
christian espinosa

Cybersecurity “Professionals” – Reboot Needed


Introduction

The cybersecurity industry is broken. What we have very loosely defined as a cybersecurity “professional” is not cutting it. The organizations that need cybersecurity deserve better.

This article focuses on cybersecurity certifications, yet addresses a larger issue with the overall cybersecurity industry – stringent license requirements, as opposed to certification exams that can be easily “gamed”.

Cybersecurity Certification Trend

I’ve noticed a trend that seems to be getting worse.

The trend is this:

Fewer people seem to care about the cybersecurity profession – they just want to learn what’s on a certification test so they can get “certified” and get a high-paying cushy job where no one holds them accountable.

This trend bothers me in a number of ways:

  1. Cybercriminals are winning. Cybercriminals, at least the good ones, take their trade seriously. Otherwise, they’d get caught more often. Many certified cybersecurity professionals, the “good guys”, are not really professionals anymore – they don’t take their trade seriously. This is the primary reason the cybercriminals are winning.

  2. It’s apparent the “instant gratification” wave is here. Many people don’t want to put in the effort to learn a trade anymore. They just want to study the bare minimum, pass a certification exam, get hired, then fake it at a job as long as possible.

  3. B Players hire C Players. C Players hire D Players. We’ve ended up with an industry filled with C and D players. Certified people that don’t really know what they are doing can’t make proper hiring decisions and, most of the time, let their ego get in the way. Their ego prevents them from hiring someone “smarter” than them; a new hire that actually knows what they are doing might find out that the person that hired them doesn’t know much, and has been faking it.

  4. Inflated salaries. Salaries for people that have a certification (such as the Security+), have no experience, are paper tigers, and couldn’t care less about cybersecurity are grossly inflated. This perpetuates the problem, as the lure of money attracts people, like moths to a flame, to a career field that they have no passion for and, therefore, will not develop skill in.

  5. Cybersecurity certification classes. People that just want to pass the test are not ideal students and are difficult to deal with as a trainer. They constantly ask “is that on the test?” and say things like “why are we learning that, if it’s not on the test?”. I often wonder if certification courses are helping or hurting the industry. Alpine Security’s trainers are awesome and really enjoy helping people that want to learn, pass the exam, and make a difference, but it is demoralizing, draining, and downright frustrating to deal with people that don’t care about cybersecurity and just want to pass an exam.

Who “just wants to pass” the certification exam?

There are two main categories.

  1. People that heard cybersecurity pays well, just want to make money, and don’t care about the industry or profession.
  2. People that are mandated by their employer to have a cybersecurity certification for their job. This could be private or public sector.

Solutions

I can’t point out a challenge, without offering some solutions…

Licensing Requirements

Add licensing requirements for cybersecurity professionals. Many cybersecurity professionals protect your health records (PHI), intellectual property, and sensitive data (PII – credit card data, date of birth, SSN, etc.). Just about every other industry has federal and state licensing requirements. If a barber needs a license to cut your hair, shouldn’t a cybersecurity professional? A cybersecurity professional protects your identity and medical records and may also be responsible for securing a hospital network and the life-sustaining medical device connected to your grandmother.

Cybersecurity has no license requirements. If I want to become a “Cybersecurity Analyst”, I don’t need a license. I can just start promoting myself as such, study brain dumps or exam crams, pass a few cybersecurity certification tests, become the “expert”, and provide ineffective cybersecurity for my organization.


For comparison’s sake, let’s look at the licensing requirements to become a barber. A barber license is required in all 50 US states to work as a barber. The barber license requirements vary by state, so I’ll just pick one for comparison to a cybersecurity analyst. I’ll go with Arkansas because I grew up there from age 12-18. Here are Arkansas’s Barber License requirements (https://www.barber-license.com/arkansas/):

Step 1. Complete a Barber Education Program

As a candidate for an Arkansas barber license that has not been licensed in other states, you must first complete a formal barber program that is at least 1,500 hours in duration.

Step 2. Apply for an Arkansas Barber Technician Certification

The Board issues barber technician certifications for students who have completed at least 20 full working days of study in an approved school of barbering and at least 20 hours of study in the sterilization of tools and the barber laws of the State of Arkansas.

Step 3. Apply for an Arkansas Barber License and Take the Required Examinations

Once you have completed the required barber program, you must apply for a barber license at least 10 days before the date of the next barber examination. The Board furnishes all applicants with the appropriate forms.

The barber examinations include both a practical demonstration and a written and oral test. You must submit a completed application, along with a certification of your completed barber school hours, before you are eligible to participate in the examination process.

Step 4. Learn About Job Opportunities in Barbering and Keep your Arkansas Barber License Current

Your Arkansas barber license must be renewed every odd-numbered year, before your birth date. There are currently no continuing education requirements for licensed barbers in Arkansas.

So, to sum it up, to be a barber in Arkansas, you need:

  • 1500 hours of training. This is the equivalent of 37.5 forty-hour weeks.
  • 20 FULL working days of study in an approved barber school
  • 20 hours of sterilization training
  • Pass required exams (plural):
    • Practical demonstration
    • Written Test
    • Oral Test

To become a cybersecurity expert in ANY state in the US, you need:

  • This section intentionally left blank…

If licensing requirements are tied to risk, it seems the risk is greater with cybersecurity professionals. I mean I certainly don’t want to get a bad haircut from an unlicensed barber. But, I’ll take the bad haircut any day over an unskilled paper tiger not securing the medical device that is providing life support to my grandmother in the hospital.


Make cybersecurity certifications practical-based

This gets rid of cybersecurity paper tigers. You generally can’t pass a practical unless you know what you are doing. EC-Council is taking this approach with CEH Master. Licensing requirements would fix this too.

Industry leaders need to step up and put purpose before profit

At Alpine Security, we are making an effort to attract our ideal students and repel the others. This is a bit risky, as we are a business and need to generate revenue. I cannot, however, in good conscience support a broken system that hurts the cybersecurity industry and those the industry supports. I’ve thought about pulling Alpine Security out of the cybersecurity certification training business altogether. This only hurts the students and professionals that actually care though, as I believe we offer outstanding training with trainers that are passionate about cybersecurity.

Downsides of Changing the Status Quo

I know, I know…but, what about the cybersecurity skills shortage…the skills gap we hear about incessantly every day? Won’t licensing requirements, practical exams, etc., make this worse?

Not really.

The “skills gap” primarily exists because cybersecurity is considered “white collar” (an antiquated term), where a college degree (any degree) matters. As if a college degree in political science or history makes a person qualified for a cybersecurity job? Really? I’d rather take someone “blue-collar” that has gone through 1500 hours of focused cybersecurity training, an apprenticeship, and passed a practical, written, and oral exam.

Yeah, but that’s 1500 hours? Isn’t that a lot? True, but a 4-year college degree is more than 1500 hours of time (mostly wasted) and a hell of a lot more money.

As for the skills gap, I’d rather have one person that is a professional, is passionate about what they are doing, and has a license in cybersecurity, than 15-20 people that are paper tigers.

One real tiger can easily take out 15-20 paper ones. I don’t know what the real cybersecurity skills gap number supposedly is, but if we divide it by 15-20, it isn’t that big of a deal.

What we are doing now, the status quo, is not working. It’s time for a change.

Conclusion

I don’t have all the answers, but I think it’s worth opening the dialog and working to address this cybersecurity “professional” challenge, rather than pretending it doesn’t exist. Perhaps cybersecurity licensing requirements are the solution. I am willing to commit some of my time to make this happen. Alpine Security will also be more selective of students. Our goal is to help the industry and our clients, not contribute to the problems in our industry.

Here’s a simple list we developed to attract the right students and repel the rest for Alpine Security’s cybersecurity training:

Not a good fit for Alpine Security’s training:

  • Think of what you do for work as a job, rather than a career
  • Have a fixed mindset
  • Make decisions based on your ego, rather than what is right and adds value
  • Are lazy and value short-cuts

Good fit for Alpine Security’s training:

  • Believe in a career, not a job
  • Have a growth mindset
  • Want to make a positive difference
  • Willing to put in the time to learn a trade and become a true professional

Check out Alpine Security’s Training Schedule.

Are You Caught in the Success Trap?

This post is a transcript of the video at the end of this post.

I was at a Tony Robbins event, maybe five or six years ago, where Tony said, “Success without fulfillment is the ultimate failure.” A lot of us fall into this thing that I call the success trap. This means we’ve achieved success, at least according to how society defines success, but we’re unfulfilled and we feel trapped. I think a lot of us fall into this area. This means you may have a job you don’t particularly like, but you’ve been doing it for 10 or maybe 15 years. So you feel vested or invested in this career. And you’ve built up a decent pay structure over these 10 or 15 years. Then you’ve bought a house that you are barely able to afford. Or maybe as you got a new pay raise or promotion, you bought a bigger house. You have a nice car. You have a nice family.

This video excerpt from Up in the Air, says it well:

So you look very successful from the outside, but inside you’re empty and unfulfilled and you feel trapped. The longer in this success trap, as I mentioned, the harder it is to get out. And that’s primarily due to people’s mindset. The idea that keeps you in this trap is if I’ve been at this career for 10 or 15 years, I’ve invested this amount of time in that career. So if I switched careers to do something that I really want to do, you’re going to have to take a step backward, is how a lot of people perceive it, rather than taking a different step. It’s worth asking yourself, “Is a little bit of discomfort to switch careers or to make less money worth your sanity?”

And a lot of people, if they’re in this trap too long, they get out of it. But often not in a pretty way. Some people have a midlife crisis where they just have had enough of the trap and they no longer want to be a lawyer, for instance. They’re going to now become a skydiving instructor or whatever. Some people get addicted to drugs and alcohol or sex, or they have some addictive behavior that’s typically tied to being in that success trap. Some people will actually go as far as killing themselves.

Robin Williams is an example of this. He was very successful, but he wasn’t fulfilled. Kurt Cobain, many celebrities, they have this happen to them. They’re very successful, but they’re not fulfilled. It’s important that what you’re doing with the majority of your time every day aligns with who you are and where you want to go. And it’s never too late to get out of that trap. The sooner you can get out of the success trap and live a life of fulfillment, the better because you will be more centered and your achievements will be in alignment with who you are.

I realize it takes courage. There’s going to be some risk involved to get out of the success trap. But I feel it’s extremely important, especially for people’s mental health. One of the biggest shifts that will benefit you is to shift your mindset. Just because your friends or your family think you’re successful, if you don’t feel fulfilled and you want to do something else, who gives a shit what they think about it? It’s your life. You’re the only one that can tell if you’re fulfilled. They can’t.

And I know there’s a lot of peer pressure about playing it safe and having a stable job. But if you’re miserable, what is it really costing you? You’ll be much happier, probably having a job, making less money, maybe even living in a smaller house, maybe driving a less expensive car, if you’re living something more in alignment with your purpose.

I’ve talked to many people over my career. Many people I’ve met at events, many people that I’ve known that have had this high-paying job. They’ve had all these nice things; they look successful. But then they did decide to take a step in a different direction. They let all these things go. They have fewer things over here. But they’re much happier because they’re living a life that’s intentional and is in alignment with what they feel is their purpose, rather than what society feels or defines as success. So I encourage you to get out of the success trap. The sooner you can get out of it, the better.

I hope you found value in this video. If you are currently in the success trap or you’ve made it out of the success trap, please tell us a little bit about your story in the comments for this video. Have a great day.

The Hero’s 2 Journeys – Achievement & Transformation

This blog post is a transcript from the video at the bottom of the post.

Pretty much for any endeavor or goal we try to achieve in life, there are two journeys we’re on. I first heard of these two journeys, I think, from this book called The Hero’s 2 Journeys. It’s also a course by Michael Hauge and Chris Vogler. But these two journeys are critical to storytelling, but they’re true to life as well. And that’s why with storytelling, they help so much, because people want a story that relates to real life. The two journeys are the outer journey and the inner journey. So if you’re pursuing something and it’s a massive goal, from the outside, people can see the steps you’re taking. They can see the things that didn’t work. They can see your journey towards that goal. So if this is a cybersecurity certification, they can see the studying you’re putting in, the videos you’re watching, the bootcamp you take. They can see all the activities. So that’s one of those hero’s journeys, and it doesn’t have to be a hero’s journey, it is just called the hero’s journey.

The second one, which is more important, is the inner journey. So the first one I described as the outer journey, the one everyone can see as you’re moving towards some goal or achievement. The inner journey though is what’s really important. That’s the transformation you make along the way. So how you change internally, how your belief system changes, how your identity changes, et cetera, et cetera. Because in order to achieve your goal, if it’s a big goal, you may have to change internally to become a different person capable of achieving that goal. So that’s the second journey, and that’s the transformation. So really, if you want to think about the two journeys, there’s the journey of achievement, which is external, and there’s the journey of transformation, which is internal. And for any good story, we need these two elements.

Because I think a lot about how this applies to life, for life, when you pursue something, people can see if you achieve it or not. But really what happens if you’re pursuing a new career, a new certification, a college degree, the most important part, and I think people lose focus of this sometimes, is the transformation of you through that process. Because often to achieve a higher goal, or if you set a higher standard for yourself, through that process, you become a better person or you develop different capabilities, or you change your belief system to support this new thing you’re trying to obtain. And sometimes through this journey, you may realize that this thing you’re trying to obtain, this achievement or goal, isn’t actually that important anymore. Because through this process, you’ve grown and figured out what really matters to you. That’s the transformation. I urge you if you’re pursuing a goal, to think not only about what you’re trying to achieve, but think about the journey you’re on, and how this changes you as a person.

 

How The Confidence Competence Loop Can Benefit You

This blog post is a transcription from the video at the bottom of the post.

What is the confidence/competence loop? I’m Christian Espinosa with Alpine Security, and that’s the topic of this video, competence, confidence, and the loop that ties those two together. So confidence is our belief we can do something. Competence is the ability we can do something. The confidence/competence loop means if we believe we can do something, we’ll actually take action to do it, which increases our competence, which then increases our confidence, which allows us to take more action.

So it’s sort of like the chicken and egg scenario because, without the initial confidence, we’re not likely to take a step to gain the competence. Without the confidence, we sort of step back in fear and we’re afraid we are not going to be competent. So we don’t take the action that’s required to become competent. That’s where the confidence/competence loop comes into play. The hardest part for most people is getting up over that initial fear.

Initially, when we start some sort of endeavor like the Security+ certification or anything in life that’s a challenge, we don’t have the confidence yet. So we have to get over the fear or put the fear aside and take the first step or the first action to build some competence, which will then increase our confidence. Once we get this cycle going, that will propel us forward to achieve the objective.

I’m really curious about your experience with the confidence/competence loop. Please note your experience if you’d like as a comment to this video. Also, please subscribe to our channel. You can click on the little bell as well to get notified when we have cool videos come out, actually notifies you when we have any video come out. So you can decide if they’re cool or not, but you’ll get notified when a new video comes out. Thanks for watching, and I hope this video helps you take that first step to become competent and then confident and spiral forward to achieve your goals.

FOMO vs JOMO

This post is a transcript from the video at the end of this post.

FOMO is the fear of missing out. JOMO is the joy of missing out.

Many of us focus on FOMO, which is basically trying to keep up with the Joneses. We see if somebody else is going on a vacation, if they’re buying a new house, buying a new car, getting a new job, going to a specific event, we feel like we’re missing out if we’re not doing the same thing, but the reality is you’re chasing somebody else’s desires rather than your own.

For me, I focus on JOMO, which is the joy of missing out. I really don’t care what other people are doing. If people are going on a vacation somewhere or they’re living this great lifestyle on social media, that’s great. I’m happy for them, but it doesn’t mean I should feel anxious about it or have anxiety because I do the things I want to do, which I need to focus on. And, if I focus on what everybody else is doing and have this fear that I’m missing out, it’s going to detract from me accomplishing the things that I want to accomplish and live into my full potential.

If you are looking at social media and you have FOMO, the fear of missing out, and you constantly live in a state of anxiety because you may not be living up to the Joneses or “keeping up with the Joneses” as they say, I recommend you consider JOMO and maybe get some joy in missing out. I don’t really care what other people are doing. I don’t care about the news. I don’t care about people going on vacation somewhere. I mean, I like it and I’m glad people are happy, but I don’t feel like I’m missing out just because somebody else is in Hawaii or Acapulco or wherever. I don’t feel jealous or “jelly” as they say, because I’m doing my own things. If you constantly feel jealous about somebody else and what they’re doing, because you have FOMO, it’s not really serving any purpose. It’s really just making you depressed and making you hold back on what you’re capable of. So, embrace JOMO instead of FOMO.

 

How to Get More Time in Your Day Without Waking Up Earlier

This blog post is a transcription from the video at the bottom of the post.

How to get more time in your day without waking up earlier. In this post, we’ll cover three tips to make you more productive, to give you back more time in your day without having to cut into your sleep. I’m Christian Espinosa. I’m the CEO of a company. I do Ironman triathlons. I climb mountains. I travel a lot. So productivity is extremely important to me and I’m constantly striving to become more productive. I’ve learned these three techniques over my lifespan and that’s what I’m sharing with you today. So number one is monotasking. We live in this world where everyone thinks it’s normal to multitask, but multitasking is inefficient. There are many studies that show it’s inefficient.

So you should be monotasking, which means you’re focused on one thing, 100% focused on one thing at a time. This way you can get one thing done before you move on to another one or make significant headway on one task before you move on to another one. Your brain can’t really focus on two things at once. Hence, monotasking. The second thing is time blocks. Some people call it block time. You should set your day up so you have blocks of activities scheduled and each of these blocks is set up where you monotask on a specific project or activity for that block of time. Then between each block of time, which is the third thing, you have active breaks. It’s too easy to just sit at your computer or at a job for hours at a time.

But what happens after roughly 50 minutes is your focus starts to wander and you’re less effective. Even if you’re monotasking, you still need a break every 50-60 minutes or so.

Time Block Example

Here’s an example of some time blocks:

  • Time Block 1: Between 7:00 am and 8:00 am, you do email. This is a time block with monotasking. You only do email between 7:00 and 8:00 in the morning. That’s it. What most people do is they’ll start a project, and while they’re working on the project, they’ll answer emails, answer text messages, answer the phone, and they make zero progress on the project. So only do email on this time block, and this is just a suggestion. You can do it however you want to.
  • Active Break: Then between 8:00 am and 8:10 am, you notice I have a 10-minute break between these two. That 10 minutes is where you take the active break. You do something like get up, walk around, maybe do some pushups, whatever you want to do to get the blood flowing because we sit for too long in front of the computer most of the time.
  • Time Block 2: Then the next period of time block or block of time, I have project one. So I only work on project one during this time block. I don’t do email. I don’t answer the phone. Only project one.
  • Active Break: Next time block I have a break between them. I do something active, walk around, go for a walk, go outside.

Then I do personal development, as the example, then another break, then project two. Some people say, “Well, I’ve got a lot of work to do on a specific project.” That’s okay. You set up two blocks of time for that project, but make sure you take that 10-minute break between the two so you don’t start zoning out or getting distracted or losing your focus. That’s where the active break comes into play. Even if it’s as simple as going outside for a short walk, that will help get the blood flowing and often clear your head, and then you come back with a fresh perspective and can often make more progress on that particular project. So the three things to get a quick review, monotasking, time blocks, and active breaks.

I hope you found these three tips useful. Good luck with your productivity. Take care.