Certifications A Part Of ‘Vicious Circle’ In Cyber Security Space?

Security Experts Provide Their Take On Cyber Certs



Dan Gunderman
09/06/2018

Cyber security is battling a fearsome talent crisis as it attempts to right its course and amplify its presence and efficacy in the enterprise. In order to do so, it is relying on grassroots efforts to build awareness, but also on security certifications.

According to Threat Post, there are 76,413 CISSP certification holders compared to 78,523 openings requesting the certification. What’s more, according to Cybersecurity Ventures, “by 2021, as many as 3.5 million cyber security jobs will likely remain unfilled for significant periods of time.”

The demand remains strong. According to the U.S. Bureau of Labor Statistics, “Employment of information security analysts is projected to grow 28% from 2016 to 2026, much faster than the average for all occupations.”

More job listings are also requiring various certifications – from broad, foundational certifications to specializations in, say, penetration testing or compliance.

But it becomes a vicious circle: entry-level candidates vie for certifications to pull in job offers, but lack practical experience. Conversely, enterprises want practical experience and certifications, but current holders may be far too inexperienced. It is a disconnect between human resources (HR) and hiring managers, security teams and even management.

Regardless, there does appear to be a wider call for certification holders in the security operations center (SOC), especially as Chief Information Security Officers (CISO), and others charged with network defense, try to document and repel sophisticated cyber-attacks. Some candidates are generalists, while others are subject matter experts (SMEs). Each brings a different talent to the table, but both are in high demand. But how does a candidate go about navigating the space; how do they obtain the right certifications and market themselves?

Certifications are also crucial to some compensation packages in the cyber security space, as practitioners seek different pay grades or resume plugs to search elsewhere.

Making You Marketable

As Threat Post points out, “Certifications make you more attractive to potential employers because they show that you’re focused and goal-oriented. If they’re not required, they’re often preferred, depending on the role. Certifications also keep you marketable in the field as your career progresses, since the threat landscape is constantly changing and businesses – and security professionals – need to keep up.”

Commenting on the presence of certifications in cyber security and enterprise teams, Lisa Tuttle, CISO, SPX Corporation, told the Cyber Security Hub: “I advocate holding security certifications as a way to increase your knowledge of industry best practices in program management and operational controls.

“When hiring,” she added, “I seek candidates who hold security certifications as a demonstration of their commitment to the profession. Work experience is always the top priority, and certifications are a distinguishing factor.”

Certs Aren't Everything

Kayne McGladrey, Director of Information Security Services, Integral Partners, LLC, told the Cyber Security Hub: “From an employer’s perspective, certifications provide an easier way to identify qualified candidates in either specific technologies or in the broader discipline of cyber security.”

He said there’s no guarantee that an individual who holds certifications will be an ideal candidate, and there are many technologies that do not yet have a vendor-provided certification. McGladrey added: “So, excluding candidates who do not hold certifications is a poor strategy.”

Is there a certain method that candidates and practitioners can utilize to obtain certifications more easily? McGladrey said, “There needs to be sufficient motivation for an individual to spend time outside of work studying, as pursuing a certification of any form is rarely done on ‘company time.’”

He said that people get interested in certifications when considering leaving a position or when their compensation is tied to maintaining or gaining them.

“This (factors into) the broader economic outlook,” McGladrey told the Cyber Security Hub. “If the economy is thriving and people are considering asking for a raise, they may pursue a new certification. If they do not receive the raise, they may mentally justify the time spent by putting the certification on their resume and searching for new openings.”

An Expense

Dennis Leber, CISO, Cabinet for Health and Family Services, Kentucky, told the Cyber Security Hub that cost is also a factor in obtaining certifications.

“Most are expensive,” he said, “so a person attempting to break into the profession may not be able to afford certifications. (Both) a lack of experience (and a lack of certifications) makes (candidates) in this category less competitive.”

However, certifications may be more readily available for some. Leber pointed out that various organizations or agencies have programs that aid in the pursuit of certifications (e.g., the U.S. military). Sometimes, this visibility supersedes even more expensive educational programs.

Nevertheless, he concluded: “Certifications are valuable, and lend to the maturity of our profession. One must remember that certifications are one piece of the total picture. A combination of experience, desire to learn, certification, education, ongoing education, curiosity and passion are key, but not all required.”

It’s clear that certifications won’t be disappearing anytime soon, but their effectiveness will come down to how they are utilized in the hiring process and as a metric for educational standards.
