Certification: check. Now what?


There has been a lot of buzz lately about the cybersecurity workforce: its significant gaps, its myriad opportunities, and the lack of clarity about how to bridge the two.

One critical problem is the absence of an agreed-upon barometer for experience and expertise, which makes it difficult for managers to determine the best hire and for job-searchers to determine if a job is the right fit. In recent months and years, programs have been cropping up to address this issue, including school outreach, university degree programs and a slew of certifications.

In an era when a bachelor's degree is the barest of minimums for getting into the cybersecurity field, IT certifications have emerged as the new standard. But it's a new and still-wobbly standard.

"There is some concern in the plethora of credentials and people trying to navigate the field – which ones reflect the right level of credibility and functional knowledge?" said Terry Erdle, executive vice president of CompTIA Certifications. "Certifications don't reflect a full depth, but neither does a computer science degree reflect two other degrees in philosophy. There should be stackable and really recognized credentials, industry-backed and industry-recognized, that anybody can understand what skill sets that credential reflects."

Already there are several certifications that are widely considered to be standard, an alphabet soup that includes CISSP, CompTIA's Security+ and A+, and others. Still more are popping up and becoming more specific, such as credentials in cyber forensics.

In the government, certifications have become a primary HR tool, with the National Institute of Standards and Technology developing a National Cybersecurity Workforce Framework. Credentialing is even a requirement in some cases, such as the Defense Department's Directive 8570, which stipulates training, certification and management for all employees involved in information assurance activities.

"Under DOD 8570, you can't hold a job in cybersecurity unless you have one of these certifications – so DOD is using that in a much more regulatory way than private industry tends to," said Dan Ryan, an attorney who does consulting work for (ISC)2, an information security training and certification group.

Making sense of the sea of certifications is one thing, but what happens after attaining them is another. A one-time credential is only so effective when dealing with the rapidly evolving environment in cybersecurity.

"In any event, none of [the certifications] guarantees real depth or understanding. What they guarantee is somebody has worked in the field for a while and was able to pass the test," Ryan said. "This is a highly technical field, and there needs to be a code of ethics and some enforcement mechanism so those who claim to be practicing this discipline as professionals are held to appropriate standards. And there needs to be some kind of continuing education. If you got your Ph.D. in digital forensics 10 years ago, if you didn't keep up with the literature and conferences, you're way, way out of date in a short period of time."

The idea that IT certifications could take a cue from the medical field is one that is beginning to take root.

"It's much like how doctors stay conversant with various things – continuous education, opportunities to recertify. You have to recert every three years or you lose your edge and the timeliness of the content you're supposedly expert in," Erdle said.

Erdle, Ryan and others noted that with the cybersecurity profession in its nascent stages, the pieces and the partnerships are still coming together.

"It's a dance back and forth a little bit, but it's getting healthier and healthier in terms of taking advantage of academic strengths as well as the IT certification world," Erdle said. "We're collaborating more and more to demystify the landscape."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

Reader comments

Sat, Nov 2, 2013 San Diego CA

I agree with Madwhitehatter. At my last job, folks were good at memorizing brain dumps and going to boot camps to pass the certification tests, but clueless about what was going on... can't even troubleshoot a basic network connectivity issue with a client, but yet you are certified with a high-level IT certification? Something is definitely wrong with that picture! DoD wonders why stuff is happening to their networks; it's because people do not know or were not properly trained. The certification and boot camp providers are making a killing off of the US Gov't workers (civilian and contractors) and will continue till someone gets smart and sees what is going on...

Tue, Oct 29, 2013 madwhitehatter

I'd rather see companies hire people who've been going to hacker conventions for the last decade than someone who did a 40-hour boot camp and got a brain dump. The government will stay behind when they don't have people who know the subject doing the hiring.

Tue, Oct 29, 2013

I don't know who the lobbyist was for the certification industry, but they did a great job of duping the government. The only benefit of certification is for the certification providers! It takes critical finances, time and resources away from defense projects with little to no benefit in return. Experience is by far the premier indicator.
