cybersecurity certifications

Tips for Certified Cybersecurity Professionals to Find Jobs

There are many ways to land a job that requires the CISSP (Certified Information Systems Security Professional) or any other cybersecurity certification. In this post, I share three methods to empower you to find your ideal job, leveraging your CISSP (or any other) certification. I hope these techniques enable you to land a job in cybersecurity that resonates with you.

I use CISSP throughout this example. You can easily use this tactic with other cybersecurity certifications, such as the Security+.

#1: Research CISSP Job Openings

You should research CISSP job openings for where you are considering moving or the location you are seeking a job. According to CyberSeek, there are currently 77,492 open jobs in the United States that require the CISSP certification. Of the 77,492 open CISSP jobs, 2,031 are in the Public Sector, and 75,465 are in the Private Sector.

Job openings in the United States that require the CISSP certification. The orange number represents CISSP certification holders; the blue number represents openings requesting the CISSP.

If you live in Arkansas and want to stay in Arkansas, as an example, there are 265 open CISSP jobs in the entire state of Arkansas.

If you want to move to Texas, for example, there are 6,333 open CISSP jobs in Texas.

#2: Determine Which Organizations Hire People with the CISSP Certification

This technique involves you actively seeking a CISSP job.

There are several paths you can take:

  1. you can work for the DoD as an actual DoD employee (civilian or military)

  2. you can work for the DoD as a contractor

  3. you can work in the private sector

Steps to become part of the DoD as a DoD civilian or member of the military are beyond the scope of this article. I will focus on numbers two and three above. If you are seeking a job as a DoD contractor or in the private sector, the process is the same because private companies that have DoD contracts hire DoD contractors. Private companies also hire CISSPs for private sector work.

A good place to determine which companies are hiring CISSPs is indeed.com. As of this writing, there are 13,469 open CISSP jobs in the United States.

According to indeed.com, the company Deloitte has 514 open CISSP jobs, and Washington, DC has 765 openings for people with the CISSP certification.

Another source to determine which organizations are hiring CISSPs is LinkedIn. Search “CISSP” on LinkedIn and set the focus of the results to “Jobs.”

As you can see from the screenshot, there are 25,997 open jobs in the United States that require the CISSP certification.

#3: Update your LinkedIn profile with your CISSP certification

This technique involves you passively seeking a CISSP job.

Many employers, recruiters, and headhunters use LinkedIn to search for people with the CISSP certification. Listing your CISSP certification on your LinkedIn profile will make you show up in searches for “CISSP.”

In the screenshot above, I searched for CISSP, then switched the results to “People.” As you notice, one guy even listed “Studying for CISSP Exam” in his LinkedIn “Headline” and he showed up. The second person put it after their name, like “John Smith, CISSP”. The third person listed the CISSP certification as their LinkedIn Headline. Any of these approaches work to get the attention of employers, recruiters, and headhunters. Just be prepared to be bombarded with “incredible opportunities” and lots of new connection requests.

Conclusion

I hope you find these strategies useful in your hunt for your ideal cybersecurity job. Best of luck!

LinkedIn Tips for a Better Cybersecurity Job

Land a new and better cybersecurity job with these LinkedIn tips.

It is a fact that employers, recruiters, and headhunters use LinkedIn to search for people with a cybersecurity certification, such as the CISSP or Security+. We can use this fact to our advantage!

In this article, I focus on a tactic that advertises your credentials to all LinkedIn users. Rather than actively work to find a job and seek out opportunities, this method brings opportunities to you!

In the screenshots in this article, we use the CISSP credential as an example, but you can easily replace “CISSP” with “Security+”, “CEH”, “PMP”, or whatever you want. All we are really doing is adding searchable data to our profile that may be of interest to a prospective employer.

For example, listing your CISSP certification on your LinkedIn profile will make you show up in searches for “CISSP”, as shown below.

LinkedIn search for CISSP, sorted by People.

In the screenshot above, I searched for CISSP, then switched the results to “People”. There are two methods you can use to show up in these searches – (1) change your LinkedIn Headline and (2) change your LinkedIn name. If you want to be really proud (loud) about your credentials, you can even change both your headline and name.

Where to change your LinkedIn Headline, which shows up beneath your name in search results.

LinkedIn Headline

The first person in the results example above doesn’t even have a CISSP certification. He listed “Studying for CISSP Exam”, in his headline. The LinkedIn Headline is what shows up beneath your name.

Listing “Studying for…” might pique the interest of some desperate headhunters. The fact of the matter is that “Studying for the CISSP Exam” doesn’t mean anything, other than that you don’t have the CISSP certification. I personally think it is silly when people list “Studying for…” or “In Pursuit of…”, but that’s me.

The third person listed the CISSP certification as their LinkedIn Headline.

LinkedIn Name change – BEFORE

LinkedIn Name

The second person put CISSP after their name, like “John Smith, CISSP”. This is effective. Some people even list multiple certifications after their name, such as “John Smith, CISSP, CEH, Hacker, Cat-Lover, Ninja”. It’s up to you. Some creativity may generate more interest.

How to add the title to your LinkedIn name. I suggest using something other than “Dude” 🙂

What the LinkedIn profile looks like after “Dude” is added to the name.

Conclusion

Any of these approaches work to get the attention of employers, recruiters, and headhunters. Just be prepared to be bombarded with “incredible opportunities” and lots of new connection requests, even ones that don’t make sense, based on your current role, like the sample I received today:

Sample headhunter LinkedIn message.

It’s apparent many recruiters take a shotgun approach and don’t bother to look at the prospect’s current role. I don’t have any credentials listed in my profile headline or name either, but I still get a couple of these per week.

I hope you find these strategies useful in your hunt for your ideal career.

Check out my book “The Smartest Person in the Room” to pick up some much-needed EQ skills for cybersecurity. People skills are actually more important than technical skills.

How to Hire Cybersecurity Professionals to Ensure Success for the Organization and the Employee

Hiring practices are different for every field, and for cybersecurity professionals, there are many opinions. In a growing and evolving industry, some standardization exists, including a significant focus on certifications. But do certifications equal talent? Not always. As a cybersecurity leader with years of experience building teams, I want to teach you how to hire cybersecurity professionals so they and your organization can be successful.

The Failures in the Hiring Process

The number one failure by cybersecurity hiring managers is the blindness around certifications. Certifications should illustrate skillsets and experience; however, as I write about in my book, The Smartest Person in the Room, that over-dependence leads to retaining paper tigers. Paper tigers are the folks that look great on paper but aren’t ready for the real world of cybersecurity.

Why Certifications Don’t Hold Too Much Weight

The problem with cybersecurity certifications is that their structure isn’t conducive to training people to be job-ready. Many are designed around a quick multiple-choice test, which anyone can memorize for. It’s not like a skilled trade, which requires hours of training or apprenticeships.

The rush to earn certifications accelerated because of the constant refrain that the industry lacks talent. That is certainly true, but many saw it as an opportunity to get a piece of paper that would lead them to a lucrative career.

Most certifications don’t test for practical, real-life skills in cybersecurity. Some are credible and mix hands-on experience with testing, such as CompTIA and EC-Council. So, if you’re going to look at certifications, investigate what they really mean about that candidate’s acumen.

Hard and Soft Skills Matter

Another area to discuss in hiring cybersecurity professionals is seeking a broad skillset. Cybersecurity is a technical field, so the person you’re interviewing should certainly understand:

  • Penetration testing
  • Ethical hacking
  • Incident response
  • SIEM (security information and event management) tools
  • Audit and compliance rules
  • Malware
  • Device management
  • IAM (Identity and Access Management)

These are all essential hard skills. Certifications and job experience can offer evidence of these. The questions you ask can as well (more on this in the best practices section).

However, don’t focus solely on hard skills. There are lots of great candidates out there that might fall short on an exhaustive list of technical prowess. If they have soft skills and an open mindset, they could be an excellent hire.

These soft skills should be on your radar when hiring cybersecurity professionals:

  • Leadership qualities: Gauge their ability to lead, no matter their career level. Cybersecurity is an intense field and having leaders on your team means they look at the big picture strategically.
  • Passion: One of the things most lacking in cybersecurity teams is passion. I firmly believe that the enemy — hackers — are deeply passionate about what they do, and that’s why they win a lot of the time. If you can find people that have a fire in their gut to learn and grow, they will care very much about keeping your data safe and secure.
  • Collaborative: Cybersecurity professionals shouldn’t work in silos. There are many specialist roles within the field, so it takes a team to execute a strategy and remain vigilant. Lean toward those applicants that appreciate collaboration and want to work in that kind of culture.
  • Communicative: Communication can be challenging for technical professionals. It’s a bit of a stereotype but also true. Being a good communicator isn’t about being articulate or having a large vocabulary. Rather, it means someone is a good listener and that they use communication to understand, show empathy, and work together. There are many ways to foster communication skills for tech folks, and I talk about this a lot in my book.
  • Curious and inquisitive: Cybersecurity professionals should not be afraid to ask questions. Only through these can they determine the organization’s needs and challenges around security. Some people don’t ask questions; they make assumptions. It doesn’t mean they aren’t talented. In fact, much of the time, those in this situation learned this from life experience. Having a curious nature is a great trait for cybersecurity candidates, and you can assess it by the way they interact and whether they actually ask you questions during the interview.
  • Empathy: Empathy is an attribute that’s an asset in every job. I find it’s constructive in cybersecurity because it enables people to be in the shoes of another and see their perspective. People who can do this can go far in their careers. There’s no substitute for empathy in professional or personal relationships. You can evaluate this characteristic by how the candidate talks and frames situations.

These are outlines of hard and soft skills and not an exhaustive list, but they are good points to consider as you rethink how to hire cybersecurity professionals. Next, I’ll share some best practices for hiring managers.

Best Practices for Cybersecurity Hiring

Whether you’ve been a cybersecurity manager for years or are just starting, this advice can support your recruiting efforts and help you avoid hiring unqualified people. Because once you do, it can become a bad cycle. Ultimately, you want to hire people that have the right skills and fit your culture. Success for all should always be the goal.

Recognize Past Mistakes

If you’ve been recruiting for some time, I would first recommend recognizing past mistakes. We’re all human and make mistakes. What’s important is we learn from them and do better the next time. The reality is that bad hiring hurts everybody. Turnover costs your company real money, and the effect of hiring candidates that are lacking could lead to expensive errors. So, face your past gaffes and go forward without those dragging you down.

Have Real Conversations with Candidates

An interview is a chance for the candidate to sell himself or herself. Most interviews are very rigid, with detailed questions or checklists. I’m not saying you should toss that out, but this is your chance to get to know the person and vice versa.

Having a natural conversation that touches on who they are and what they know will allow them to feel less nervous and be vulnerable. They may be more honest and introspective, and you can learn a lot about somebody when this happens. You’ll never find that on a resume.

Use an Assessment Tool

In my company, I use the TriMetrix HD. Such a tool allows you to discover important things about an applicant:

  • How they behave and communicate
  • Why they move into action (their motivators)
  • What personal talents they have
  • Which competencies they have mastered, and to what degree

These aren’t technical tests. They give you insights into soft skills. It’s a good next step in the process after you determine they have technical acumen.

Screen Out Job Hoppers

I typically eliminate job hoppers from the applicant pile. This is not a hard-and-fast rule; some people with multiple shorter job histories may have been the victims of layoffs or acquisitions. However, in this field, job hopping is rampant. Most of the time, if somebody is changing jobs every six to 18 months, it’s a red flag. If that looks to be the case, you should probably move on to others.

Don’t Rush Hiring

In many cases, the need to hire cybersecurity professionals is urgent. You needed somebody yesterday, but don’t let that guide you. You’ll make rash decisions that may not pan out just to have a body in a chair. Instead, have a strategic plan that will lead you to the right people. It will take longer, but it’s worth it in the long run.

Ensure Candidates Align with Organizational Values

Most companies, big and small, have a set of company values. Hopefully, these are more than in name only. Your values create your culture. The expectation is that your employees live and respect these.

You can ask candidates questions about your values. Talking about your culture and its attributes with the person should also give you insight into if they believe in them. You can find someone with amazing tech skills, but the employment will likely not last if they aren’t a good culture fit.

Seek Out Those with Great Focus

Monotasking is a pillar of my Secure Methodology, a framework for nurturing and fostering cybersecurity professionals to have better habits and behaviors. Monotasking is the opposite of multitasking and requires focus, which is very important in cybersecurity. You can tell a lot in body language about focus. Another way to assess for it is to ask them how they work. Those who see the value in monotasking could be great team members.

Cybersecurity Hiring: Get It Right So It’s Mutually Beneficial

Cybersecurity hiring can be challenging. There are many considerations — things to do and not to do. Focusing on hard and soft skills, deprioritizing certifications, and implementing these best practices can help. You can learn more about my hiring advice and the Secure Methodology by reading The Smartest Person in the Room.

The Truth About Cybersecurity Certifications

Almost every industry has certifications. Some carry more weight than others, but it’s clear there’s a trend of over-certification in cybersecurity. Most cybersecurity certifications aren’t hard to obtain and thus are not an illustration of someone’s expertise. The industry is creating many paper tigers — someone who claims to have knowledge but just passed a multiple-choice test to earn a certification.

The Certification Structure Is Failing Us

The explosion of paper tigers in the industry is setting businesses up for cybersecurity failure. The bar for earning certifications has become dangerously low. Equally concerning is that there are no specific regulations on training or hours for cybersecurity professionals. In contrast, skilled trades require a certain amount of training hours, apprenticeships, and more. That’s a problem because those that are in place to protect one of your company’s most valuable assets — your data — aren’t ready to be in that position.

Certifications Do Not Equal Quality Talent

For many years, the industry has been buzzing about the lack of talent; there weren’t enough cybersecurity professionals to feed the demand. With this alarming message, certifications in the field became like a golden ticket to employment. The industry needed an influx of talent. Unfortunately, certifications do not equal quality talent. IT leaders, however, believe that certifications bring value. They do at times, but it’s risky to put so much emphasis on a few letters.

They are merely Band-Aids placed on the problem of putting effectual people into roles. Hiring demand was high, and certifications suddenly became what every hiring manager was seeking.

The proliferation of certifications is a cause-and-effect situation. Technology innovation and advancements required more professionals in the industry. Then there was a talent gap or a lack of people in the field. In turn, organizations promoted certifications that would give anyone a prosperous career path — except most certifications don’t test for knowledge, rubber-stamping individuals to increase the number of certified professionals. More education, however, isn’t the answer either.

College Degrees Don’t Solve the Talent Gap Either

The next logical answer to the talent gap is college degrees. Because surely, those graduating from university are prepared for the world. We know that’s not the case, as many graduates walk out into the real world and find themselves lost.

If every company required a four-year college education to get a job, there would be fewer candidates. But those candidates aren’t always going to be qualified. That’s because the university model has its own shortcomings, especially in the technology realm.

Think about how fast cybersecurity is changing. Every day, there are new attacks, each one more complex than before. It’s hard to capture all this movement in a textbook. How could a professor keep pace with this, especially one that’s not in the trenches? Frankly, there are a minimal number of capable professors with real-world experience. So, it’s all theory, and that’s what they teach. Theory very seldom equals reality.

Even applied sciences universities, which aim to be more practice-oriented, don’t adequately prepare students for a real job in cybersecurity. I was a cybersecurity professor at a university and attempted to bring practicality into the lessons. I framed my classes as real scenarios, leaving the books behind. I was trying to lead with practical knowledge, except the students complained and said it was too hard.

This experience proved to me that cybersecurity students wanted an academic degree, not a practical one. They either lacked passion or had no cognition of what cybersecurity work really is. Maybe Hollywood movies about hacking influenced their field of study. And that portrayal of the industry is anything but realistic.

What I learned from this was that the university system, like the certification one, is broken. Higher learning is not preparing students for the day to day of cybersecurity careers.

Hiring Practices Need to Evolve, Too

The other part of the cybersecurity certification and degree problem is hiring practices. Certifications are given far too much gravity over having useful hard and soft skills. Industry experts are aware of the over-certification, giving little importance to those pieces of paper. However, mainstream corporate hiring managers still give credence to the fact that someone passed a test, for which they could have easily memorized the answers.

Applicants then quickly update their resume and soon land a job in cybersecurity. Cybersecurity teams then become overrun by paper tigers. These individuals don’t have the skillset or experience to face the many challenges of the cybersecurity war. They are up against a more sophisticated army of hackers with a much higher acumen than those on the front lines protecting your organization.

The cycle continues. These paper tigers then hire more unqualified people. A paper tiger isn’t going to bring on someone that knows more than they do because they need to be the smartest person in the room. So, yes, the bar’s that low.

A disruption to the cybersecurity certification system needs to occur. Companies can push back on the certification ecosystem by requiring that certifications be practical.

The Shift to Practical Cybersecurity Certifications

So, how do we turn things around and be real about certifications while also improving them? The first step is to emphasize practical certifications.

Even though I believe there is an over-certification issue in the field, and most are worthless, I’m not counting out all certifications. The industry of training and companies hiring cybersecurity professionals needs to shift to practical certifications.

Practicality is not acing a multiple-choice exam. It’s functional and puts students in real-world scenarios to respond. As someone that holds over 25 certifications, I have a good idea of which ones are actually proof of expertise, and those are few.

Some certification bodies are evolving and doing it right. I’d be remiss not to call out some of the companies helping to fix the cybersecurity talent problem.

CompTIA

CompTIA offers cybersecurity certifications that combine hands-on experience and performance-based and multiple-choice questions. Their curriculum stays up to date on what’s happening in the field, focusing on techniques to combat new and emerging threats.

Their PenTest+ certification includes the elements discussed above and the management skills necessary to scope and manage weaknesses, not just exploit them.

EC-Council

The International Council of Electronic Commerce Consultants (EC-Council) is the world’s largest cybersecurity technical certification body. They have developed several well-known and respected certifications:

  • Certified Ethical Hacker (CEH)
  • Computer Hacking Forensic Investigator (CHFI)
  • Certified Chief Information Security Officer (CCISO)
  • Licensed Penetration Tester – Master (LPT Master)

The National Security Agency (NSA) and the Committee on National Security Systems (CNSS) endorse their programs, and they have accreditation from the American National Standards Institute (ANSI).

The CEH program, which I think is one of the best, is an immersive class that includes 24 hacking challenges across four levels of complexity, covering 18 attack vectors. It’s a real hands-on practical learning experience. The practical part of the exam would be unpassable for paper tigers. You can’t memorize how to apply techniques to scenarios. It requires critical thinking and knowledge.

If you’re looking for a certification that translates into a cybersecurity job, the CEH should be at the top of the list.

Fixing the Hiring Practice Problem

The first thing any company should do regarding hiring is to let go of the fallacy that a certification is a mark of expertise. You need to have a broader view of what certification means. Simply put, was it a practical or a multiple-choice test?

Even if the person has a long list of certifications, this still isn’t a sign they have the skills you need. If you want to know whether the candidate has the knowledge you assume comes with these certifications, ask the right questions. If they can validate with their answers, you can feel more confident in the worth of those certifications.

The next part is to focus more on hard and soft skills. Hard skills align more with certifications and degrees. They are also testable. You can quickly discover if they have these. Soft skills are harder to gauge. You’ll learn that soft skills are often more valuable. They include being a good communicator and collaborator. Others are a willingness to change and evolve, staying curious and perceptive. In the end, they are people skills, and that may be the real skills gap in cybersecurity.

People Skills Are More Impressive than Certifications

Helping cybersecurity professionals enhance and grow their people skills could be the answer to winning the cyberwar. It’s not an easy proposition, but it’s possible to transform your employees (if they have the right mindset) and build their people skills. That’s the heart of my book, The Smartest Person in the Room. Read it today to learn more about cultivating your people.

Your Cybersecurity Methods Are Failing – Here’s Why

As much as every organization wants to believe they are cyber secure, the reality paints a different story. Cybersecurity methods continue to evolve with an emphasis on tactics and technology. This progression of companies and government agencies follows the cybersecurity status quo that it’s a hardware and software issue.

And that’s just a complete disregard for the real problem. If you want to know why your cybersecurity methods are failing, it’s because it’s a people issue. This is a major theme of my book, The Smartest Person in the Room. It’s a reality that most organizations don’t want to face. Not because they don’t accept this notion; it’s because they don’t even have an awareness of it!

The Cybersecurity Landscape Points to Failures

There is plenty of available data and statistics that illustrate failures. They don’t necessarily lead to the why, but they are important for context nonetheless. Cybersecurity risk is growing, and incidents are increasing.

If you’re in the industry, these numbers aren’t new to you. However, that doesn’t mean they shouldn’t be eye-opening. The numbers continue to trend up, and an organization’s go-to for this is money and defenses.

Cybersecurity Method Failures Aren’t About Spend or Defenses

Cybersecurity budgets keep increasing. Financial services firms, among the most prone to cyber-attacks, spend 10% of their IT budget on cybersecurity. Tech giants like Microsoft spend even more. The company’s CEO said they would spend more than $1 billion. Government spending is up as well, with the 2019 budget for the U.S. at $15 billion.

It’s not a money problem. Dollars are essential to fighting the cyberwar, for the best technology, talent, and infrastructure. Unfortunately, many organizations believe that if they spend enough, they’ll be free from attack. High budgets do allow for more technology and people, but they don’t always equal a successful program. Companies often learn, when something goes wrong, that money and processes don’t make their networks impenetrable.

All you need to do is look at the SolarWinds hack, which led to the infiltration of at least 18,000 government and private networks. It illustrates the weaknesses of supply chain security and certainly didn’t happen because they weren’t spending buckets of money. There’s no definitive answer on what the failures were for this case, but in looking at alternatives, it could turn out to be a people problem.

One possible line to draw was that the former Chairman of the Joint Chiefs of Staff said of probable cyber attackers, “If they know that we have an incredible offensive capacity, it should deter them from conducting attacks on us.”

The position was that if would-be hackers knew the prowess of the U.S.’s cyber arsenal, they’d cower. That didn’t really work out very well and points to a larger problem within the cyber community. This example in no way characterizes these experts as incompetent. Rather, it shines a light on the culture of cybersecurity.

What’s the Real Reason Cybersecurity Measures Aren’t Working?

As I said in the introduction, it’s the people entrusted with the security. It doesn’t necessarily mean they aren’t knowledgeable or don’t have training and experience. The profession is broken. Those who are practicing cybersecurity and the leadership that manages, hires, and recruits them need a reset.

Here’s why you’re failing and what you can do about it.

Cybersecurity Professionals Aren’t Passionate

Most would say that to succeed in a career, passion is necessary. If you look at those who have achieved great things in any profession, it wasn’t their intellect alone. They had the drive and were invested in their work. Most cybersecurity professionals don’t have this. They don’t take it seriously or simply want to punch a clock. They believe it’s a stable career and do the minimum.

On the other side, cybercriminals are passionate. This is their livelihood, and they treat their endeavors like Olympians chasing gold medals. When there’s this kind of imbalance in protectors versus perpetrators, the hackers are going to win.

The Prevalence of Paper Tigers

Paper tigers in cybersecurity are diluting the profession. What it means is they look good on paper — they have a certification or multiple ones as proof that they know what to do.

Unfortunately, they don’t.

They have very little real knowledge or experience. Organizations hire them, and they immediately become a risk, not a value. They don’t know what they don’t know, and that’s scary. Paper tigers also tend to have fragile egos, so they’ll never admit they don’t have the answer or understand the situation. They’ll keep backpedaling and become defensive instead of being communicative and collaborative.

The situation becomes worse as paper tigers hire paper tigers. Then you have a whole team of “professionals” that have no idea how to protect your data and infrastructure.

A Culture of Insecurity

As I just touched on, paper tigers are insecure. So are many in the profession, regardless of their skillset. Technical folks take a lot of self-worth and value in their career, and that would plummet if they suddenly admitted they weren’t the smartest person in the room. They feel they have earned their way because they have the certifications or degrees on the wall.

Insecurity means people are closed off from learning and growing. Their blind spot keeps getting bigger. In turn, they begin making cybersecurity methods more complex and complicated, believing only they know how to apply them. Such a framework doesn’t provide any guarantees that you’re free from risk. In fact, they can make you less secure. It’s like having 10 locks on your door but leaving it wide open. It’s an illusion of security.

Insecurity and Fear Lead to Posturing

Those in charge of cybersecurity also have fear mixed with insecurity. They are fearful that peers or leadership will find out that they don’t have all the answers or experience. So, they counter by posturing. The posture they present is that they “know” what’s going on and how to be cyber secure. This defense mechanism results in using big words and overcomplicating the basics. In reality, there are five CIS (Center for Internet Security) Controls that will stop 85 percent of all attacks. Further, cybersecurity professionals who posture don’t even cover the basics:

  • What do you do?
  • What are you trying to protect?
  • What’s important to the business?

Paper tigers and insecure people aren’t going to ask any questions! They’ll just start laying out jargon and puffing their chests. They only want to seem like they have it under control when there’s a fire in the kitchen, and they don’t even know what baking soda is.

The Biggest People Problem? Communication

There’s a consensus among many that technical people have bad communication skills. That’s not universally true, but I would say it’s the biggest people problem in cybersecurity. They are long on jargon or buzzwords and short on substance.

They also often can’t articulate how and why they do things, and they certainly butt heads with business-focused colleagues. Poor communication skills, or the lack of them altogether, are why cybersecurity groups fail internally most of the time.

If there’s no openness in communication, there’s no collaboration or teamwork. Cybersecurity has to be a group effort, and everyone must be on the same page. That’s hard when there are communication barriers.

Moving from Failure to Succeeding in Cybersecurity

Fundamentally, if your business has been the victim of cybercrime, it was likely a people problem. If you haven’t had an incident, it’s probably a matter of if, not when. In either situation, you need to make some people changes.

My approach to solving the people problem and bolstering cybersecurity is the Secure Method. This approach focuses on soft skills and helping professionals lead with their head and heart. It’s a step-by-step guide with seven parts:

  1. Awareness of self and others
  2. Mindset moving from fixed to growth
  3. Acknowledgment of self (removing ego) and others when they make positive changes
  4. Communication (words, tone, and body language): learning how to articulate feelings and situations and listening
  5. Monotasking (concentrated work)
  6. Empathy (looking at others’ perspectives with compassion)
  7. Kaizen (change for the better by being better)

I’ve given you a very brief explanation of each step. There is a lot more, including how to make it through each step. The Secure Method is actionable, and any organization can use it to solve the people problem.

You can read all about it by ordering my book, The Smartest Person in the Room. It will give you a unique perspective on cybersecurity and how to harness and develop talent to really be cyber secure.

Cybersecurity “Professionals” – Reboot Needed

Introduction

The cybersecurity industry is broken. What we have very loosely defined as a cybersecurity “professional” is not cutting it. The organizations that need cybersecurity deserve better.

This article focuses on cybersecurity certifications, yet it addresses a larger issue with the overall cybersecurity industry: the case for stringent license requirements, as opposed to certification exams that can be easily “gamed”.

Cybersecurity Certification Trend

I’ve noticed a trend that seems to be getting worse.

The trend is this:

Fewer people seem to care about the cybersecurity profession – they just want to learn what’s on a certification test so they can get “certified” and get a high-paying cushy job where no one holds them accountable.

This trend bothers me in a number of ways:

  1. Cybercriminals are winning. Cybercriminals, at least the good ones, take their trade seriously. Otherwise, they’d get caught more often. Many certified cybersecurity professionals, the “good guys”, are not really professionals anymore – they don’t take their trade seriously. This is the primary reason the cybercriminals are winning.

  2. It’s apparent the “instant gratification” wave is here. Many people don’t want to put in the effort to learn a trade anymore. They just want to study the bare minimum, pass a certification exam, get hired, then fake it at a job as long as possible.

  3. B Players hire C Players. C Players hire D Players. We’ve ended up with an industry filled with C and D players. Certified people that don’t really know what they are doing can’t make proper hiring decisions and, most of the time, let their ego get in the way. Their ego prevents them from hiring someone “smarter” than them; a new hire that actually knows what they are doing might find out that the person that hired them doesn’t know much, and has been faking it.

  4. Inflated salaries. Salaries for people that have a certification (such as the Security+), have no experience, are paper tigers, and couldn’t care less about cybersecurity are grossly inflated. This perpetuates the problem, as the lure of money attracts people, like moths to a flame, to a career field that they have no passion for and, therefore, will not develop skills in.

  5. Cybersecurity certification classes. People that just want to pass the test are not ideal students and are difficult to deal with as a trainer. They constantly ask “is that on the test?” and say things like “why are we learning that, if it’s not on the test?”. I often wonder if certification courses are helping or hurting the industry. Alpine Security’s trainers are awesome and really enjoy helping people that want to learn, pass the exam, and make a difference, but it is demoralizing, draining, and downright frustrating dealing with people that don’t care about cybersecurity and just want to pass an exam.

Who “just wants to pass” the certification exam?

There are two main categories.

  1. People that heard cybersecurity pays well, just want to make money, and don’t care about the industry or profession.
  2. People that are mandated by their employer to have a cybersecurity certification for their job. This could be private or public sector.

Solutions

I can’t point out a challenge without offering some solutions…

Licensing Requirements

Add licensing requirements for cybersecurity professionals. Many cybersecurity professionals protect your health records (PHI), intellectual property, and sensitive personal data (PII: credit card data, date of birth, SSN, etc.). Just about every other industry has federal and state licensing requirements. If a barber needs a license to cut your hair, shouldn’t a cybersecurity professional? A cybersecurity professional protects your identity and medical records and may also be responsible for securing a hospital network and the life-sustaining medical device connected to your grandmother.

Cybersecurity has no license requirements. If I want to become a “Cybersecurity Analyst”, I don’t need a license. I can just start promoting myself as such, study brain dumps or exam crams, pass a few cybersecurity certification tests, become the “expert”, and provide ineffective cybersecurity for my organization.

For comparison’s sake, let’s look at the licensing requirements to become a barber. A barber license is required in all 50 US states to work as a barber. The barber license requirements vary by state, so I’ll just pick one for comparison to a cybersecurity analyst. I’ll go with Arkansas because I grew up there from age 12-18. Here are Arkansas’s Barber License requirements (https://www.barber-license.com/arkansas/):

Step 1. Complete a Barber Education Program

As a candidate for an Arkansas barber license that has not been licensed in other states, you must first complete a formal barber program that is at least 1,500 hours in duration.

Step 2. Apply for an Arkansas Barber Technician Certification

The Board issues barber technician certifications for students who have completed at least 20 full working days of study in an approved school of barbering and at least 20 hours of study in the sterilization of tools and the barber laws of the State of Arkansas.

Step 3. Apply for an Arkansas Barber License and Take the Required Examinations

Once you have completed the required barber program, you must apply for a barber license at least 10 days before the date of the next barber examination. The Board furnishes all applicants with the appropriate forms.

The barber examinations include both a practical demonstration and a written and oral test. You must submit a completed application, along with a certification of your completed barber school hours, before you are eligible to participate in the examination process.

Step 4. Learn About Job Opportunities in Barbering and Keep your Arkansas Barber License Current

Your Arkansas barber license must be renewed every odd-numbered year, before your birth date. There are currently no continuing education requirements for licensed barbers in Arkansas.

So, to sum it up, to be a barber in Arkansas, you need:

  • 1,500 hours of training. This is the equivalent of 37.5 forty-hour weeks.
  • 20 FULL working days of study in an approved barber school
  • 20 hours of sterilization training
  • Pass required exams (plural):
    • Practical demonstration
    • Written Test
    • Oral Test

To become a cybersecurity expert in ANY state in the US, you need:

  • This section intentionally left blank…

If licensing requirements are tied to risk, it seems the risk is greater with cybersecurity professionals. I mean, I certainly don’t want to get a bad haircut from an unlicensed barber. But I’ll take the bad haircut any day over an unskilled paper tiger not securing the medical device that is providing life support to my grandmother in the hospital.

Make cybersecurity certifications practical-based

This gets rid of cybersecurity paper tigers. You generally can’t pass a practical unless you know what you are doing. EC-Council is taking this approach with CEH Master. Licensing requirements would fix this too.

Industry leaders need to step up and put purpose before profit

At Alpine Security, we are making an effort to attract our ideal students and repel the others. This is a bit risky, as we are a business and need to generate revenue. I cannot, however, in good conscience support a broken system that hurts the cybersecurity industry and those the industry supports. I’ve thought about pulling Alpine Security out of the cybersecurity certification training business altogether. This only hurts the students and professionals that actually care, though, as I believe we offer outstanding training with trainers that are passionate about cybersecurity.

Downsides of Changing the Status Quo

I know, I know…but, what about the cybersecurity skills shortage…the skills gap we hear about incessantly every day? Won’t licensing requirements, practical exams, etc., make this worse?

Not really.

The “skills gap” primarily exists because cybersecurity is considered “white collar” (an antiquated term), where a college degree (any degree) matters. As if a college degree in political science or history makes a person qualified for a cybersecurity job? Really? I’d rather take someone “blue-collar” that has gone through 1,500 hours of focused cybersecurity training, an apprenticeship, and passed a practical, written, and oral exam.

Yeah, but that’s 1,500 hours. Isn’t that a lot? True, but a 4-year college degree is more than 1,500 hours of time (mostly wasted) and a hell of a lot more money.

As for the skills gap, I’d rather have one person that is a professional, is passionate about what they are doing, and has a license in cybersecurity, than 15-20 people that are paper tigers.

One real tiger can easily take out 15-20 paper ones. I don’t know what the real cybersecurity skills gap number supposedly is, but if we divide it by 15-20, it isn’t that big of a deal.

What we are doing now, the status quo, is not working. It’s time for a change.

Conclusion

I don’t have all the answers, but I think it’s worth opening the dialog and working to address this cybersecurity “professional” challenge, rather than pretending it doesn’t exist. Perhaps cybersecurity licensing requirements are the solution. I am willing to commit some of my time to make this happen. Alpine Security will also be more selective of students. Our goal is to help the industry and our clients, not contribute to the problems in our industry.

Here’s a simple list we developed to attract the right students and repel the rest for Alpine Security’s cybersecurity training:

Not a good fit for Alpine Security’s training:

  • Think of what you do for work as a job, rather than a career
  • Have a fixed mindset
  • Make decisions based on your ego, rather than what is right and adds value
  • Are lazy and value short-cuts

Good fit for Alpine Security’s training:

  • Believe in a career, not a job
  • Have a growth mindset
  • Want to make a positive difference
  • Willing to put in the time to learn a trade and become a true professional

Check out Alpine Security’s Training Schedule.