Archives for July 21, 2020

The Cybersecurity Status Quo Needs to Change

This is a transcript of the video at the bottom of the post.

In 1997, Apple came out with the commercial Here’s to the Crazy Ones. 20 plus years later, that commercial still resonates with me. Steve Jobs came up with a lot of the material for that commercial based on his life. He always felt like he didn’t quite fit in or was a misfit. He felt like he wanted to challenge the status quo. He also was called crazy a lot for dreaming too big, but instead of trying to follow the status quo or fit in, he embraced his uniqueness and ended up changing the world and having a huge impact. I feel the same way about cybersecurity, because, with cybersecurity, there is a status quo, this movement that we just keep following, but it’s not helping. A lot of people would call me crazy for wanting to challenge the status quo, but the status quo was not working.

And we know this. There’s plenty of evidence of this because of the different data breaches every day. One of the reasons the status quo is not working, or I believe it’s the primary reason, is we’ve overly complicated cybersecurity. Instead of focusing on a few things and doing those few things very well, those few things that will reduce the risk the most, we try to get everyone to do hundreds of things. We can’t do hundreds of things very well, and what happens is we end up doing them all half-assed, really.

I used to work with this guy and I always think of this scenario. I used to work with him and he was working these two projects once, and he was having a little bit of trouble figuring out which one took priority or which one took precedence. So he went and asked his boss, which one of these two projects takes priority? His boss told him they’re both an equal priority. His response was, “Okay. Well, I guess I’ll do both of them half-assed.” It’s the same concept as cybersecurity. If we try to do too many things, we end up doing them half-assed. We should focus on just a few things and do them very well. Most data breaches are caused by a misconfiguration or an unpatched system. These are two simple things to fix, but you can’t focus on those things if you’re focusing on the other 98 items that don’t really matter. It’s time we challenge the cybersecurity status quo. What we’re doing is not working. We need to think different, as Apple would say. Here’s to the crazy ones.

Here’s to the crazy ones, the misfits, the rebels, the troublemakers, the round pegs in the square holes, the ones who see things differently. They’re not fond of rules and they have no respect for the status quo. You can quote them, disagree with them, glorify, or vilify them. About the only thing you can’t do is ignore them because they change things. They push the human race forward. And while some may see them as the crazy ones, we see genius, because the people who are crazy enough to think they can change the world are the ones who do.

Cybersecurity “Professionals” – Reboot Needed

Introduction

The cybersecurity industry is broken. What we have very loosely defined as a cybersecurity “professional” is not cutting it. The organizations that need cybersecurity deserve better.

This article focuses on cybersecurity certifications, yet addresses a larger issue with the overall cybersecurity industry – stringent license requirements, as opposed to certification exams that can be easily “gamed”.

Cybersecurity Certification Trend

I’ve noticed a trend that seems to be getting worse.

The trend is this:

Fewer people seem to care about the cybersecurity profession – they just want to learn what’s on a certification test so they can get “certified” and get a high-paying cushy job where no one holds them accountable.

This trend bothers me in a number of ways:

  1. Cybercriminals are winning. Cybercriminals, at least the good ones, take their trade seriously. Otherwise, they’d get caught more often. Many certified cybersecurity professionals, the “good guys”, are not really professionals anymore – they don’t take their trade seriously. This is the primary reason the cybercriminals are winning.

  2. It’s apparent the “instant gratification” wave is here. Many people don’t want to put in the effort to learn a trade anymore. They just want to study the bare minimum, pass a certification exam, get hired, then fake it at a job as long as possible.

  3. B Players hire C Players. C Players hire D Players. We’ve ended up with an industry filled with C and D players. Certified people that don’t really know what they are doing can’t make proper hiring decisions and, most of the time, let their ego get in the way. Their ego prevents them from hiring someone “smarter” than them; a new hire that actually knows what they are doing might find out that the person that hired them doesn’t know much, and has been faking it.

  4. Inflated salaries. Salaries for people that have a certification (such as the Security+), have no experience, are paper tigers, and couldn’t care less about cybersecurity are grossly inflated. This perpetuates the problem, as the lure of money attracts people, like moths to a flame, to a career field that they have no passion for and, therefore, will not develop skills in.

  5. Cybersecurity certification classes. People that just want to pass the test are not ideal students and are difficult to deal with as a trainer. They constantly ask “is that on the test?” and say things like “why are we learning that, if it’s not on the test?”. I often wonder if certification courses are helping or hurting the industry. Alpine Security’s trainers are awesome and really enjoy helping people that want to learn, pass the exam, and make a difference, but it is demoralizing, draining, and downright frustrating dealing with people that don’t care about cybersecurity and just want to pass an exam.

Who “just wants to pass” the certification exam?

There are two main categories.

  1. People that heard cybersecurity pays well, just want to make money, and don’t care about the industry or profession.
  2. People that are mandated by their employer to have a cybersecurity certification for their job. This could be private or public sector.

Solutions

I can’t point out a challenge without offering some solutions…

Licensing Requirements

Add licensing requirements for cybersecurity professionals. Many cybersecurity professionals protect your health records (PHI), intellectual property, and sensitive personal data (PII – credit card data, date of birth, SSN, etc.). Just about every other industry has federal and state licensing requirements. If a barber needs a license to cut your hair, shouldn’t a cybersecurity professional? A cybersecurity professional protects your identity and medical records and may also be responsible for securing a hospital network and the life-sustaining medical device connected to your grandmother.

Cybersecurity has no license requirements. If I want to become a “Cybersecurity Analyst”, I don’t need a license. I can just start promoting myself as such, study brain dumps or exam crams, pass a few cybersecurity certification tests, become the “expert”, and provide ineffective cybersecurity for my organization.


For comparison’s sake, let’s look at the licensing requirements to become a barber. A barber license is required in all 50 US states to work as a barber. The barber license requirements vary by state, so I’ll just pick one for comparison to a cybersecurity analyst. I’ll go with Arkansas because I grew up there from age 12-18. Here are Arkansas’s Barber License requirements (https://www.barber-license.com/arkansas/):

Step 1. Complete a Barber Education Program

As a candidate for an Arkansas barber license that has not been licensed in other states, you must first complete a formal barber program that is at least 1,500 hours in duration.

Step 2. Apply for an Arkansas Barber Technician Certification

The Board issues barber technician certifications for students who have completed at least 20 full working days of study in an approved school of barbering and at least 20 hours of study in the sterilization of tools and the barber laws of the State of Arkansas.

Step 3. Apply for an Arkansas Barber License and Take the Required Examinations

Once you have completed the required barber program, you must apply for a barber license at least 10 days before the date of the next barber examination. The Board furnishes all applicants with the appropriate forms.

The barber examinations include both a practical demonstration and a written and oral test. You must submit a completed application, along with a certification of your completed barber school hours, before you are eligible to participate in the examination process.

Step 4. Learn About Job Opportunities in Barbering and Keep your Arkansas Barber License Current

Your Arkansas barber license must be renewed every odd-numbered year, before your birth date. There are currently no continuing education requirements for licensed barbers in Arkansas.

So, to sum it up, to be a barber in Arkansas, you need:

  • 1500 hours of training. This is the equivalent of 37.5 forty-hour weeks.
  • 20 FULL working days of study in an approved barber school
  • 20 hours of sterilization training
  • Pass required exams (plural):
    • Practical demonstration
    • Written Test
    • Oral Test

To become a cybersecurity expert in ANY state in the US, you need:

  • This section intentionally left blank…

If licensing requirements are tied to risk, it seems the risk is greater with cybersecurity professionals. I mean I certainly don’t want to get a bad haircut from an unlicensed barber. But, I’ll take the bad haircut any day over an unskilled paper tiger not securing the medical device that is providing life support to my grandmother in the hospital.


Make cybersecurity certifications practical-based

This gets rid of cybersecurity paper tigers. You generally can’t pass a practical unless you know what you are doing. EC-Council is taking this approach with CEH Master. Licensing requirements would fix this too.

Industry leaders need to step up and put purpose before profit

At Alpine Security, we are making an effort to attract our ideal students and repel the others. This is a bit risky, as we are a business and need to generate revenue. I cannot, however, in good conscience support a broken system that hurts the cybersecurity industry and those the industry supports. I’ve thought about pulling Alpine Security out of the cybersecurity certification training business altogether. This only hurts the students and professionals that actually care, though, as I believe we offer outstanding training with trainers that are passionate about cybersecurity.

Downsides of Changing the Status Quo

I know, I know…but, what about the cybersecurity skills shortage…the skills gap we hear about incessantly every day? Won’t licensing requirements, practical exams, etc., make this worse?

Not really.

The “skills gap” primarily exists because cybersecurity is considered “white collar” (an antiquated term), where a college degree (any degree) matters. As if a college degree in political science or history makes a person qualified for a cybersecurity job? Really? I’d rather take someone “blue-collar” that has gone through 1500 hours of focused cybersecurity training, an apprenticeship, and passed a practical, written, and oral exam.

Yeah, but that’s 1500 hours? Isn’t that a lot? True, but a 4-year college degree is more than 1500 hours of time (mostly wasted) and a hell of a lot more money.

As for the skills gap, I’d rather have one person that is a professional, is passionate about what they are doing, and has a license in cybersecurity, than 15-20 people that are paper tigers.

One real tiger can easily take out 15-20 paper ones. I don’t know what the real cybersecurity skills gap number supposedly is, but if we divide it by 15-20, it isn’t that big of a deal.

What we are doing now, the status quo, is not working. It’s time for a change.

Conclusion

I don’t have all the answers, but I think it’s worth opening the dialog and working to address this cybersecurity “professional” challenge, rather than pretending it doesn’t exist. Perhaps cybersecurity licensing requirements are the solution. I am willing to commit some of my time to make this happen. Alpine Security will also be more selective of students. Our goal is to help the industry and our clients, not contribute to the problems in our industry.

Here’s a simple list we developed to attract the right students and repel the rest for Alpine Security’s cybersecurity training:

Not a good fit for Alpine Security’s training:

  • Think of what you do for work as a job, rather than a career
  • Have a fixed-mindset
  • Make decisions based on your ego, rather than what is right and adds value
  • Are lazy and value short-cuts

Good fit for Alpine Security’s training:

  • Believe in a career, not a job
  • Have a growth-mindset
  • Want to make a positive difference
  • Willing to put in the time to learn a trade and become a true professional
