An important weapon in the war on cybercrime is the hundreds of thousands of cybersecurity professionals working day in and day out to protect organizations around the globe. These are the “good guys” and we need to give them as much of an edge as we can against all the cyber baddies out there. Comprehensive and robust tools are critical. So are training and support. But what about certifications—what role do they play in all this? To find out, TTR sat down for a chat with Wesley Simpson, COO of (ISC)2, the nonprofit membership association behind the Certified Information Systems Security Professional (CISSP) and other cybersecurity certifications and programs.
TTR: You hear so much about the cybersecurity skills gap. How real is it?
WS: Unfortunately, our research shows that it’s all too real, both statistically and anecdotally. In fact, 63% of respondents to our recent study indicated they have a shortage of staff dedicated to cybersecurity, and 59% said this shortage represents either an extreme or moderate risk to their organization’s security. Much of this gap is found in APAC where the rapid growth of both regional economies and data privacy legislation is driving the demand for cybersecurity talent, but we’re still seeing it here in North America as well, to the tune of nearly half a million skilled staff needed.
TTR: Which areas are feeling it the most?
WS: (ISC)2 is in an interesting position as we have more than 140,000 members globally that are dispersed across all manner of private industries and public sector organizations. This skills gap is an equal opportunity issue in that there doesn’t seem to be any particular market or industry that is immune to the need for more skilled cyber professionals.
TTR: What’s the impact on organizations?
WS: Their defenses are thinner than they should be, and the cybersecurity staff they do have are overly taxed and being asked to perform many tasks that may not be within the scope of their position. Cybersecurity will always be an “all hands on deck” mission for organizations, but when cybersecurity teams don’t have the right resources, the chances of a security event, large or small, increase quite a bit.
TTR: How can companies attract and retain InfoSec professionals?
WS: We asked this very question in another recent study we commissioned. We wanted to understand how, in the face of this skills gap and hiring conundrum, some companies successfully staff their cybersecurity teams. The feedback showed that it has a lot to do with building a resilient cybersecurity culture. The companies that feel confident they’ve got the talent they need on staff say they have very supportive executive management teams who not only understand the importance of cybersecurity but reinforce its importance with all staff throughout their organizations. Also, the study found that putting some care and effort into crafting accurate job descriptions is helpful in reassuring candidates that the organization understands what it needs and properly scopes individual roles rather than searching for a “unicorn” who is skilled in every single aspect of cybersecurity. Finally, while it’s important to offer a competitive salary and benefits, most job seekers in cybersecurity also highly value training opportunities to progress in their careers. Companies that can demonstrate a strong cybersecurity culture have a better chance of landing the staff that they need.
TTR: What role does certification play in all this?
WS: As our mission is to help our members advance in their careers and inspire a more safe and secure cyber world, one of the key reasons we are in the training, education and certification business is because we understand that attaining and maintaining a certification is usually one of the top factors that hiring managers look for on cybersecurity resumes. Holding a certification like our CISSP, SSCP, or CCSP instantly conveys a number of things, including a common understanding of the language of security, a sense of personal industry and perseverance, and the practical experience needed to be able to pass those tests. In addition, all of our certifications require maintenance and our members take courses and attend trainings every year to stay up to date on the latest cybersecurity techniques and threat vectors.
TTR: As the talent war rages on, can companies realistically require candidates to be certified? Is that a luxury they can afford?
WS: It’s clear that there just aren’t enough certified professionals to go around, so having those letters after your name is certainly helpful when you’re trying to land a new job. But certified professionals alone won’t fill out the workforce and companies should be open to candidates from all different backgrounds. As I said earlier though, providing a path to certification for those who want to progress in their career is something that employers can do to retain their cybersecurity staff. This way, organizations can assess a broad talent pool and hire for any number of tangential skills that will make their team more well-rounded, and then they can offer to subsidize their employees’ path to certification as a benefit. This leads to more certified cybersecurity staff for the organization and lowers the turnover rate.
TTR: Who benefits more from certification: the employer or the employee?
WS: That’s a trick question and the answer is: both! Certification is an excellent investment for a professional to make in their own career, and it makes them a part of a larger community beyond any one employer they may work for. For the employer though, having certified cybersecurity professionals on staff is undoubtedly a benefit to their security readiness and the communication within their cybersecurity team. As a not-for-profit, it’s easy for (ISC)2 to take the stance that by certifying our employees, we may open them up for greater marketability to be recruited. But by doing so, we are giving back to our industry, our profession, and our country by inspiring a safe and secure cyber world.
TTR: How are certifications evolving to keep up with new technologies, threat vectors, business requirements, workforce characteristics, etc.?
WS: This is an excellent question that we get all the time. One of the concerns that hiring managers have from time to time is how old a certification is and how relevant that makes the training. It’s a legitimate question to ask when assessing an individual’s knowledge base. Not all certification bodies are the same, but at (ISC)2 we mandate that our members who hold certifications earn a certain number of Continuing Professional Education (CPE) credits each year. These credits can be earned in a number of ways through programs that keep their skills sharp, including auditing events and webinars, creating new industry knowledge in the form of publishing a paper or giving a presentation, or participating in self-directed learning activities that map back to specific domains. We believe certifications should live and breathe, not just be a snapshot of a particular test or point in time. The professional development and continuous learning of our members is a top priority that we will be expanding immensely in 2019. We want to be the go-to source for professionalizing our members and keeping them relevant, sharp, and current on the latest developments of our profession through high-quality free CPE offerings, so we’ll be rolling out a whole new, updated set of educational courses to accomplish that. Finally, something that we feel is critical at (ISC)2 is that our members agree to a code of ethics, so we require them to sign one. In a field like cybersecurity where our members are in a position of trust with virtually every piece of data they handle and every decision they make, it’s imperative that we uphold the integrity of our profession. So having that certification is another way of demonstrating that you’ve agreed to uphold that high standard.
TTR: Does the value of certification depend on whether you’re a small business or a Fortune 500 enterprise, or whether you’re a for-profit company or a non-profit organization?
WS: The short answer is no. In today’s digital environment, unfortunately every organization is a target for cybercrime. Having certified professionals managing your risk and protecting your data assets is invaluable when you consider the alternative.