
Certification: check. Now what?


There has been a lot of buzz lately about the cybersecurity workforce: its significant gaps, its myriad opportunities, and the lack of clarity about how to bridge the two.

One critical problem is the absence of an agreed-upon barometer for experience and expertise, which makes it difficult for managers to determine the best hire and for job-searchers to determine if a job is the right fit. In recent months and years, programs have been cropping up to address this issue, including school outreach, university degree programs and a slew of certifications.

In an era when a bachelor's degree is the barest of minimums for getting into the cybersecurity field, IT certifications have emerged as the new standard. But it's a new and still-wobbly standard.

"There is some concern in the plethora of credentials and people trying to navigate the field – which ones reflect the right level of credibility and functional knowledge?" said Terry Erdle, executive vice president of CompTIA Certifications. "Certifications don't reflect a full depth, but neither does a computer science degree reflect two other degrees in philosophy. There should be stackable and really recognized credentials, industry-backed and industry-recognized, that anybody can understand what skill sets that credential reflects."

Already there are several certifications that are widely considered standard, an alphabet soup that includes CISSP, CompTIA's Security+ and A+, and others. Still more are popping up and becoming more specialized, such as credentials in cyber forensics.

In the government, certifications have become a primary HR tool, with the National Institute of Standards and Technology developing a National Cybersecurity Workforce Framework. Credentialing is even a requirement in some cases, such as the Defense Department's Directive 8570, which stipulates training, certification and management for all employees involved in information assurance activities.

"Under DOD 8570, you can't hold a job in cybersecurity unless you have one of these certifications – so DOD is using that in a much more regulatory way than private industry tends to," said Dan Ryan, an attorney who does consulting work for (ISC)2, an information security training and certification group.

Making sense of the sea of certifications is one thing, but what happens after attaining them is another. A one-time credential is only so effective when dealing with the rapidly evolving environment in cybersecurity.

"In any event, none of [the certifications] guarantees real depth or understanding. What they guarantee is somebody has worked in the field for a while and was able to pass the test," Ryan said. "This is a highly technical field, and there needs to be a code of ethics and some enforcement mechanism so those who claim to be practicing this discipline as professionals are held to appropriate standards. And there needs to be some kind of continuing education. If you got your Ph.D. in digital forensics 10 years ago, if you didn't keep up with the literature and conferences, you're way, way out of date in a short period of time."

The idea that IT certifications could take a cue from the medical field is one that is beginning to take root.

"It's much like how doctors stay conversant with various things – continuous education, opportunities to recertify. You have to recert every three years or you lose your edge and the timeliness of the content you're supposedly expert in," Erdle said.

Erdle, Ryan and others noted that with the cybersecurity profession in its nascent stages, the pieces and the partnerships are still coming together.

"It's a dance back and forth a little bit, but it's getting healthier and healthier in terms of taking advantage of academic strengths as well as the IT certification world," Erdle said. "We're collaborating more and more to demystify the landscape."

Reader comments

Sat, Nov 2, 2013 San Diego CA

I agree with Madwhitehatter. At my last job, folks were good at memorizing brain dumps and going to boot camps to pass the certification tests, but clueless about what was going on... can't even troubleshoot a basic network connectivity issue with a client, but yet you are certified with a high-level IT certification? Something is definitely wrong with that picture! DoD wonders why stuff is happening to their networks; it's because people do not know or were not properly trained. The Certification and Boot Camp Providers are making a killing off of the US Gov't Workers (Civilian and Contractors) and will continue till someone gets smart and sees what is going on...

Tue, Oct 29, 2013 madwhitehatter

I'd rather see companies hire people who've been going to hacker conventions for the last decade than someone who did a 40-hour boot camp and got a brain dump. The government will stay behind when they don't have people who know the subject doing the hiring.

Tue, Oct 29, 2013

I don't know who the lobbyist was for the certification industry, but they did a great job of duping the government. The only benefit of certification is for the certification providers! It takes critical finances, time and resources away from defense projects with little to no benefit in return. Experience is by far the premier indicator....
