Utility Of Cyber Security Certifications Part 2: A Roundtable Discussion
Experts weigh in on cyber security certifications for the enterprise
Security-related jobs cover a wide array of possibilities, and so too do the certifications that help potential employers judge a candidate's fit and expertise for their various open roles. Here, Cyber Security Hub draws on the expertise of executives in the field to work out whether certifications contribute to a sort of "catch 22" in the hiring process. Are they truly standard practice for the space?
In the first part of this series, "Utility Of Cyber Security Certifications," we looked at the certifications landscape through a simple search, accompanying the resulting short list with a more extensive one pulled together by a web content data mining application.
The data was pulled and analyzed by Andrew Aken, PhD, Senior Cyber Security Consultant for DocDrew, LLC. Aken is an established IT professional with 15+ years of executive leadership and consulting experience across multiple industries including oil/gas, telecommunications, IT, Department of Defense, transportation, and education.
We also tapped into the expertise of Dr. Luis O. Noguerol, the Information System Security Officer at the US Department of Commerce, NOAA Southeast Fisheries Center; and President & CEO of Advanced Division of Informatics and Technology, Inc. (ADITusa, Inc.).
He has over 33 years of experience in Information Security/Information Technology, including a very strong academic background, which comes from his enthusiasm about new technologies and their integration in our daily lives. He also currently owns 78 IT certifications.
Finally, Cyber Security Hub Advisory Board member and CISO and Director of the Office of Cyber Security, Bob Turner, leads the development and delivery of a comprehensive information security and privacy program at the University of Wisconsin-Madison. His team provides a full scope of information and cyber security services including risk management and compliance, a full service security operations center and security tools support, cyber intelligence analysis, security awareness, and information technology policy.
Aken, Noguerol and Turner come from various backgrounds and perspectives, all with a very different take on the role of certifications within the industry. In this roundtable interview, we dive into the details to see if there is truly a standard industry practice when it comes to cyber security certification in the hiring process.
CS Hub: Are certifications useful for individuals breaking into cyber security roles within the enterprise?
Aken: I firmly believe that certifications are useful for people looking for cyber security roles in the enterprise. But, on their own, they cannot adequately demonstrate someone’s fit for a particular position. Without a significant amount of experience, certifications provide some evidence that the applicant possesses knowledge of the core ideas related to a particular task.
If combined with a degree, it also demonstrates the candidate's ability to reason, research, and apply this knowledge to perform basic tasks within the domain they're trying to get hired into. If the candidate is looking to move into a different area or into a more leadership role, certifications along with the candidate's experience and accomplishments can provide additional evidence of their suitability for the new role they're seeking. So, certifications provide evidence of at least a baseline of knowledge that a candidate possesses related to the role they are seeking to obtain.
Noguerol: For multiple reasons, the topic of information security certifications is a dichotomy now. With a great amount of new technologies, the diversity of problems in the cyber world, and the contrasted opinions of many of the most important cyber security experts from all around the world, there is a need not to reach agreement, but instead to understand why divergent opinions exist when it comes to how useful it is to employ individuals looking for cyber security roles or advancing in their careers in the enterprise nowadays.
In many cases, those who deny the importance of certifications are not well certified or haven't put in the time and effort to understand their perceptible benefits. The reasons can be numerous and unalike, and the "justifications" for not being certified are more abundant than not, but in the end, enterprises highly value the possibility of employing a certified person over one who is not. In the majority of job descriptions nowadays, the employer looks for a set of skills that has been certified by others, completely independent of the company and its affiliates.
Being certified in some of the large number of cyber security specializations today is more than a wish; it is a necessity, because certifications dramatically expand the possibilities of finding a job in a cyber security role in the enterprise. Being certified means that the individual has mastered a series of concepts (practical as well as theoretical) related to a specific topic, which, at least ideally speaking, guarantees a tremendous reduction of errors at the workplace.
For those with respectably different opinions, the question should be: why not? And if the answer is something like, "I prefer to work with the people who really know what I need done here, have a 'strong' background in cyber security, and are really skilled and hands-on," the reflection should be: who is making the assessment of a certified person and of how a cyber security certification might benefit the organization? Is it someone who is not certified? Consider when you go to see a physician: wouldn't you look for the one with more credentials rather than fewer?
Turner: In today’s cyber security climate, the absence of a certification communicates to me that the individual may be talented, but lacks awareness of the industry. Certified professionals in cyber security, digital forensics, incident response, penetration testing, and other skills within the profession are in abundance. Credentials like CISSP, CISM, GPEN, CISA, Security+, or other general professional certifications can add to technical certifications like CCNA + Security, EnCase Forensics Examiner and prove the professional and technical merit of the individual.
CS Hub: Is it more beneficial to hire someone with practical experience, or relevant certifications?
Aken: Demonstrable and effective practical experience trumps certifications when comparing candidates. But experience that the candidate cannot effectively demonstrate was effective in those roles (especially if that experience is of a relatively short duration) isn't particularly useful.
Noguerol: Let's be practical and honest: certifications without practical experience are not of much help, and again, this is a similarly dichotomous discussion. Choosing between these two distinct alternatives is not an easy task, for a simple reason: experience comes exclusively with time, repetition, and know-how, through a complex process in which skills are developed through trial and error and through certainty and assertion. If the question becomes "can experience be substituted by certifications?", categorically and clearly, the answer is no, never. The ideal condition is always to hire someone who has both: practical experience and, not or, relevant certifications. The exclusion clause (or), in this particular context, is always unwanted.
Turner: I look for a mix of education, credentials and experience, and at interview my team and I focus on how the individual expresses their practical experience. There is a significant difference between being a certified professional and actually doing the work.
Those who do not have a certification are still extremely valuable and many are at their highest and best doing what they do. As we all know, cyber security threats, technology, tactics and procedures continually evolve. By far, the ones on my team who excel are those that grab the opportunity to add a certification to their portfolio and step out to embrace the new challenges that certification opens up.
CS Hub: Do certifications contribute to sort of a ‘catch 22’ in the hiring process? Are they truly standard practice for this space?
Aken: Certifications that require you to demonstrate a significant number of years of experience in the domain make it more difficult for people without that experience to obtain it. For example, if a job position requires a CISSP certification and there aren't a large number of people from a particular population segment already in those roles, it makes it more difficult for that population segment to break into those roles.
Noguerol: 'Catch 22' is indisputable; it is one of the major concerns when hiring a person to fill a particular role, and this is no different when it comes to the cyber security world. After being in the cyber security and information technology space myself for over 33 years, and at the same time actively involved in higher education for over 16 years now, I can easily relate the 'catch 22' to a common question: what unambiguous needs do we have as an organization, and which precise skills are we looking for? For example, for those wishing to join the cyber security workforce, one of the most repeated questions is: how can I get experience if no one will ever give me a job to start, even as an intern?
Depending on dissimilar factors, the 'catch 22' may or may not be a standard practice. We have many examples in which individuals with no previous (or poor) experience beat, professionally speaking, and unseat some of those more "experienced" at the organization in an unexpectedly short period. IT certifications might contribute, somehow, to the 'catch 22', but the real no-win situation is to be caught by prejudices and old industry standards related to the hiring process. Every individual needs to be evaluated independently, and a very strong quotation from the brilliant Steve Jobs, Founder and President of Apple, illustrates my point of view: "It doesn't make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do."
Turner: Lack of a certification is by no means an exclusion factor. When you have 27 candidates for a position where education, experience and certifications are listed as required or preferred, certifications and documented performance help the players with potential rise to the top of the list.
The Verdict: Cyber Security Certifications Are A Baseline
So, what's the verdict on cyber security certifications? While preferences and answers vary, as the interview above shows, the three agree on one point: certifications cannot be the only factor in hiring an aspiring professional, but they are certainly a piece of the puzzle.
“Certifications provide a great baseline from which someone can derive information about their knowledge in the domain covered by the certification. They don't necessarily demonstrate aptitude for work in that domain. Therefore, when evaluating candidates for an open position, I would give preference to demonstrable and effective experience, degrees from a recognized higher education institution, and then certifications. If lacking the experience, education combined with certifications can be a solid foundation for suitability for a particular role,” Aken says.
Turner looks at the “professionalism of my team as directly linked to certifications and budget accordingly to ensure the team can earn and maintain their desired or required certifications. When looking for employers I hope that helps us stand above the crowd for those who are already certified professionals.”
Noguerol adds that certifications should count as much as job experience does, but only when they are earned in a conscious manner. "When someone becomes certified by memorization and repetition of books without major logical analysis, with study guides, or even worse, when 'certification dumps' are used to become certified, the lack of understanding becomes rampant when it relates to a particular cyber security topic. The entire industry suffers and the real value of being certified is dramatically impacted."
Once Certified In Cyber Security, What Are Next Steps?
Katia Dean is a pet mom, public speaker, cyber security professional and mentor. She also provides career advice, mentorship and cyber security tips for others pursuing their cyber security careers.
Dean is often asked by professionals looking to enter the field, "What kind of certifications should I get to start my cyber career?" While she notes that everyone has their own opinion, she shares her advice based on what she has observed:
- Know your career route in this area, using the NICE Workforce Framework. This resource gives a cyber professional knowledge of the different areas, roles, tasks and skills.
- You cannot know EVERYTHING IN CYBER! This area is very broad, so focus on one area and become THE subject matter expert. It will set you apart from the competition.
- Once you obtain your certification, research the positions whose job descriptions list it as a minimum requirement. "Mentoring people in my spare time, I observed some cyber professionals are not aware of the positions that are available after they obtain their certification. Setting your scope and using the NICE resource should guide you to begin, or boost, your career."
- Actually, there is no right answer. It comes from what you are passionate about!