Takin’ care of business
By many estimates, the demand for information security practitioners far exceeds availability. As security becomes an appreciable concern for large and small companies alike, it stands to reason that the industry is going to face a serious shortage in the coming years if new practitioners aren’t found or cultivated. Strategies to combat the problem are discussed frequently during industry conferences and online in social media: Implement more school programs focusing on security (vs. general technology or computer science); groom savvy technical staff; look for qualities like creativity or deep analytical skills in non-technical staff, then recruit and train those individuals into security positions; start or join programs in one’s community to increase awareness of and interest in security; volunteer to teach an “intro to security” program at your local school or youth center. What’s interesting is that none of the ideas begin with, “Promote security certification programs!”
The industry has mixed feelings about certifications; for certain they serve a purpose, but often security certifications are considered a baseline, much in the same way that compliance is a baseline—or bare minimum—for security programs.
You get up every morning
In a new infographic released by IT staffing firm, TEKsystems, IT leaders and IT pros showed a tepid attitude towards security certifications. The full dataset behind the infographic and accompanying press release wasn’t available, but as illustrated on TEK’s website, 63% of IT leaders responded that technical certifications are important in the hiring process. However, only 26% of those same leaders responded that job applicants’ certifications are verified “always” or “often” during the hiring process, even when the certification is a factor in the selection criteria. Perhaps this disconnect exists because “IT leader” doesn’t necessarily mean, “someone with overwhelming security knowledge,” and therefore a baseline—like a security certification—is a good place to start during an assessment of a potential new employee. When it comes to developing and promoting talent after the initial hire, respondents said that the importance of certifications decreases at each step; indeed, 52% of IT leaders don’t consider certifications in the decision to promote an employee.
One the practitioner side, only 52% of respondents said that certifications are accurately reflected on their résumés, and a mere 40% said that certifications are important to long-term career growth. These numbers won’t bowl anyone over, but it also doesn’t mean certifications are valueless. They are, perhaps, strong starting points and checkpoints along the road to experience and skill. Much like passing a driver’s road test and written exam doesn’t make a 16 year old an ace driver, an issued license at least ensures new drivers have learned and processed the rules of the road. (Side note: perhaps, we’d achieve improved road safety if drivers were required to re-certify after a given amount of time.)
Take the 8:15 into the city
InfoSec Insider has spoken to many security practitioners over the years and, generally speaking, certifications are thought to be a good way to make sure one isn’t forgetting about the basics and isn’t growing so entrenched in one’s concentrated area of expertise that she or he forgets to cover other security bases. Andrew Hay, CISO of DataGravity, is a big fan of certifications. “They are what set me down my current path,” he says, explaining that certifications help security practitioners in terms of both general knowledge and a willingness to continually put effort into learning. At one time Hay held “fifteen or so” certifications.
Another portion of the security community thinks certifications are for the birds, so to speak. If the infographic is reflective of IT pros’ true thoughts, either certifications are good for something not listed, or they just aren’t a factor when making decisions about one’s career.
If your train’s on time
Adrian Sanabria, Senior Security Analyst at 451 Research, says that “the confusion [about certificates] stems from the fact that most certifications only test knowledge, not skills. Knowledge without skills is useless in a work environment.” While an IT leader might want to know a job applicant is current in his or her security knowledge and has gone the extra mile to obtain or renew a certificate, the piece of paper doesn’t do much to stop real-life threats in a real-life environment. The best way to know if a job applicant has the goods, says Sanabria, is to actively test those skills. “It’s easy,” he explains, dismissing the notion that an interview should be a chat between the hiring manager and the applicant. For instance, “When I want to hire a pentester, I set up a mock pentest for them to perform, complete with writing a report and turning it in. Immediately, you find 50%+ of your candidates running for the hills the moment you suggest putting in 8-20 hours of work to land a job.”
Some job applicants may feel that the effort put into earning a certification, tidying up a résumé, and providing all the right answers are indication enough when it comes to getting the job. Knowledge doesn’t always equal skill under pressure, though, and skill under pressure is necessary in security all the time. “Knowledge without skills is only helpful on Jeopardy,” quips Sanabria. “We need to know how someone is going to perform in the job with realistic constraints.”
Although Sanabria—and many others with whom InfoSec Insider has spoken over the years—would choose (demonstrable) skills over knowledge, he agrees with Hay in one very important aspect: “I find certifications a good way to get yourself to learn a new field.” Indeed, following his own advice from a presentation at Cloud Security World, Sanabria is considering obtaining an AWS certification, “to force myself to learn more cloud technologies,” he says.
Taking care of business and working overtime
Whichever side of the vote you land on, hands-on, practical experience and competency are paramount. A certification is nice to have; it can set the foundation for a long and prosperous career, and it may help a person acquire knowledge or help guide her in a new direction. A certification, though, isn’t the end goal. The industry needs qualified, intelligent people who have or can achieve deep technical expertise, as well as those that understand the complexity of the problem and can strategically guide organizations to a better, more productive future.
Furthermore, the industry needs to generate more interest; without new applicants to the field, “Workin’ overtime” will take on an even more substantial meaning in the near future (if it hasn’t already). School and certification programs are a great way to introduce newbies or info seekers to the industry and test their ability to soak up knowledge—and if information security is about one thing, it’s constant learning and evolution.
That said, a word of caution to those who place full stock in certifications: A certification might be a step along the way for someone to enter the field, for an old timer to buff up in an area, or to acquire knowledge in a new topic, but “I am a certified CISSP and now I can do all the security things,” said no legitimate, skilled, or truly effective security practitioner ever.