There have been a lot of interesting reactions to the Equifax data breach. One of the most interesting for me is the criticism of the Equifax CISO’s lack of technical or cyber security education. She does have Bachelor’s and Master’s degrees in music composition as well as a resume that shows a work history at several companies also in the finance industry. This situation illustrates the challenge we all face in identifying qualified candidates.
It is only recently that Information Security degrees have become available from universities. Most people rely on “certifications” to vet qualified candidates. The Certified Information Systems Security Professional (CISSP), Global Information Assurance Certification (GIAC), Certified in Risk and Information Systems Control (CRISC) and Certified Information Security Manager (CISM) certifications are common in Cyber Security job descriptions. But what is the true value of such certifications?
Certifications are issued by for-profit companies whose business model is to generate revenue by issuing certificates. On the one hand, they need to ensure a minimum “quality” of their certification holders so potential customers value the brand and are willing to pay the certification fees. On the other hand, they are encouraged to sign up as many customers as possible, so the “quality bar” cannot be set too high. Once a certification brand is valued enough, an education industry develops around it to help candidates achieve the certification. You will often see “Boot Camps” that promise to fill your mind with all of the knowledge needed to pass the certification exam in one week. I think we can all agree that one week is insufficient to develop competency in any discipline.
So is there any value to an Information Security certification? Let’s consider three:
- The certification gets you to the short list. Many automated recruiting systems will filter candidates based on pre-defined keywords. Often these keywords include certifications and education. You may have all of the necessary skills to excel at the role and never get an opportunity to interview if you can’t pass the initial screening process.
- A certification is a quick way to fill gaps in an employee’s skill set. There is a lot of benefit in hiring “non-traditional” employees for Cyber Security positions. Someone with in-depth knowledge of the business function, rare technical skills, or a unique blend of technical and “people” skills can be very valuable for cross-functional teams. Certifications provide a structured way for these individuals to learn a common nomenclature and Cyber Security processes and frameworks in a relatively short time.
- Certifications can indicate strengths or passion. The certifications listed above all focus on different priorities. The GIAC is considered a more technical certification, while the CISM is intended for leaders of Cyber Security teams. It is difficult to determine an individual’s career aspirations or skills based solely on former job titles. But someone who has been an Information Security Analyst for the past three roles and has a CRISC certification is probably stronger at governance and risk assessment and less likely to be enthusiastic about a technical role.
Cyber security is still a young and informally defined discipline. Roles and job descriptions are inconsistent, as are the education and certification opportunities. The breadth of skills required in cyber security means that almost any relevant background can be beneficial, and with the shortage of qualified talent, we are forced to be flexible, creative, and willing to develop our staff. Certifications have some value, but you must recognize their relative strengths and shortcomings.
Steve Biswanger is Director of Information Security at Encana Corporation and is the first President of the new CISO Division, CIO Association of Canada. On Twitter at https://twitter.com/itsabouttrust. This is the third of five blogs marking Cyber Security Awareness Month.