What I Learned Talking to 100 IT Hiring Managers About Certifications
When you spend two decades helping Fortune 500 companies, defense contractors, and government agencies figure out their workforce development strategies, you end up in a lot of rooms with the people who actually make hiring decisions. Not recruiters who screen resumes. Not HR generalists who post job listings. I’m talking about the IT directors, CISOs, security managers, and engineering leads who sit across the table from candidates and decide whether to extend an offer or move on to the next person.
Over the years, I’ve had some version of the “what do you actually look for” conversation with well over a hundred of these folks. And here’s what’s funny. If you read job postings, you’d think every employer wants a certified, degreed, experienced unicorn who also knows Klingon and can solve a Rubik’s cube blindfolded. But when you sit down with hiring managers over coffee (or bourbon, depending on the conference), the truth is a lot more nuanced and a lot more encouraging than the job listings suggest.
Certifications get you into the room. What you do once you’re in the room is a completely different skill set. Every hiring manager I’ve talked to agrees on this, even the ones who disagree on everything else.
Certifications Are a Filter, Not a Verdict
The single most consistent thing I’ve heard from hiring managers is that certifications function as a screening mechanism. Not a hiring decision. A screening mechanism. There’s a massive difference, and understanding it changes how you should think about your entire career strategy.
Here’s how it actually works in practice. A security manager posts a job for a SOC analyst. They get 200 applications. They don’t have time to carefully read 200 resumes, so they need a way to get that pile down to 20. Certifications are the fastest, most reliable filter they have. “Does this person have Security+? Yes or no?” That single question eliminates half the stack in seconds. It’s not that the hiring manager thinks Security+ makes you a great analyst. It’s that without it, your resume never gets read long enough for them to find out whether you’re great or not.
Industry data backs this up. ISC2's cybersecurity hiring research found that roughly 70 percent of hiring managers consider certifications important when screening candidates. But when it comes to making the final hiring decision? Over 90 percent said hands-on experience was the most important factor. So certifications open the door, but experience closes the deal. Both matter. They just matter at different stages of the process, and confusing those stages leads people to either over-invest or under-invest in credentials.
The “Wrong Cert” Problem Nobody Warns You About
I had a conversation at a cybersecurity conference a couple years ago that I still think about. A hiring manager at a financial services firm told me he’d just passed on a candidate who had six certifications. Six. The candidate had spent years and thousands of dollars collecting credentials, and this manager wasn’t impressed. He was actually a little concerned.
His reasoning? "None of the certs lined up with each other, and none of them lined up with the job. It looked like someone checking boxes without a plan." He ended up hiring a candidate with two certifications, both directly relevant to the role, plus three years of hands-on work that matched the job description almost perfectly.
This is something I see constantly. People treat certifications like Pokémon cards. Gotta catch 'em all. But hiring managers don't think that way. They want to see a coherent story. Your certifications should make sense together and make sense for the role you're targeting. If you're going after cloud security work, an AWS certification plus Security+ tells a clear story. A random grab bag of Network+, ITIL, a Scrum certification, and a Python badge from an online course tells a story too, but it's more of a "this person doesn't know what they want to be" story.
One director of IT security at a healthcare company put it perfectly: "I'd rather see one certification that's directly relevant to what we do than a resume that looks like a cert vendor's catalog." The lesson here isn't to avoid certifications. It's to be strategic about which ones you pursue and in what order. Two well-chosen certs beat six random ones every single time.
The Degree Question Has Shifted Dramatically
This is the one where the gap between what job postings say and what hiring managers actually think is the widest. I still see job listings that say “Bachelor’s degree required” for roles where the hiring manager has told me directly that they don’t care about degrees. It’s boilerplate language that HR sticks on the posting because that’s what the template says. The actual humans making hiring decisions are increasingly focused on what you can do, not where you studied.
Research from TestGorilla found that more than half of employers have now removed degree requirements, a 30 percent jump from the prior year. ISC2's hiring research tells a similar story. About 90 percent of security managers said they'd consider candidates who only have previous IT work experience, and 89 percent would consider someone who only holds an entry-level cybersecurity certification. That's not "degrees don't matter." But it is a clear signal that the pathway into IT without a traditional four-year degree is wider than it's ever been.
What I've noticed in my own conversations is that the degree preference tends to correlate with the size and type of organization. Large enterprises with formal HR departments still lean on degree requirements because their applicant tracking systems are built that way. Smaller companies, startups, and managed security providers tend to care much less about degrees and much more about whether you can actually do the work. Government and defense contracting sits in a weird middle ground where specific certifications often matter more than the degree itself, because DoD 8570 (now superseded by the DoD 8140 cyberspace workforce framework) ties many positions to an approved baseline certification rather than to a degree.
What Actually Impresses Them in the Interview
OK so your certifications got your resume past the initial filter. You made it to the interview. Now what? This is where the conversation with hiring managers gets really interesting, because what impresses them has almost nothing to do with the credentials on your resume and everything to do with how you talk about real problems.
A CISO I’ve worked with for years summed it up better than I can. He said he always asks candidates to walk him through a security incident they handled, and the answer tells him everything he needs to know. Not because the incident itself matters, but because the way someone talks about it reveals their thought process, their ability to prioritize under pressure, and whether they actually understand what they did or just followed a playbook someone else wrote.
Across dozens of these conversations, a few themes keep popping up about what separates candidates who get offers from candidates who don’t.
The Certs That Keep Coming Up
I’m not going to pretend there’s a definitive ranking of certifications that every hiring manager agrees on. There isn’t. But certain names come up so consistently that they’re worth calling out. These are the credentials that hiring managers mention unprompted when I ask what they look for on resumes.
CompTIA Security+ is the universal handshake. I've never met a hiring manager who didn't recognize it. It's the baseline for entry-level cybersecurity roles, it's on the DoD 8570/8140 approved baseline list, and it gives hiring managers confidence that you understand the fundamentals. It won't blow anyone away for senior roles, but for getting your foot in the door? Nothing beats it for the price and effort involved.
CISSP still carries enormous weight at the mid-to-senior level. It's the certification that hiring managers associate with "this person is serious about security as a career." One VP of security told me that seeing CISSP on a resume doesn't tell him the candidate is brilliant, but it tells him they've invested significant time and effort and that they think about security at an enterprise level. That's a meaningful signal when you're hiring for roles that require big-picture thinking. Pearson VUE's research found that 82 percent of certified professionals felt more confident pursuing new job opportunities after earning their credentials, and in my experience, CISSP holders tend to be at the front of that confidence line.
Cloud certifications (AWS, Azure, GCP) are the fastest growing category in terms of hiring manager interest. Five years ago, cloud certs were nice to have. Now they’re table stakes for any role that touches cloud infrastructure, which is most roles. The specific platform matters less than whether you’ve got one that matches the employer’s environment. If a company runs on Azure, your AWS cert is helpful but not a bullseye. Pay attention to what the company actually uses before you decide which cloud cert to chase.
CISM is the one that keeps quietly climbing in conversations with people who hire for management and governance roles. If CISSP is the technical leadership credential, CISM is the business leadership credential. Hiring managers in regulated industries, especially banking, healthcare, and insurance, mention CISM as a signal that someone can translate security concepts into business language. That skill set gets rarer and more valuable the higher you climb in an organization.
The Career Stage Problem
Something that doesn’t get talked about enough is that the value of certifications changes dramatically depending on where you are in your career. What works at year one doesn’t work at year ten, and vice versa. I’ve watched people waste time and money because they applied the wrong certification strategy for their career stage.
For people just getting started, certifications matter a lot. You don't have experience to point to, so credentials are doing most of the heavy lifting on your resume. This is where something like Security+ or the ISC2 Certified in Cybersecurity (CC) genuinely changes your trajectory. ISC2's research found that 47 percent of security managers rated certifications as the single most critical attribute for entry-level candidates, ranking slightly higher than experience (44 percent) and education (43 percent) at that career stage. When you're new, the cert is your strongest card. Play it.
For mid-career professionals, the equation flips. Now your experience is your strongest asset and certifications become differentiators rather than tickets to entry. This is the right time for something like CISSP, CISM, or a specialized cloud certification that signals you're moving from "I can do the work" to "I can lead the work." Hiring managers at this level told me they look for certifications that show intentional career progression, not random skill collection.
For senior folks, certifications matter in specific ways. Nobody’s hiring a CISO because they have a CompTIA A+. But a CISO with CISSP and CISM signals credibility to board members, auditors, and clients in ways that experience alone can’t always communicate. At the senior level, certifications become more about external credibility and less about proving knowledge to your direct manager. They’re a trust signal for people outside your immediate team who need to evaluate whether you know your stuff.
A pattern I keep seeing: people who are switching careers into cybersecurity later in life actually have a unique advantage that most of them underestimate. The business experience, communication skills, and professional maturity they bring from other industries are exactly what hiring managers say is missing from candidates who grew up purely in tech. Combine that with a well-chosen certification or two, and you're not starting from zero. You're starting from a different kind of valuable.
The Surprising Things That Turn Hiring Managers Off
I asked every hiring manager I spoke with a version of this question: “What’s something candidates do that you wish they’d stop?” The answers were remarkably consistent and often surprising. Not because the mistakes are obscure, but because smart, qualified people keep making them.
Listing certifications you can't back up. If you put CISSP on your resume, the hiring manager is going to ask you CISSP-level questions. Multiple managers told me about candidates who listed advanced certifications and then couldn't answer basic questions about the domains those certs cover. One hiring manager called this the "paper tiger" problem. If you earned a cert two years ago and haven't touched the material since, at least do a refresh before the interview; the exam outline and its domain list are published by the certifying body, so you know exactly what your resume is claiming. Getting caught flat-footed on material your own resume claims you've mastered is one of the fastest ways to lose credibility.
Not researching the company. This sounds basic, but hiring managers say it happens constantly. Candidates show up without knowing what the company does, what technologies they use, or what challenges they’re facing. You don’t need to know everything, but showing that you spent 20 minutes on their website and thought about how your skills connect to their needs demonstrates the kind of initiative that certifications alone can’t prove.
Only talking in theory. One security director told me: "I can always tell the difference between someone who studied for an exam and someone who's actually done the work. The exam studier talks in definitions. The practitioner talks in stories." If you completed a home lab project, deployed a SIEM, or participated in a capture-the-flag event, talk about it. Even small-scale practical experience is better than perfectly memorized textbook answers. Hiring managers who build teams understand that real work is messy, and they want to hear that you've gotten your hands dirty.
The AI Wrinkle Nobody Saw Coming
The most recent conversations I’ve been having with hiring managers have a new flavor that wasn’t there even 18 months ago. AI is changing what organizations need from their security teams, and it’s happening faster than most certification programs can keep up with. Multiple managers told me they’re actively looking for people who understand the security implications of AI tools being deployed in their environments, even if there’s no certification for it yet.
A ResumeTemplates.com survey of over a thousand hiring managers found that cybersecurity awareness and data analysis ranked right behind software proficiency as the most important technical skills for 2026. But the interesting part was that AI tool comfort ranked lower than traditional competencies. Hiring managers still want solid foundational skills first. AI fluency is a bonus, not a replacement for knowing how to actually secure systems and respond to incidents.
That said, credentials like CompTIA’s new SecAI+ and ISACA’s AAISM certification are starting to show up in conversations. They’re not mainstream requirements yet, but the hiring managers who are paying attention to AI governance and AI security are taking note. Being early to an emerging certification area has historically been a smart career move. The people who got AWS certified in 2015 weren’t following the herd. They were ahead of it. The same opportunity exists right now with AI security credentials, and the hiring managers I talk to are watching to see who shows up first.
What I’d Tell My Younger Self
After distilling a couple hundred of these conversations into something useful, I keep coming back to a handful of truths that hold up regardless of which hiring manager I’m talking to, which industry they’re in, or which specific certifications we’re discussing.
Certifications are necessary but not sufficient. You need them to get noticed. You need experience and personality to get hired. Treating certs as the finish line instead of the starting line is the most common mistake I see people make. Pearson VUE found that about a third of certified professionals received a salary increase after earning their credential, and over half of those increases happened within three months. So the payoff is real. But it’s not automatic. You have to pair the cert with the right career moves.
Strategy beats volume. Every time. Pick certifications that tell a coherent career story. If you’re aiming for a security management role, Security+ followed by CISSP or CISM makes narrative sense. If you’re going into cloud security, pair a cloud platform cert with a security cert. Hiring managers read your certification list as a story about where you’ve been and where you’re going. Make sure it’s a story that makes sense.
And finally, the soft stuff matters way more than you think it does. I know that’s not what people want to hear when they’re trying to figure out which cert to study for next. But every hiring manager I’ve spoken to, without exception, eventually circles back to the same thing: they want someone they can work with. Someone who communicates clearly, takes ownership of problems, stays curious, and doesn’t crumble when things get stressful. No certification teaches that. But the people who combine strong credentials with those human qualities? They’re the ones who never have trouble finding work.