The Future of Cybersecurity Certifications Crossroad

The Future of Cybersecurity Certifications Crossroad

Security practitioners are increasingly conflicted about the role that certifications play in their career development. Phil Muncaster finds out why

If you enjoy spending time down the internet rabbit hole that is a Twitter debate, you may have seen an interesting recent thread. In it, a cybersecurity professional asks the online void whether anyone is still using certifications. After two decades of maintaining his own certs, the professional argues that continuing professional education (CPE) credits are becoming increasingly diluted, with the certifications themselves offering diminished value. It is difficult to find anyone in the succeeding – and lengthy – thread that disagrees.

Yet certifications are still hugely popular. They promise a higher salary, and many employers require said certifications for industry roles. The question is whether they can stay relevant in an industry characterized by rapid technological advances and a volatile and dynamic threat landscape.

A Brief History of Certs

Information security certificates have a long history. For as long as there have been complex IT products on the market, vendors have run accreditation courses for practitioners to prove their competence in using them. In the late 1980s, the need for a more generalist vendor-neutral certification program emerged, and the non-profit International Information Systems Security Certification Consortium (ISC)² was born. Over 152,000 practitioners worldwide now hold its Certified Information Systems Security Professional (CISSP) certification.

To keep such accreditations current and encourage participation, bodies like (ISC)² and professional association ISACA require holders to earn CPEs. Ways of earning CPEs include attending webinars and events (including Infosecurity Magazine webinars and online summits) and completing training courses. Data from (ISC)² claims that 72% of professionals are required by their employer to earn certifications and that those holding them earn an average salary of $91,700 in the US versus $58,800 without. Certificates remain the third most sought-after employee attribute for recruiters after problem-solving and curiosity, it claims.

Shrinking the Talent Pool

However, many practitioners are becoming disillusioned by industry certifications. While they may be useful for young professionals early in their careers, many argue that such qualifications have not aged well, offering limited value for those later in their careers.

Ed Tucker, senior director of cybersecurity at The Workshop, claims that certs have actually become a barrier to entry for many at a time of acute industry skills shortages.

“By its very nature, this narrows our potential talent pool, but also means we create something of an echo chamber, where people begin with an ingrained security prejudice, rather than a fresh and inquisitive mindset that looks at problems for what they are,” he tells Infosecurity. “Why are we still recruiting based on whether someone passed a test rather than who they are and the natural skills they bring?”

He argues that certifications may also be hitting the industry’s efforts to diversify.

“They narrow our pool of talent when what we need is the biggest possible net,” he continues. “How can we expect someone from a different socio-economic background to have attained certs without significant support? Frankly, why the hell would we want them to?”

Socura CEO, Andy Kays, says his firm doesn’t screen candidates by their certifications but rather their aptitude, experience and attitude.

“Not all certifications are created equal, and it’s not always clear which certs are truly valuable, especially when there is the potential for them to have been obtained illegitimately,” he tells Infosecurity. “It’s like writing. An English or journalism degree will infer to an editor that someone possesses strong writing skills and the kind of knowledge required to do the job. However, it is no guarantee. Likewise, many of the best writers have no formal qualifications, nor should they be required to attain them.”

A Useful Tool

Perhaps unsurprisingly, the member associations and accreditation bodies Infosecurity spoke to firmly defend their certifications as a useful tool for employers to judge candidates. (ISC)² chief qualifications officer, Casey Marks, argues that they level the playing field for candidates.

“Not every aspiring professional can obtain a university degree or knows ‘the right people’ to get an internship or apprenticeship to secure a cybersecurity career. Certifications are a cost-effective, targeted and efficient mechanism to assist in the demonstration of competence for employment,” he tells Infosecurity. “They are the only mechanism with an independently accredited process that allows individuals to publicly demonstrate a commitment to continued competence within the field.”

Rowland Johnson, president of certification body CREST, says certs can also bring clarity to proceedings in an industry where there is an “asymmetry of language between buyers and sellers,” although he acknowledges that they should not be used in isolation.

“People are able to build and develop skills through training and on-the-job experience, which should be actively encouraged and applauded as an essential ingredient for the sector. However, in an industry clamoring to define job definitions as well as skills and competency frameworks, cybersecurity certifications provide the only tangible measurement of capability,” he tells Infosecurity. 

“Despite their ability to demonstrate an individual’s knowledge and skills, infosec certs are not a silver bullet. They provide an indicator, along with many other pointers, and should rarely be used as an exclusive measurement of competency.”

A Money Making Machine?

For Trend Micro VP of security research, Rik Ferguson, it is the industry that has grown up around certifications over the years that’s the problem, rather than certs per se.

“A whole acronym industry has emerged that competes to put letters after your name. The ones I was obliged to continue to pay for I let lapse because I felt I wasn’t getting anything in return from the certifying bodies year after year. It began to feel like a mechanism for milking me and thousands of other people,” he argues.

“I’ve direct experience of trying to hire people in tech support roles who were certified up to their eyeballs and on paper were incredible. However, they’d never done a day’s support work in their lives and didn’t have the skills required to do the job because these skills were not the same as the knowledge required to pass the exam.”

HP Inc CISO, Joanna Burkey, has also seen the industry change over the years. While she maintains they can serve a real purpose, there are drawbacks. Read more:

You can also read this: Panchan: A New Golang-based Peer-To-Peer Botnet Targeting Linux Servers

Leave a Reply

Your email address will not be published.