The Conversation

What's wrong with cyber training? Apparently, a lot.

Why are trained cybersecurity professionals hard for the government to hire?

Our recent story headlined "What’s wrong with cyber training?" provoked quite the reaction.

Some readers agreed that there is too much focus on paper credentials and not enough on real-world know-how. Others argued that without those certifications, landing a job is next to impossible.

As commenter rb CA put it: "(1) In most professions, you have book learning and you learn how to really work after you are hired. No one comes out of college (or the one-week course) ready to design the next gen CPU for Intel. They work their way up after years of effort. (2) We want them cyber ready but their 4 year degree is worthless if they don't have A+, SEC+, and/or CISSP."

Others presented new angles to the discussion. Commenter Kathleen Smith, for example, wrote: "What we don't understand is that those launching cyber attacks have a different moral compass than we do. We do not train our folks to go no-holds-barred when researching, developing an offense or going on the defense as our assailants."

Amber Corrin responds: It’s true that there are cultural factors at play here. In China, enormous pressure is put on young computer science students to be able to crack codes, hack into iron-clad networks and do it all faster than anyone else. In Russia, involvement in cyber crime, especially if it’s being provided as a service to the government, is often a matter of pride. In both places, these types of activities are heavily ingrained in the culture – and not coincidentally, both countries are frequently named as being responsible for cyber attacks on the U.S.

SANS Institute founder Alan Paller, quoted in the original story, suggested it is a cultural issue in the U.S., too – one that is holding us back. Recruiting, rather than training, is a key problem, one both rooted in and magnified by the lack of attention paid to the types of young minds that the U.S. needs in the cyber domain.

"We’re not celebrating that kind of brain that likes to break stuff apart and figure it out," Paller said.

Finally, @PrometricCyber tweeted FCW: Would you say the lack of well-trained cyber security professionals makes the industry a lucrative job market?

Amber Corrin responds: The answer to that is two-fold. There’s no shortage of cybersecurity jobs – the market is stronger than essentially any other, according to the numerous reports released over the last six months. By most standards, it is also quite lucrative: According to an InformationWeek survey from earlier this year, IT security staff enjoy a median yearly salary of $95,000, with management at $120,000.

And Paller said that those on the policy and decision-making side still tend to earn more than those in the trenches. As he put it, that’s because the policy-makers are the ones determining salaries.

"The people who don’t know what they’re doing are getting paid more than the people who do because they make the rules about who gets paid what," Paller said.

Posted by Amber Corrin on Jul 02, 2013 at 2:30 PM


Reader comments

Wed, Jul 10, 2013

It seems pretty obvious that one's perspective on certs depends a great deal on whether one holds them. Speaking as a 15-year cybersecurity veteran (with plenty of certs along the way), I've never attained a credential without learning something. On the other hand, most of what I continue to learn is OJT and hands on with actual tools, something no cert (with few exceptions) actually does. I agree with Alan Paller that the fattest salaries go to non-nerds (surprise...), but I also believe that that is less true for cyber than for virtually any other specialty. Also agree that Americans tend to avoid skills measurement and competition (such as CTFs) much more than their counterparts for some reason.

Wed, Jul 3, 2013

Certifications, IMHO, are pretty much worthless. Knowledge gained in 'teach to the test' drink-from-a-firehose boot camps has a rapid decay curve. Training and testing should be based on actual job duties. I hope somebody in DoD owns stock in the diploma mill companies- I'd hate to ascribe 8570.1 to mere stupidity.
