Certification: check. Now what?


There has been a lot of buzz lately about the cybersecurity workforce: its significant gaps, its myriad opportunities, and the lack of clarity about how to bridge the two.

One critical problem is the absence of an agreed-upon barometer for experience and expertise, which makes it difficult for managers to determine the best hire and for job seekers to determine whether a job is the right fit. In recent months and years, programs have been cropping up to address this issue, including school outreach, university degree programs and a slew of certifications.

In an era when a bachelor's degree is the barest of minimums for getting into the cybersecurity field, IT certifications have emerged as the new standard. But it's a new and still-wobbly standard.

"There is some concern in the plethora of credentials and people trying to navigate the field – which ones reflect the right level of credibility and functional knowledge?" said Terry Erdle, executive vice president of CompTIA Certifications. "Certifications don't reflect a full depth, but neither does a computer science degree reflect two other degrees in philosophy. There should be stackable and really recognized credentials, industry-backed and industry-recognized, that anybody can understand what skill sets that credential reflects."

Already there are several certifications that are widely considered to be standard, an alphabet soup that includes (ISC)2's CISSP, CompTIA's Security+ and A+, and others. Still more are popping up and becoming more specific, such as credentials in cyber forensics.

In the government, certifications have become a primary HR tool, with the National Institute of Standards and Technology developing a National Cybersecurity Workforce Framework. Credentialing is even a requirement in some cases, such as the Defense Department's Directive 8570, which stipulates training, certification and management requirements for all employees involved in information assurance activities.

"Under DOD 8570, you can't hold a job in cybersecurity unless you have one of these certifications – so DOD is using that in a much more regulatory way than private industry tends to," said Dan Ryan, an attorney who does consulting work for (ISC)2, an information security training and certification group.

Making sense of the sea of certifications is one thing, but what happens after attaining them is another. A one-time credential is only so useful in a field that evolves as rapidly as cybersecurity does.

"In any event, none of [the certifications] guarantees real depth or understanding. What they guarantee is somebody has worked in the field for a while and was able to pass the test," Ryan said. "This is a highly technical field, and there needs to be a code of ethics and some enforcement mechanism so those who claim to be practicing this discipline as professionals are held to appropriate standards. And there needs to be some kind of continuing education. If you got your Ph.D. in digital forensics 10 years ago, if you didn't keep up with the literature and conferences, you're way, way out of date in a short period of time."

The idea that IT certifications could take a cue from the medical field is one that is beginning to take root.

"It's much like how doctors stay conversant with various things – continuous education, opportunities to recertify. You have to recert every three years or you lose your edge and the timeliness of the content you're supposedly expert in," Erdle said.

Erdle, Ryan and others noted that with the cybersecurity profession in its nascent stages, the pieces and the partnerships are still coming together.

"It's a dance back and forth a little bit, but it's getting healthier and healthier in terms of taking advantage of academic strengths as well as the IT certification world," Erdle said. "We're collaborating more and more to demystify the landscape."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.


Reader comments

Sat, Nov 2, 2013 San Diego CA

I agree with Madwhitehatter. At my last job, folks were good at memorizing brain dumps/going to boot camps to pass the certification tests, but clueless about what was going on... can't even troubleshoot a basic network connectivity issue with a client, but yet you are certified with a high-level IT certification? Something is definitely wrong with that picture! DoD wonders why stuff is happening to their networks, because people do not know or were not properly trained. The certification and boot camp providers are making a killing off of the U.S. gov't workers (civilian and contractors) and will continue till someone gets smart and sees what is going on...

Tue, Oct 29, 2013 madwhitehatter

I'd rather see companies hire people who've been going to hacker conventions for the last decade than someone who did a 40-hour boot camp and got a brain dump. The government will stay behind when they don't have people who know the subject doing the hiring.

Tue, Oct 29, 2013

I don't know who the lobbyist was for the certification industry, but they did a great job of duping the government. The only benefit of certification is for the certification providers! It takes critical finances, time and resources away from defense projects with little to no benefit in return. Experience is by far the premier indicator....
