CyberWire Daily — CISO Perspectives: “Do Certifications Matter?”
Date: March 6, 2026
Host: Kim Jones, N2K Networks
Guest: Simone Petrella
Episode Overview
This episode tackles a perennial debate in cybersecurity: Do certifications matter? Kim Jones welcomes industry leader Simone Petrella for an in-depth exploration of certifications' pros, cons, and impact on hiring, careers, and diversity in cybersecurity. They discuss the value of certifications, their limitations, economic and social implications, and how the industry might align certifications with real-world skills and workforce needs.
Key Discussion Points & Insights
1. The Value & Limitations of Certifications
- Certifications as "Passports":
  - Simone compares certifications to passports: they open doors but don't guarantee crossing the finish line.
  - “They matter in the sense that if you want a passport to go to another country, you need one, but it’s not going to be the plane ticket to get you there.” (Simone, 12:47)
- Door Openers, Not Golden Tickets:
  - They signal baseline knowledge, effort, and ambition to hiring managers.
  - Certain jobs require tool- or vendor-specific certs, but most cybersecurity roles use certs as proof someone’s "in the ballpark." (Simone, 14:12)
- Concerns About Overemphasis and Weakening Standards:
  - Kim tells how retaking the CISSP became easier, suggesting business interests may be lowering barriers.
  - “As they have become more important passports… there's a question as to whether or not the certifying bodies have made it easier... I wonder if the exam had gotten easier in order to increase the number of people who would take it and pass.” (Kim, 17:00)
2. The Business (and Blurred Lines) of Certification
- Certification Ecosystem Critique:
  - Simone describes the “cottage industry” of certifications, where the same entity creates, delivers, and monetizes exams and prep.
  - She contrasts this with law: “The bar exam is created, maintained, and run by a completely separate body…” (Simone, 21:33)
  - “In cybersecurity, the lines are completely blurred.” (Simone, 22:19)
- Potential for ‘Hacking’ the Exams:
  - Simone recounts her Chief Product Officer (from outside cyber) passing the CISSP in a month, showing that test-taking skill, rather than field expertise, can sometimes be enough. (Simone, 19:14)
3. Skills-Based Hiring and the “Wicked Gate” Problem
[Segment: 26:09 – 29:29]
- The industry’s reliance on certifications as hiring filters is questioned:
- “Being able to rely on a credential alone can’t be indicative of someone’s true competence to perform the job.” (Simone, 26:09)
- Labels (“must have CISSP”) are not tailored to actual job skills, leading to bad matches and lost candidates.
- Professional certs often end up too general—or sometimes, if specific, too siloed.
- Hiring managers tend to reuse job descriptions with old checkboxes (like certs), creating unintentional entry barriers.
- As Simone puts it: “We’ve created these jobs that don’t match the packaging for the labels that they’ve created.” (Simone, 27:00)
4. Entry-Level Certifications & Core Knowledge
- What should entry-level aspiring cyber professionals know? Simone’s top foundational knowledge areas (33:57–35:10):
  - Networking and computing basics (including the OSI model)
  - Understanding of adversarial threats and primary attack vectors
  - Context: why cybersecurity matters for the specific organization being protected
5. Hidden Barriers: Cost, Diversity & Opportunity
[Segment: 37:10 – 41:49]
- Economic Hurdles:
  - Certifications, prep, study materials, and ongoing maintenance (like CPEs) can collectively cost thousands.
  - “It does not only become a wicked gate, but there’s an economic component to it that gets in the way, even for entry level certifications…” (Kim, 37:13)
- Impact on Diversity:
  - Entry bars (including time-in-service for advanced certs) perpetuate the existing lack of diversity.
  - “The workforce only looks 20% like you.” (Kim, 39:32)
  - “We have more qualified entry level candidates than actual available jobs... then in order to get the certification that’s kind of in demand for the next level, they have to have the five years… you've just given them a—you’ve closed the door in their face and walked away.” (Simone, 41:02)
6. The Broken Pipeline & Industry Shortcomings
- There is a surplus of diverse, entry-level talent, but not enough roles. The requirement for years of experience before advancing (and before qualifying for advanced certs) blocks upward mobility and perpetuates underrepresentation.
- Both Kim and Simone agree that:
  - The industry has gotten "lazy," overly reliant on check-the-box hiring.
  - Certifications provide very incomplete and sometimes misleading pictures of a candidate’s skill or readiness.
Notable Quotes & Memorable Moments
| Timestamp | Quote | Speaker |
|-----------|-------|---------|
| 12:47 | “They matter in the sense that if you want a passport to go to another country, you need one, but it’s not going to be the plane ticket to get you there.” | Simone |
| 14:12 | “It tells us that you’re kind of like in the ballpark, but it’s, you know, like you’re qualified to get on this flight, but… this doesn’t put you at the boarding gate…” | Simone |
| 19:14 | “He took, you know, a book and a bunch of research materials. Zero experience in cyber. Zero. And I think it took him about a month and he passed the CISSP.” | Simone |
| 22:19 | “In cybersecurity, the lines are completely blurred … we’ve misaligned the incentives and this profession has grown … we’re still kind of in our like pre-teen years, if you think about how long it takes for professions to mature.” | Simone |
| 39:46 | “You’re just keeping that pipeline going and you’re continuing to set up this almost impossible barrier to those who want to get into the field…” | Simone |
| 41:02 | “We have a surplus of entry level professionals and not enough entry level roles out there. But then in order to get the certification that’s kind of in demand for the next level, they have to have the five years… you've just given them a—you’ve closed the door in their face and walked away.” | Simone |
| 42:11 | “Cybersecurity is a long term game, but we’re playing it with short term incentives… If we’re going to play this long-term game, which is actually getting better at security, then we’re going to have to focus on the things that are frankly, hard—the hardest things—which are how do we have the right people with the right skills doing the right things…” | Simone |
Important Segment Timestamps
- [10:52] — Introduction of Simone Petrella & background
- [12:47] — Passport analogy: what certifications really do
- [17:00–19:20] — Kim's CISSP story and debate over exam 'gatekeeping'
- [19:14–22:19] — Simone on the “hackability” of exams and certification industry structure
- [26:09–29:29] — Skills-based hiring, the “wicked gate,” misalignment of certs to job realities
- [33:57] — Entry-level core knowledge recommendations
- [37:10] — Economic/demographic hurdles amplifying systemic bias
- [39:46–41:49] — Diversity pipeline problem and the closing of doors for non-traditional candidates
- [42:11] — Long-term vs. short-term incentives in building a cyber workforce
Takeaways & Closing Thoughts
- Certifications do hold value as a baseline signal, but they are insufficient for judging a candidate’s competence.
- The certification ecosystem is deeply conflicted—driven by business incentives that often run counter to establishing true professional standards.
- The overuse of certifications in hiring perpetuates homogeny, creates unnecessary hurdles, and especially impacts diverse, early-career, or under-resourced candidates.
- True progress demands redefining both entry and advancement: industry-accepted core knowledge, skills-based hiring, and alignment between the cert creation community, employers, and labor market needs.
- Final Thought for Listeners: “Cybersecurity is a long term game, but we’re playing it with short term incentives... Certifications can help, but only if they’re tied to what the industry really needs and if the economic and systemic barriers are addressed.” (Simone, 42:11)
Suggested Actions (per guest & host)
- If hiring: Don’t default to certifications as requirements unless you can defend why they're necessary for a specific role.
- If job seeking: Select certs aligned with your career objectives—not for resume padding.
- For all: Advocate for skills-based, not checkbox-based, hiring and advancement.
This summary omits non-content segments (ads, intros, outros). All timestamps and attributions refer to original episode audio.