
The certification didn't get you into cyber, the signal did

The cyber or GRC cert changes your position in the hiring system, not your capability inside it. Filter-first, evaluate-later is how the market actually runs, and the candidates who understand that build different things in parallel.

Published 17 June 2026 · 7 min read · By the POST editor, 20 yrs, helpdesk to security architect
Verdict

The cyber or GRC certification didn't make you ready for the job. It made you eligible to be considered for it. Those are two different things and most cert-led entrants get them confused. The cert changes your position in the hiring system. It doesn't change your capability inside it. The shift you actually want happens later, on the job, and nobody can sell it to you in advance.

Walk through any UK entry-level cyber or GRC hiring pool in 2026 and the same shape repeats. A few hundred CVs, most of them with Security+ or ISO 27001 Foundation, a third with a bootcamp on the line above, a handful with a CISSP they probably shouldn't have on there yet. Recruiters keep saying the same thing on calls: we keep getting the same CVs, none of them stand out. Hiring managers keep saying the same thing in their heads after first-round interviews: this person passed an exam, they haven't worked a day in the function.

Both observations are right. They're also describing the same thing from two angles, and the thing they're describing is what a certification actually does in the labour market.

What you're really buying

The story people tell themselves is straightforward. You did the cert, the cert proved you were ready, the job followed. It's clean. It's also wrong about the mechanism.

What you bought was a filter pass. Filter-first, evaluate-later is how almost all entry-level cyber and GRC hiring runs. The ATS, the recruiter screen, the keyword match, the box on the agency spec that says “Security+ or equivalent”. The cert clears those gates. That's the product. Training providers won't put it this way because the honest pitch isn't flattering: we move you from somebody who can't apply to somebody who can. They sell it as readiness because readiness sounds like value and a filter pass sounds like admin.

It is value. It's just smaller and more specific than the prospectus implies.

Where the belief breaks

The cert tells you what a control is. It doesn't tell you what to do when finance refuses to implement it, when the supplier questionnaire comes back half-answered the day before the audit, when the engineering lead pushes back on a SOC alert at 4pm on a Friday and you have to decide whether to escalate or eat it. None of those moments map cleanly to a domain in the syllabus. All of them are the job.

The career shift people credit to the cert almost always happened somewhere else. First on-call shift. First audit finding you had to own with a stakeholder who outranks you. First control you designed that broke in production and made a real number change on a real dashboard. That's when the function becomes legible to you, and that's when colleagues start treating you like someone in it. The exam date is months earlier and largely unrelated.

Why the pathway still works

It does work. People do move from telecoms, audit, IT support and adjacent technical roles into cyber and GRC after a cert, and the cert is part of why. The argument here isn't that the route is fake. It's that the route works for a different reason than the one most candidates believe.

It works because the filter is real and the cert clears it. Everything after the filter is up for negotiation, and most of the negotiation goes to the candidate who has something other than the cert to talk about. Two years of helpdesk where you ended up owning the supplier security questionnaire. A home lab that actually answers a specific question, not a generic build. Three months of evening work on a GRC tool the team you're applying to already runs. The cert opens the door. One of those gets you the offer.

What a cert-led candidate should actually do

If you're in the middle of the route, the move is not another cert. The move is to build the things the cert can't prove. Three concrete ones, in rough priority order.

  • One artefact that names a real situation. Not a generic home lab writeup. Something a hiring manager can read in two minutes and recognise as the shape of work they actually do. A control gap analysis on a real public framework. A SIEM rule you tuned with a writeup of why the first version was noisy. One good artefact beats a third cert in nearly every shortlist conversation.
  • Wedge work inside whatever job you're in now. The supplier security questionnaire your current team gets and nobody wants to fill in. The access review nobody owns. The incident response runbook that's six years out of date. None of this is your target role. All of it is a sentence on your CV that isn't “studied for Security+”.
  • One real conversation a month with someone in the seat. Thirty minutes, no pitch. Ask what their last bad week looked like and what they wish they'd known a year before they took the role. Twelve of those teach you more about what the job actually wants from you than any training provider will.

The honest reframe

The cert is the price of being looked at, not the proof you belong. Treat it that way and the route works. Treat it as the finish line and you end up in the pool everyone complains about, wondering why the interviews aren't converting.

The job becomes real the first time it costs you something. The exam pass doesn't.

Where this connects on POST

For why one or two certs earn their place and five don't, the certs prove direction essay covers the sequencing. For the candidate-side failure mode of applying into the right function but the wrong pool inside it, the wrong pool essay is the mirror of this one. If you want a written call on whether your specific cert plan is doing what you think it's doing, the Career Verdict is the closest thing POST does to a one-to-one assessment.

Authored by

The POST editor. Twenty years in the work. Helpdesk, sysadmin, network, cloud, security engineering, security architecture. POST exists because the advice given to people entering this industry is, on average, dishonest.

Last reviewed 17 June 2026. Career advice without a date is worth what you paid for it.

POST Atlas is independent practitioner commentary. Certification and product names belong to their respective owners. Views are based on observed hiring patterns, public job-market signals and practitioner experience, not vendor endorsement.
