Most cybersecurity job postings still do not require certifications, study finds

By AI, Created 1:01 PM UTC, June 03, 2026, /AGP/ – Programs.com released a new study on June 3, 2026, analyzing 2,694 cybersecurity job listings and how often employers mention certifications. The report suggests certifications can help candidates stand out, but most postings still do not require one.

Why it matters: - Cybersecurity candidates often assume certifications are a baseline hiring requirement. - The new study suggests most employers still prioritize skills, experience, and role fit over a specific credential. - The findings matter most for job seekers targeting governance, risk, compliance, government, and defense roles, where certification demand is higher.

What happened: - Programs.com published a study on June 3, 2026, examining how often employers require cybersecurity certifications in job postings. - The analysis reviewed 2,694 unique, deduplicated cybersecurity job listings from major job boards. - The report tracked 20 widely recognized certifications, including CISSP, CISM, CISA, CEH, Security+, CCSP, OSCP, and CRISC. - Each certification mention was classified as required, preferred, or unclear based on job description language.

The details: - 74.8% of cybersecurity job postings mentioned no specific certification. - 6.9% of postings explicitly required a certification. - 25.2% of postings mentioned at least one tracked certification. - CISSP was the most mentioned credential, appearing in 17.6% of all cybersecurity job postings. - 70% of listings that mentioned any certification included CISSP. - CompTIA Security+ had the highest hard-requirement rate among major certifications. - GRC, risk, and compliance roles were the most certification-heavy job category. - Brian Dean, founder of Programs.com, said most cybersecurity job postings do not require a certification at all.

Between the lines: - The data points to a split hiring market. - Many employers use certifications as a signal, not a strict filter. - CISSP appears to function as the broadest shorthand for senior cybersecurity credibility. - Security+ stands out more as a required credential than as a commonly mentioned one. - Dean said the takeaway is not that certifications do not help candidates get hired, but that job seekers should be selective.

What’s next: - Programs.com has made the full study available on its website. - Job seekers can use the findings to match certification choices more closely to target roles. - Candidates focused on compliance-heavy or government-adjacent work may see the clearest return from certification investment.

The bottom line: - Cybersecurity certifications still matter, but the hiring data shows they are an advantage more often than a universal requirement.