Mental Health and Certificates in Infosec

17 Aug 2025 - karit

Background

Discussion of mental health and burnout in the InfoSec community is a common topic across many mediums. This is something that many people say we as a community need to work on and improve. Be it awareness or supporting people, and people knowing where they can go to get support (not a topic of this post, but the wait times in NZ, at least, are shocking and would be more helpful if people could get providers that could see them in a more timely manner).

Certificates

Certificates are the point of this blog post.

The amount of extra time certificates require, whether for studying or the exam, is high, particularly for the more “highly regarded” certificates.

I personally haven’t done these “highly regarded” certificates. From what I’ve heard, it would not be healthy for me to do them. Talking to people who have done these courses and certificates, they are often burnt out at the end of the process and glad it is over. They are frequently not excited about earning the certificate, but instead they are excited about getting their evenings and weekends back. Assuming that they haven’t hurt friendships or family relations along the way through the process.

What can be done

If the infosec industry is serious about mental health and work-life balance, we need to stop supporting certificates that do not promote this healthy work-life balance messaging.

Like one of the more regarded certificate programs has a song called “Try harder”. Is this the message we should be promoting? Putting more time into things is not the answer. We should be supporting people. If people aren’t passing the certificate or not being able to do the labs, to me, that is a failing of the instructors and the course materials, not the student. (I know some of the people who are struggling and looking for help, and they are not people who would fall into the bottom of the bell curve who will fail). Course and lab materials should be there so people can actually achieve the learning objectives. When I run training, I would never tell someone to try harder. I would sit with them and understand the part they are having a struggle with and help them through.

The exam process is also not healthy. For instance, 24 hours of hacking, then 24 hours to write the report, is not good and not what happens in the real world. The eight-hour workday is standard around the globe, so it should look like making eight-hour parts with a proper sleep in between.

Also, the training material’s length is excessive, and the courses are potentially too big. People having to put evenings and weekends aside for six plus months on end is not good. People can surge and put some extra effort in for a little bit, but it should not be a death march. This could be simplified by breaking the courses down into more manageable chunks that can be achieved in a week or two. This will also help keep the exams smaller and more manageable in eight-hour chunks.

Having a high failure rate is not something to be proud of; it either means:

• You are letting people take the course who don’t meet the prerequisites & the course is too advanced. In this case, improve your prerequisites or add a pathway course.
• Your material and/or teachers are lacking. You may have technically excellent people, but have they obtained teaching qualifications, or have someone with a teaching background on staff?

Many businesses in their job advertisements promote that they offer study and educational allowances as part of a total remuneration package. Looking into this, it’s often found that it is just the monetary portion to pay for the course or the certificate, but it doesn’t actually have a study leave allowance to go with it. When courses have week-long or multi-day exams, you need not just the time to do the study but also the time to sit for the exam. So if you are promoting your staff to take these courses, are you giving them enough time to do it justice, or are you just giving them the money and letting them do the rest?

Wrap up

If the Infosec industry is serious about mental health, this needs to extend to the certificates that we hold in high regard. We should stop looking for or expecting people to have these certificates. When the Govt or Business is looking for minimums for contractors/consultants, we should push back, saying we actually support people’s mental health and don’t suggest or condone these certificates.

Things that certificate providers can do:

• Make exams accessible in a single business day.
• Have course materials and trainers that don’t require you to write songs that say try harder
• Make the learning time achievable without it being a multi-month death march.
• Make sure you have precise prerequisites & information about how to get to that level.

Things Security Companies can do:

• Make sure you have professional development pathways that are healthy
• Make sure training budgets have the money, but also study leave.

Things organsiations seeking infosec services can do:

• Understand what these certs are and what they mean for the people providing these services.

As a community what can we do:

• Make sure we are not gatekeeping or putting barriers in place that are detrimental to people’s mental health.