In this interview, Tony Vizza, Director of Cybersecurity Advocacy APAC, (ISC)2, talks about the benefits of earning a cybersecurity certification, the most common misconceptions related to getting certified, the cybersecurity skills shortage, and much more.
Generally, what are the essential benefits of earning a cybersecurity certification? Does it create a competitive advantage?
The benefits of a professional certification are multi-faceted, particularly in the cybersecurity space, where verified skills and capability are in such high demand, and where capability needs more than just work experience to ensure you are fully educated and able to address the latest technologies, threats and challenges.
First and foremost, holding a certification demonstrates your depth of cybersecurity knowledge and expertise – or your specialisations within cybersecurity, depending on the certification you hold – alongside your demonstrated and paid work experience in the field. It also provides a benchmark for your skills and capabilities.
Certifications create an advantage for the holder, elevating your status within the industry and with it, your employability. This is because your knowledge and experience can be independently validated with the certification body by virtue of that certification. This means that an organisation that is seeking to hire a cybersecurity professional can hire a certified cybersecurity professional with the full confidence of knowing the person is skilled, experienced and will perform their tasks ethically. It also means your skillset can be verified and recognised globally, rather than being country-specific.
In addition, a certification also attests to your character. As a certified professional, you not only meet a high capability standard, you also commit to upholding a code of ethics, with your path to certification also requiring that an existing credential holder can attest to your good character.
What does a standard certification process entail? What are some of the most common misconceptions?
One of the biggest misconceptions we come across is that a certification is just the by-product of an exam. The reality is that a cybersecurity certification is so much more than passing an exam. The test is just a small part of a much bigger picture.
A certification requires that you have a number of specific attributes in order to meet the minimum criteria to attain certification. These include demonstrating a minimum number of years of paid work experience in the field you are pursuing a certification in, adhering to a code of ethics, along with having a sponsor to vouch for your character, capability and career experience. And there is the matter of passing a vigorous and comprehensive exam – and by passing, it’s far higher than 50%. It’s a score of 700 out of 1,000.
On top of this, there is the requirement to maintain the certification. This means completing a minimum number of continuing professional education (CPE) credits to demonstrate that you are invested in keeping up-to-date with the latest developments in cybersecurity. Continuous education is critical as cybersecurity is changing by the hour – so there is little value in any certification that doesn’t have a requirement for continuing learning beyond an exam pass. It ensures that you stay sharp, informed and relevant.
How has the CISSP certification evolved in the past few years? How many have obtained it worldwide?
The CISSP is considered the gold standard of cybersecurity certifications, and for good reason. While the structure of the certification and much of the theoretical components of the CISSP have held firm over the years, as cybersecurity has evolved, so too have many of the elements of the certification. The Common Body of Knowledge (CBK) for the CISSP, which constitutes all of the material that is assessable during the exam, is constantly updated to reflect the ever-changing nature of cybersecurity.
While the CISSP originated in the US, its relevance to the global industry, the depth and breadth of the certification itself, along with the prestige it holds in the eyes of employers seeking to employ skilled and experienced professionals has seen numbers grow exponentially around the world. There are more than 136,000 CISSP holders globally, with over 90,000 in North America, 23,000 in EMEA and nearly 18,000 across the Asia-Pacific region. Many government entities around the world mandate the CISSP as a benchmark that a potential public sector employee needs to hold to be successfully employed, or as a requirement to undertake government cybersecurity certification.
Which information security certifications do you see gaining popularity this year?
The CISSP will continue to be regarded as the gold standard in cybersecurity certification for senior cyber professionals. In terms of certifications gaining popularity, the SSCP is growing exponentially with IT-based professionals who are seeking to further their careers in cybersecurity.
The CCSP has been growing rapidly for a number of years now, given the ever-increasing reliance on cloud-based technologies by organisations. As such, the security of those resources is critical and has seen non-cyber cloud certifications grow in equal importance to those organisations. Another certification that is growing steadily is the CSSLP, which is a certification that DevOps and app developers are increasingly seeing the value of to ensure their code is secure.
Finally, with the recent updates to the HCISPP certification that ensure that it now reflects the global nature of personal data in the medical and healthcare sectors, it’s a certification that is essential to any cybersecurity professional working in the healthcare industry.
What type of certification should employers be on the lookout for?
There is no one-size-fits-all approach; it depends on the nature of the organisation. As a minimum, all IT staff who manage some aspects of an organisation’s cybersecurity would be well served to attain SSCP certification.
For cybersecurity managers and staff for whom the main task is to manage an organisation’s cybersecurity, the CISSP is arguably the most valuable to possess. For organisations with sizeable cloud deployments, individuals with the CCSP certification will be hugely beneficial to have on their teams. For organisations working in DevOps, app development, fintech, IoT and smart cities, having a CSSLP on the team will help to ensure that the software is developed in accordance with best practice secure coding principles.
Can security certification help with the cybersecurity skills shortage?
Absolutely they can. Skilling and certification are critical to addressing the industry skills shortage. It is important for all entrants into the cybersecurity field to realise that they do need to grasp the fundamentals of cybersecurity early on, and this is provided in the certification CBKs that are assessable in the examinations.
Candidates also need hands-on work experience in the field in order to learn from those experiences and apply the fundamentals they have learned in practice. For those who want to demonstrate a commitment to a career in cybersecurity, grasp the fundamentals and are working toward full certification, the Associate program from (ISC)2 is an advantageous option. Associates “convert” to full credential holders upon meeting the necessary work experience for that certification. It’s a great option for those who want to pursue a certification and a career in cybersecurity now, allowing them to demonstrate their commitment, interest and work ethic.
Ultimately, a good competitive advantage in the workforce comes from being skilled and accredited in areas where there is a skills shortage. The 2018 (ISC)2 Cyber Workforce Study showed a shortfall of 2.93 million professionals globally. Clearly, having skills, experience and certification in cybersecurity goes a long way to possessing a compelling competitive advantage.