The cybersecurity skills gap and talent shortage continue to widen year over year as the result of a proverbial square-peg-and-round-hole situation. The peg: prospective cybersecurity practitioners are looking to break into an industry in dire need of skilled and talented individuals. The hole: hiring managers and their human resources counterparts have a near-impossible task in determining which applicants vying for open positions are adequately prepared to fill cybersecurity roles.
Over the last twenty to thirty years, professional certifications exploded in an effort to whittle down the edges on those square pegs. The total number of professional certifications across specialties, experience levels, and different certification bodies now numbers over 100. Here are a few guiding thoughts on how both cybersecurity hopefuls and current employers should be thinking about professional certifications.
Why does everybody disagree on certifications?
In cybersecurity, professional certifications can be particularly polarizing. Some practitioners invest heavily in earning certifications, only hire individuals with certifications, and believe in the intrinsic value of those three- or four-letter credentials. Other professionals, often of similar experience levels and backgrounds, view “certs” as an inaccurate or insufficient way of determining an individual’s knowledge and skills.
My personal belief is that neither of these views is correct. Like everything in life, the value of cybersecurity certifications is real, within reason. Unlike the professional pathways of lawyers, accountants, and physicians, there is no standardized license or exam providing practitioners with a transactional entry point into a career in cybersecurity. Like a chisel and hammer, though somewhat crude, certs are effective when wielded appropriately. Given the lack of another standard, cybersecurity certifications do serve as some indication of an employee-employer match.
Perhaps more helpfully, there is an area where nearly all practitioners seem to agree. Earning professional certifications does show or imply that an applicant takes his or her career seriously, is organized, and is capable of learning new information (even if only temporarily). These traits are often positive indicators of a successful employee in some recognizable capacity.
Exploring cybersecurity certifications’ value
I’m sorry to disappoint you, but there isn’t a perfect, gold-standard certification out there for every practitioner or employer. Certainly, there are the more popular certifications, made in demand by the United States government through DoD Directive 8140 (or previously, 8570). If you want to work in cybersecurity in the government today, or for a related government contractor, look up the requirements, earn certifications, and apply or hire accordingly until the requirements change.
But outside their direct applicability to the DoD, following these prescriptions blindly helps fuel the polarizing reputation of certifications. Many recommended certs are designed to apply across a broad industry, are stretched over several domains, and lack depth in any specific area. When organizations focus only on hiring individuals who have earned these certifications, they overlook individuals who possess differentiating and valuable specialized knowledge and skills.
That said, a subset of industry certifications has been architected to align to specific job roles. Rather than providing a benchmark for generalists, these certifications more closely map to the knowledge, skills, and abilities needed for an individual to be effective in carrying out certain responsibilities.
OSCP – Offensive Security Certified Professional
The OSCP has become a go-to certification for penetration testers and their would-be employers for the past several years, gaining steam gradually over its initial introduction in 2006. This practical certification takes serious dedication in terms of preparation, active training, and completion of a 24-hour examination.
Though the Offensive Security website suggests that the OSCP can be earned after 2-3 months of preparation, anecdotal evidence from my personal experience with other professionals suggests a more realistic timeline of 5-8 months. Individuals who have earned the OSCP have significant “street cred” in a red-team community that is highly critical of inauthenticity. If you’re serious about becoming or hiring a pen tester, this is the certification to pursue.
CCSP – Certified Cloud Security Professional
With more and more businesses migrating to cloud environments, the popular CCSP certification is in increasing demand. (ISC)² is celebrating its 30th anniversary this year, but this certification was only introduced in 2015. Organizations around the world have been scrambling over the last several years to properly secure their data, applications and infrastructure hosted through cloud providers like Amazon AWS and Microsoft Azure.
CRISC – Certified in Risk and Information Systems Control
Targeting professionals responsible for IT risk management or compliance, the CRISC certification prepares individuals to help their organizations understand business risk and implement proper information systems controls. Ask anyone who works in this space: risk managers are a unique breed of individuals, passionate about their responsibilities. If this is a career path that you are seeking or hiring for, the CRISC is a helpful marker of a potential fit.
CySA+ – Cybersecurity Analyst (Plus) Certification
After joining the certification scene in 2017, CompTIA’s CySA+ (Cybersecurity Analyst+) is quickly gaining recognition. With more than 26,000 active job openings in the U.S. for cybersecurity analysts, a professional certification designed specifically for the role makes for a pragmatic pursuit.
Cybersecurity analysts are expected to prevent, detect, respond to, and document cybersecurity threats, and the CySA+ certification is designed to aid them by focusing on applied behavioral analytics within the role. The CySA+ was designed for intermediate information security professionals and could give an applicant the edge over a similarly qualified applicant with a less-targeted certification.
CISM – Certified Information Security Manager
Often compared to the CISSP certification from (ISC)², and somewhat overshadowed by its sibling CISA certification, the CISM certification from ISACA is a hidden gem. CISM stands for Certified Information Security Manager, and the last word is key. For organizations and individuals with their sights set on filling managerial roles in cybersecurity, the CISM is a certification that suggests its holder can think like a leader while still possessing enough technical know-how to be “dangerous.”
While the CISSP is more common and significantly more technical, the managerial perspective needed to master the CISM gives it an edge in more senior leadership roles.
What do employers need to bring to the table?
Much of the certification dilemma mentioned earlier can and should be shouldered by employers. Rather than relying on certifications to define company cyber roles and the skill set needed to execute them effectively, employers need to spend the time and effort to properly understand their cybersecurity workforce, the tasks it is responsible for, and the knowledge, skills, and abilities required to execute those tasks properly.
One way employers can start to understand what makes someone successful in a role is to perform a baseline assessment across their team to determine the strengths and weaknesses of individuals and of the organization as a whole. This provides a nuanced and detailed view of the knowledge and skills needed to succeed in their cybersecurity roles. If employers begin their employee search with a better understanding of the unfilled roles and the skills employees need to succeed in them, it will be much easier to find the applicants who could qualify to fill those roles.
What can employees do to get an edge outside of a cert?
In addition to credible experience, education, and credentials, employers want to meet applicants who possess certain traits. For one, employers want to hire employees who are clearly motivated and passionate about a long-term career in cybersecurity. Next, they want to determine, either objectively or anecdotally, whether the potential employee has strong critical thinking abilities. Lastly, and perhaps most importantly, they want to hire employees with an inherent curiosity and willingness to learn. If you are an individual who can take on new information quickly, and analyze and distill complex topics into simple language, employers will need to find a way to count you among their ranks.