I have held a CISSP, a Security+, and four CCNA tracks. I used certifications deliberately — the first CCNA to pivot from finance into technology, subsequent ones to validate work I was already doing, Security+ to make the move into security, CISSP when I reached senior management. Every certification I pursued served a specific purpose at a specific moment. None of them taught me how to do my job. They validated that I already knew how.
That distinction matters enormously, and it is one the certification industry has every incentive to obscure.
How the machine works
The certification industrial complex is a self-reinforcing ecosystem with four participants. Three of them benefit from the current arrangement. The fourth, the candidate, pays for it.
Certification bodies — ISC2, CompTIA, EC-Council, Offensive Security — generate revenue from exam fees, renewal fees, continuing education requirements, and official study materials. A single CISSP exam costs $749. Renewal requires annual maintenance fees and ongoing continuing professional education credits. The incentive is to make certifications prestigious enough to be required and complex enough to require paid preparation.
Training companies — bootcamps, online platforms, corporate training providers — sell preparation for certifications that bodies have made sufficiently difficult to require preparation. Prices range from a few hundred to several thousand dollars per course. The incentive is to position certifications as essential credentials that cannot be passed without their specific preparation program.
Employers — particularly HR departments and non-technical hiring managers — use certifications as filtering mechanisms. "CISSP required" in a job posting for a role that does not actually require CISSP-level knowledge is not cynical — it is lazy. Certifications are a legible proxy for competence in a field where competence is genuinely difficult to evaluate without expertise. The incentive is to outsource the evaluation of candidates to a third party.
Job seekers — particularly career changers — are told repeatedly that certifications are the path into the field. They pay for them. Some of them work. But the pathway from certification to employment is less reliable than the industry implies, and the skills developed through certification study are often insufficient for the work that actual security roles require.
"A certification tells an employer that a candidate could pass a test about security. It does not tell them that the candidate can actually do security. Those are different things, and the gap between them is where the skills shortage lives."
What certifications actually test
Most security certifications are knowledge tests. They measure whether a candidate can recall definitions, identify correct answers from multiple choice options, and demonstrate familiarity with frameworks, concepts, and best practices. This is not useless — foundational knowledge matters. But it is a different thing from the ability to respond to an active incident, identify novel attack patterns, build a detection rule that works in a specific environment, or think like an adversary.
The certifications that test actual ability — OSCP being the clearest example — are the ones the industry most widely respects precisely because they cannot be passed through memorization. The OSCP exam is 24 hours of live exploitation on a network. You either compromise the machines or you do not. There is no multiple choice option for "what would you do if you encountered this vulnerability."
The gap between knowledge tests and capability tests is where the certification industry is most exposed. A candidate who has passed six multiple choice certifications may be significantly less capable in a real security role than one who has spent the same time running a home lab, completing TryHackMe rooms, and working through retired Hack The Box machines. The former has credentials. The latter has skills. They are not the same thing.
The specific failure modes
Entry-level roles requiring senior certifications. CISSP requires five years of verified work experience in the field to hold the credential; you can sit the exam without it, but you become an Associate of ISC2, not a CISSP, until the experience is documented and endorsed. It is a management and architecture credential designed for senior practitioners. Job postings listing CISSP as a requirement for entry-level security analyst roles are not describing a realistic candidate. They are describing an HR template written by someone who Googled "cybersecurity certifications." This is not a rare occurrence. It is endemic.
Certifications as a substitute for experience. Career changers are told that the path into security is to collect certifications. Some respond by spending years and thousands of dollars on an ever-expanding collection of credentials while doing no hands-on security work. They arrive at interviews with impressive-looking resumes and cannot answer basic questions about how an attack actually unfolds, what a real incident looks like, or how to investigate a suspicious process. The certifications signaled readiness. The candidate was not ready.
The bootcamp premium for commoditized content. The content required to pass CompTIA Security+ is freely available. Professor Messer's complete Security+ course is on YouTube at no cost. The practice exams are available for a few dollars. A motivated candidate can prepare for and pass Security+ for under $500 including the exam fee. Bootcamps charging $10,000–$15,000 for Security+ preparation are extracting premium pricing for delivering content that is otherwise essentially free. The premium is not for the content — it is for the credential of having attended and the community of fellow students. For most candidates, it is not worth it.
Renewal requirements that prioritize revenue over learning. CISSP requires 120 continuing professional education credits over three years plus annual maintenance fees. The CPE requirement in theory ensures practitioners stay current. In practice it creates a market for low-quality webinars, vendor presentations, and conference attendance that counts toward CPE without necessarily improving competence. The requirement benefits certification bodies and CPE providers. It is not obviously correlated with better security outcomes.
What a better path looks like
I am not arguing that certifications have no value. They demonstrably do, for specific purposes, at specific career stages, for specific roles. Security+ is genuinely useful as a first security credential because it is widely recognized, covers foundational knowledge that matters, and satisfies the DoD 8570 (now 8140) baseline requirements that open government and defense contractor roles. CISSP is genuinely useful as a senior management credential because it signals a breadth of knowledge across security domains that employers can rely on. OSCP is genuinely useful as an offensive security credential because it proves actual capability.
The argument is that the current system oversells certifications as the primary path into and through a security career, and that this overselling harms candidates who invest heavily in credentials at the expense of the hands-on experience that actually makes them effective practitioners.
A more honest path looks like this: get one foundational certification to establish credibility and satisfy HR filters. Spend the rest of the time building real skills — home lab, TryHackMe, Hack The Box, capture the flag competitions, contributing to open source security projects, building detection rules in a practice SIEM. Get a second certification when a specific role or career move requires it, not as a general investment in your resume.
The certification industrial complex is not a conspiracy — it is a market that evolved to serve its own participants. Certification bodies, training companies, and to a lesser extent employers all benefit from the current arrangement. Candidates benefit less consistently.
A skills gap that keeps growing while certification rates keep rising is the clearest evidence that the system is not working as advertised. You cannot close a skills gap by producing more people who can pass multiple choice tests about security. You close it by producing more people who can actually do security work.
The solution is not to abandon certifications — it is to use them correctly. Get the ones that open specific doors. Invest the rest of your time in building real capability. The lab hours matter more than the exam hours. The employers who understand security will recognize this. The ones who do not are probably not organizations you want to work for anyway.