
– Zack Korman 

‘AI is changing cybersecurity fast, and SecAI+ is the new certification that proves you can secure and govern it.’

That is how CompTIA, the for-profit certification company, chose to announce their new AI cybersecurity certification.

I quickly went to Twitter to announce my own position on this: Of all of the dumb cybersecurity certifications, this one is the dumbest.

What Is Wrong With AI Security Certifications?

As CompTIA noted, AI is changing cybersecurity fast. However, they underestimate just how fast.

The core technology and tooling in this space are being actively developed, and teams are adopting new tools on a weekly basis. Model Context Protocol (MCP), the main protocol used to connect external tools to AI agents, launched just over a year ago and has already undergone multiple revisions. AI browsers had a big moment in mid-October, and a few weeks later all but disappeared.

Trying to keep up by studying from a book and taking an exam is not possible.

 

But the even bigger problem is that a certification that ‘proves you can secure and govern [AI]’ is the same as a certification that proves you can cure cancer. AI security is an unsolved problem.

THE REALITY OF AI SECURITY KNOWLEDGE

SecAI+ has a section on ‘AI assisted security’ covering topics like the use of AI in detection and response.

I work in the AI detection space, and I discover new things that work (and don’t work) every single day. My opinions on this area change on a monthly basis, and will likely have changed again by the time this piece gets published.

You can’t codify this knowledge.

 

Of course, there are some core principles that apply to the area of ‘securing AI systems’, which is 40% of SecAI+, that don’t change quite so rapidly. However, I’d argue that those are principles of security generally, not AI. You don’t need an AI security certification for that.

But Certs Help Get Jobs, Right?

There are plenty of dumb certifications out there that people get so they can land a job. Certifications allow hiring managers to treat hiring the same way they treat the rest of their job: as a box-ticking exercise.

WHY CERTIFICATIONS EXIST

Certifications reduce personal risk for the hiring manager, because if a hire doesn’t work out the manager can always point to the fact that the employee had all the right credentials.

It’s the ‘no one gets fired for choosing IBM’ of cybersecurity hiring.

 

However, I’d argue that this doesn’t apply to AI security.

Cybersecurity teams feel an enormous amount of pressure to support AI tools across their organization, and they have no idea how to do that. There is no business as usual in this space. Cybersecurity teams need real solutions, not safe hires.

If you can solve a CISO’s AI problem, you can get hired.

– Zack Korman

 

Learning AI Security the Real Way

Instead of trying to check off all the HR hiring boxes, when it comes to landing a role in AI security the goal is to stand out. Find a way to prove you know what is going on, because the truth is no one else does.

So how should you do that, if you aren’t buying learning material from CompTIA?

  1. Use and Break New AI Products

When a new AI product launches, go use it. Try breaking it. Find out what works and what doesn’t. You’ll honestly be surprised. These products all have major weak points, but they’re rarely the same problems people point to when they try to infer the security problems from theory alone. Try ChatGPT Atlas. Try Cursor, Claude Code, and Antigravity. Try out the different models. Inspect the network traffic and really understand what is going on.

  2. Build (or Use) an MCP Server

Make an MCP server, or at least go use one. There’s nothing complicated about MCP; it’s basically just a bunch of POST requests. If you spend a day playing with it, you’ll know more than most people in this industry.

  3. Follow the Conversation on Twitter

Get on Twitter and follow people who talk about this area. Being able to refer to people you know and share their insights is already so much more than what others can say.
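The "bunch of POST requests" behind an MCP server, as an added example that is not part of the original article: each POST body is one JSON-RPC 2.0 message, and the server answers `initialize`, `tools/list` and `tools/call`. The `echo` tool, the server name and the port are constructed for illustration, and the real HTTP transport adds session and streaming details that are left out here.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed tool catalogue: one tool, with a JSON Schema describing its arguments.
TOOLS = [{"name": "echo", "description": "Return the given text", "inputSchema": {
    "type": "object", "properties": {"text": {"type": "string"}}, "required": ["text"]}}]

def err(rid, code, message):
    return {"jsonrpc": "2.0", "id": rid, "error": {"code": code, "message": message}}

def handle_rpc(raw):
    """Map one POST body (a JSON-RPC 2.0 message) to a reply dict, or None."""
    try:
        msg = json.loads(raw)
    except ValueError:
        return err(None, -32700, "Parse error")
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0":
        return err(None, -32600, "Invalid Request")
    if "id" not in msg:  # a notification (e.g. notifications/initialized) gets no reply
        return None
    rid, method = msg["id"], msg.get("method")
    params = msg.get("params") if isinstance(msg.get("params"), dict) else {}
    if method == "initialize":  # simplification: echo the client's version, no negotiation
        result = {"protocolVersion": params.get("protocolVersion"),
                  "capabilities": {"tools": {}}, "serverInfo": {"name": "demo", "version": "0.1"}}
    elif method == "tools/list":
        result = {"tools": TOOLS}
    elif method == "tools/call":
        args = params.get("arguments")  # chosen by the model, so treat as untrusted input
        if params.get("name") != "echo" or not isinstance(args, dict) \
                or not isinstance(args.get("text"), str):
            return err(rid, -32602, "Invalid params")
        result = {"content": [{"type": "text", "text": args["text"][:200]}],
                  "isError": False}
    else:
        return err(rid, -32601, "Method not found")
    return {"jsonrpc": "2.0", "id": rid, "result": result}

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        reply = handle_rpc(self.rfile.read(int(self.headers.get("Content-Length", 0))))
        self.send_response(200 if reply else 202)  # 202: accepted, nothing to return
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        if reply:
            self.wfile.write(json.dumps(reply).encode())

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Run it, POST the three messages at it with any HTTP client, and watch the traffic: the tool arguments arriving in `tools/call` are whatever the model decided to send, which is why the handler validates them before use.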

The Bottom Line

If you do all of that, you’re going to stand out when you talk about AI security far more than you would by having a certification.

 

The role of certifications is drastically diminished. Cybersecurity teams need real solutions, not safe hires.

 

* * *

Zack Korman is a technology leader based in Oslo, currently serving as CTO of a high-growth AI security startup. He previously led tech and product at a large European media company.