A post from our Founder & Principal CEO, Dr. Christopher Beggs.
A month ago, a client told me I needed to complete a specific OT security training course before they’d engage us on a project. Twenty years of delivering OT security outcomes across critical infrastructure apparently wasn’t sufficient. What they wanted was a piece of paper.
This wasn’t an isolated incident. It’s a pattern that runs deep across the industrial cyber security industry. Clients demand certifications. HR departments filter candidates by credential count. Procurement processes award points for logos on a CV. And aspiring professionals dutifully collect certificates, mistaking the map for the territory.
But here’s what no one wants to say out loud: certifications don’t build capability. Experience does.
The Industry’s Credential Obsession
The emphasis on certifications has become overwhelming. Walk into any OT security conversation and you’ll hear the alphabet soup: CISSP, GICSP, IEC 62443, ISA/IEC, CISA. These credentials have become proxies for competence, serving as shorthand for trustworthiness and gatekeepers for opportunities.
The logic seems sound. Certifications demonstrate baseline knowledge. They create a common language across the industry. They signal that someone has invested time and money into professional development. In theory, they separate the serious practitioners from the amateurs.
In practice, they do something else entirely. They create the illusion of capability without proving it exists.
I’ve watched this play out repeatedly. Professionals use framework names and certification logos to appear knowledgeable, but when it’s time to apply that knowledge under real-world constraints, the gap becomes undeniable. Quoting a standard is easy. Implementing it without disrupting operations, balancing uptime with security, navigating legacy systems and political constraints? That’s where expertise shows.
And it rarely comes from a classroom.
What Certifications Actually Teach
Let me be clear: I’m not dismissing education. I hold a PhD and also built the SIS Certified Industrial Cyber Security Specialist (CICSS) certification. I understand the value of structured learning, of building foundational knowledge, of developing the ability to construct and defend an argument. University taught me how to read critically, write clearly, work in teams, and present complex ideas to diverse audiences.
But it didn’t teach me how to respond when a ransomware attack hits a SCADA network at 2am. It didn’t show me how to negotiate the politics between IT and OT teams during an incident. It didn’t build the muscle memory needed to make high-stakes decisions under pressure with incomplete information.
That ability originated in the field. From projects that failed. From incidents that required improvisation. From real systems with genuine consequences where theory clashed with messy, unforgiving reality.
Certifications can show you’ve learned the theory. They prove you understand the frameworks, terminology, and recommended practices. But they don’t prove you can use them when it counts. They don’t demonstrate you’ve bridged the gap between what the standards require and what the plant floor allows. They don’t reveal whether you freeze or adapt when your planned approach clashes with operational reality.
Where Real Capability Is Forged
Real security capability isn’t acquired in a classroom. It’s gained through real-world experience: handling incidents, working with different teams, and learning from errors. It develops when you’re required to manage risk, ensure uptime, and maintain safety amidst IT-OT challenges that textbooks never quite cover.
Think about what really happens during an OT security incident. You deal with old systems that lack modern security features. You work with operational teams whose main goal is to keep production going, not to follow your security plan. You manage vendor relationships, contractual limits, and regulatory requirements. You make decisions with limited visibility and imperfect options.
This is where true competence shows itself. Not in your ability to recite framework controls, but in your judgement about which risks to accept, which battles to fight, and how to communicate consequences to non-technical leaders who need to make the final call.
These skills aren’t simply taught. They’re built through repetition, failure, and the accumulated experience of being in the room when it matters.
The Better Path Forward
So, what’s the alternative? If certifications aren’t the answer, what is?
Begin with self-led learning. The standards and frameworks behind most certifications are publicly accessible. IEC 62443, NIST publications, and ISA documents can be read, studied, and understood without spending thousands on a training course. You lose the structure of a course, but you gain in-depth knowledge. You interact with the material on your own terms, at your own pace, and can delve deeper into what matters most to your situation.
Then pursue practical application experience. Seek out projects that allow you to put your knowledge into practice. Volunteer for incident response rotations. Shadow experienced practitioners during high-pressure scenarios. Collaborate across departments with OT teams who will challenge your assumptions and push you to adapt your thinking.
Build a portfolio of delivery, not just credentials. When someone asks about your capability, you should be able to point to specific results: systems secured, incidents managed, risks mitigated, stakeholders aligned. These stories carry more weight than any logo on your CV.
This doesn’t mean certifications are pointless. They can open doors, especially early in a career. They provide structure for those who learn best in formal settings. They establish credibility in organisations that require documented qualifications. However, they should be tools to enhance capability development, not replacements for it.
What This Means for Hiring and Career Development
If you’re building a career in OT security, prioritise application experience over collecting credentials. Pursue roles and projects that will challenge you, push your boundaries, and teach you through hands-on experience. Find mentors who have been on the front lines during incidents and can demonstrate what true capability looks like under pressure. Develop the essential skills: judgement, communication, adaptability, and technical expertise rooted in operational realities.
If you’re hiring or developing OT security talent, reconsider your criteria. Look beyond just the certification list. Ask about specific projects, the outcomes delivered, mistakes made, and lessons learned. Give more importance to delivery history over training completion. Create pathways for talented practitioners who have built capability through experience, even if their CV lacks the usual logos.
If you’re setting organisational policy, invest in project exposure and incident response capability, not just training budgets. Create opportunities for your team to gain real experience in controlled environments. Rotate people through different systems and scenarios. Build capability through doing, not just learning.
The Question That Matters
Here’s what it comes down to: if you had to choose between someone with five certifications and someone who has responded to three real incidents, managed two complex OT security implementations, and can clearly explain what they learned from their failures, who would you trust with your critical infrastructure?
The answer shows where true ability resides. Not in the qualifications we gather, but in the experience we gain, the judgement we hone, and the results we produce when it really matters.
Certifications can mark the beginning of a journey. But they aren’t the final goal. Experience is.
Dr Christopher Beggs
Founder & Principal CEO (Global)
SIS