the course of contributing to a project.

Consider asking candidates to describe their most challenging project or experience related to the open position. Listen for details like the scope and difficulty of the work, what candidates consider "challenging" and how they handled those challenges. You're trying to gauge how their experience demonstrates resiliency as well as how it will add insight to your organization.

Attract Top Talent by Offering All Three

To compete in today's talent market, you need a compelling employment value proposition. One way to become an employer of choice among cybersecurity professionals is to offer the opportunity for high-potential candidates to gain skills, experience and/or company-paid certification.

You can't, of course, hire people with no skills, certificates or experience whatsoever. Instead, consider loosening the requirements of a search and sweetening the deal with the promise of professional development. For example, an open senior security engineer position may call for seven to ten years of experience. You'll probably have better luck offering the position as a security engineer, asking for four to six years and marketing it as a chance to grow into a senior role.

To stay current, your whole cybersecurity team needs to be retrained on a regular basis anyway. Develop a training program, whether you do it in-house or engage a third-party provider. While some classes are expensive, there are organizations offering free online courses covering current topics, like and SANS CyberAces.

Identifying High-Potential Candidates

A defining characteristic of high-potential candidates is the ability to think like the hackers in the virtual badlands. That enables the best cybersecurity professionals to anticipate attacks and identify gaps in system defenses. Insiders joke that superstars have an "evil bit" (as in bits and bytes) in the code of their personalities. Ask candidates to describe a situation in which they "thought like a hacker" to strengthen security measures.

In addition, high-potential candidates are passionate about technology and tend toward hobbies that are an extension of their work. Some have elaborate home systems or pet projects allowing them to "play" in areas outside of the enterprise scope. Hobbies like these add value and perspective to the work they'll do for you. Ask candidates about their home network or relevant off-the-clock projects. You'll gain deeper insight into what they bring to the table, and candidates will appreciate that you value their passion.

One last note: make sure your environment offers the opportunity for high-potential candidates to channel their passion. By offering a chance to earn skills and experience, acquire certifications and exercise passion, you will be a quadruple threat to competitors in the job market.
