Workforce

Certification: check. Now what?

There has been a lot of buzz lately about the cybersecurity workforce: its significant gaps and myriad opportunities, and the lack of clarity in how to bridge the two.

One critical problem is the absence of an agreed-upon barometer for experience and expertise, which makes it difficult for managers to determine the best hire and for job-searchers to determine if a job is the right fit. In recent months and years, programs have been cropping up to address this issue, including school outreach, university degree programs and a slew of certifications.

In an era when a bachelor's degree is the barest of minimums for getting into the cybersecurity field, IT certifications have emerged as the new standard. But it's a new and still-wobbly standard.

"There is some concern in the plethora of credentials and people trying to navigate the field – which ones reflect the right level of credibility and functional knowledge?" said Terry Erdle, executive vice president of CompTIA Certifications. "Certifications don't reflect a full depth, but neither does a computer science degree reflect two other degrees in philosophy. There should be stackable and really recognized credentials, industry-backed and industry-recognized, that anybody can understand what skill sets that credential reflects."

Already there are several certifications that are widely considered to be standard, an alphabet soup that includes CISSP, CompTIA, Security+, A+ and others. Still more are popping up and becoming more specific, such as credentials in cyber forensics.

In the government, certifications have become a primary HR tool, with the National Institute of Standards and Technology developing a National Cybersecurity Workforce Framework. Credentialing is even a requirement in some cases, such as the Defense Department's Directive 8570, which stipulates training, certification and management for all employees involved in information assurance activities.

"Under DOD 8570, you can't hold a job in cybersecurity unless you have one of these certifications – so DOD is using that in a much more regulatory way than private industry tends to," said Dan Ryan, an attorney who does consulting work for (ISC)2, an information security training and certification group.

Making sense of the sea of certifications is one thing, but what happens after attaining them is another. A one-time credential is only so effective when dealing with the rapidly evolving environment in cybersecurity.

"In any event, none of [the certifications] guarantees real depth or understanding. What they guarantee is somebody has worked in the field for a while and was able to pass the test," Ryan said. "This is a highly technical field, and there needs to be a code of ethics and some enforcement mechanism so those who claim to be practicing this discipline as professionals are held to appropriate standards. And there needs to be some kind of continuing education. If you got your Ph.D. in digital forensics 10 years ago, if you didn't keep up with the literature and conferences, you're way, way out of date in a short period of time."

The idea that IT certifications could take a cue from the medical field is one that is beginning to take root.

"It's much like how doctors stay conversant with various things – continuous education, opportunities to recertify. You have to recert every three years or you lose your edge and the timeliness of the content you're supposedly expert in," Erdle said.

Erdle, Ryan and others noted that with the cybersecurity profession in its nascent stages, the pieces and the partnerships are still coming together.

"It's a dance back and forth a little bit, but it's getting healthier and healthier in terms of taking advantage of academic strengths as well as the IT certification world," Erdle said. "We're collaborating more and more to demystify the landscape."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.
