Cybersecurity Jobs

The 2023 Cybersecurity Workforce Landscape

January 19, 2023 by Christian Espinosa

It’s a new year, and that means new challenges and opportunities for the cybersecurity workforce. Currently, the job market remains healthy, with another 223,000 jobs added in December 2022 and unemployment falling to 3.5%. Rumblings of a recession and an uncertain economy remain, and big tech, including Meta, Amazon, Twitter, and Google, issued layoffs. However, the landscape for recruiting, hiring, and retaining cybersecurity talent remains a significant problem.

So, how can organizations, big and small, address these problems, and where will the market shift?

The Workforce Grew But Remains Understaffed

The ISC 2022 Cybersecurity Workforce Study reported that the global cybersecurity workforce grew to over 4.6 million, an 11.1% year-over-year increase. The study estimated that over 3.4 million jobs remain unfilled even with this increase. This gap created genuine concern for staff, with almost 70% feeling there aren’t enough workers to be effective. Survey respondents also said that significant shortages increased risk. The cumulative effect of understaffing has real consequences, per the study, including:

Lack of time to perform proper risk assessment and management
Oversights in procedures and processes
Slowing down the patching of critical systems
Training deficiencies
Misconfigurations of systems

Another study found that 80% of organizations experienced at least one breach in the last year, attributing it to a lack of cybersecurity talent or awareness.

Any cybersecurity leader likely has the same concerns. When there aren’t enough people, everyone is stretched thin. Corners get cut, and people get defensive and burn out. It’s an environment that could expose any company to more threats while vulnerabilities go unnoticed. Additionally, those coming into the industry often don’t have the necessary skills to contribute. They may have the technical aptitude but need training in real-life cyber work and honing soft skills.

So, if there isn’t enough qualified talent, how do you fix it? You’ll need new candidates to enter the industry and retain your current employees.

Cybersecurity Talent Pipelines Are Running Dry

It would be easy to think that younger generations all want to work in technology. They are digital natives, but that’s not exactly true. Only 9% of millennials had an interest in the field. Gen Z isn’t flocking to the industry either, preferring jobs where they can shape company culture and have a social impact. They want to be recruiters or marketing or social media managers. For more context, the ISACA State of Cybersecurity surveyed cyber professionals, and only around 12% were 34 or younger.

Apparently, cybersecurity careers aren’t attractive to those entering the job market. Maybe cybersecurity needs a “makeover” to highlight the positives of being in demand, such as providing competitive wages and offering opportunities for advancement.

The key issue with generating interest in the industry is that these new candidates will come to the table unprepared. It could cause more “paper tigers” to infiltrate the ecosystem. Paper tigers are a rampant problem in cybersecurity. People look “great on paper” because they have this credential or that certification.

In reality, they usually don’t have the technical or people skills to be a good hire and an effective cyber professional. In fact, 55% of survey respondents stated they don’t believe applicants are well qualified, citing a lack of hands-on experience as the main factor in the unqualified classification.

In looking at specific skills lacking, the results indicated a gap in people skills as the greatest concern, followed by technical attributes of cloud computing, security controls, and coding.

So, how do we close the skills gap?

Closing the Skills Gap

The skills gap includes both soft and technical skills. As noted, people do not need one more certification or a college degree. Instead, they need practicality and real-world exposure to meet the technical requirements and support to develop interpersonal skills. For this to happen, the industry must shift how it recruits and trains.

The current tests focus on theory, not practice. It’s become easy to earn this “badge” through multiple-choice exams that anyone can memorize. Some certifying organizations still do things right, including CompTIA and EC-Council. Their programs are more practical.

The transformation that needs to occur in the talent pipeline has to be a movement that the entire industry supports. First, the field must showcase that it is one with job security, growth, and opportunity. Second, the training landscape must become consistent, teaching real-world technical and people skills. Third, employers could then make smarter hiring decisions not based on desperation.

In addition to challenges with new talent, organizations are also struggling with turnover, which is costly and disruptive. You have more control over this variable.

The Retention Problem: Is It Your Culture?

In the ISC study, 21% of respondents changed companies in the last 12 months, an increase of 13%. Digging into why, it appears to be about the culture, not the work itself. Cybersecurity can be high-stress, but many in the field enjoy what they do. The ISACA study revealed that 60% of companies had a cybersecurity retention problem, and 63% said they had open roles.

The nemesis of cybersecurity retention is the environment. You have the ability to change that if you recognize the shortcomings.

Cybersecurity culture is often toxic. People often struggle to be open communicators. They can be uncooperative and aggressive. They act this way because they know they can, and when someone new shows up, they’re not unlike a group of mean girls. Such a situation isn’t sustainable, and it only increases risk. If you want to retain the qualified people you have, you must start by laying a foundation for an inclusive, honest, and respectful culture. In most circumstances, you need to help these people evolve with better people skills.

Not everyone will want to grow and change. It’s hard, after all, and uncomfortable. Even if it’s the best technical employee you have, you may be better off without them. Those left get a choice to go through the process. There’s already a blueprint for you on how to do that with the Secure Methodology™. It’s a seven-step guide to help cybersecurity leaders support employees in becoming better communicators, collaborators, and teammates.

The Secure Methodology™ applies to employees, new and senior.

Applying the Secure Methodology™ for Recruitment and Retention

We’ve established that the work isn’t the reason why people leave. We also know there are deficits in skills and that cultures can be toxic. This is the reality that inspired me to develop the Secure Methodology™. Here’s how each step can apply to the cybersecurity workforce challenges.

Awareness

Awareness applies to one’s self and others. It’s lacking in many technical folks, which causes their actions and behaviors to be abrasive or curt. There’s an energy to it, and when people aren’t aware, it causes conflict and animosity. Through exercises and direction, your team can become more aware of themselves and others. It can be a significant shift that gives them perspective.

Mindset

You want to help people move from a fixed to a growth mindset. Only in the latter can they evolve and improve. You also have to believe that change is possible. Additionally, there must be a commitment from people to welcome growth. One activity to support this is the 7 Levels Deep exercise, which can help people understand motivations and why they do the things they do. This knowledge can unlock a fixed mindset.

Acknowledgment

To acknowledge is to express appreciation, and it doesn’t happen enough in cybersecurity. So, first, leaders should begin to do this consistently. It builds trust and confidence. An organization also must accept that a cyber professional isn’t an expert in every technical area and shouldn’t put such extreme burdens on a single person or team. It requires a culture shift that recognizes growth and contributions while ensuring accountability.

Communication

Communication is the foundation for all soft skills and really every step in the Secure Methodology™. When communication is poor, nonexistent, or comprised of technical mumbo-jumbo, breakdowns happen in your risk posture and culture. Communication is also about listening to understand, not just responding. Developing these skills in your staff will pay big dividends for them and your organization. If communication is transparent, honest, and constant, the culture moves further and further from toxicity. Within this step, you’ll find exercises and best practices for cultivating communicators.

Monotasking

Monotasking is about dedicated attention to one task at a time. It’s likely at odds with current performance, where multitasking is the norm. Multitasking is bad for cybersecurity, as it can cause excess stress and errors. Monotasking isn’t always an option, but you’ll want to ensure that your employees know it helps them focus and be more productive.

Empathy

In the Secure Methodology™, I focus on cognitive empathy, which is understanding another’s feelings and perspectives. Empathy also means choosing to connect with someone and accept their views. In such a culture, empathy builds trust, and it all goes back to communication and how people interact. If your team builds empathy, you have an environment where people want to stay.

Kaizen

Kaizen is a Japanese term that translates to “continuous improvement.” So, this step isn’t the final one. It continues as part of the foundation of culture. The pursuit of continuous improvement applies to soft and technical skills. It also supports adaptability and flexibility — traits useful to anyone, anywhere. It keeps people engaged, and that supports recruitment and retention.

The cybersecurity workforce landscape needs some care. Many areas need to evolve, and you can be a voice for that in the industry and your organization using the Secure Methodology™.

Learn more about the Secure Methodology™ by reading my book, The Smartest Person in the Room, and viewing the online course on the guide.

How to Recruit and Hire Cybersecurity Professionals to Help You Win the Cybersecurity War

September 27, 2022 by Christian Espinosa

cybersecurity jobs The field of cybersecurity is growing, but the pool of qualified candidates is not. Nearly every industry deals with labor shortage challenges due to the pandemic, the Great Resignation, and other factors. However, cybersecurity was already experiencing recruitment and retention problems. Even with new people entering the market, it would be remiss to count them all as ready for the cybersecurity war. So, how do you recruit and hire cybersecurity professionals in these times? And is technical prowess the only factor to consider?

The Cybersecurity Labor Landscape

To begin the discussion on recruitment and hiring, let’s look at some of the data on the cybersecurity labor landscape.

The shortage of cybersecurity professionals is 2.72 million globally.
As of June 2022, there were 714,548 total cybersecurity job openings.
78% of decision-makers stated that it’s hard to find certified people.

So, it seems there is a tremendous opportunity for those that want to enter the field. Many employers welcome them, with 91% willing to pay for training and certification. Cybersecurity is an attractive field with the potential for high earnings and upward mobility. With such an appealing opportunity, you could argue that labor shortages will dwindle, especially as more digital natives enter the workforce. So, maybe recruiting and hiring cybersecurity professionals will get easier.

The risk of these presumptions goes back to the idea of qualification, which goes beyond technical skills. In fact, leaders said the highest skill gap in cybersecurity is people skills. This response demonstrates a needed shift from what makes someone a good hire for these roles.

So, why should you care about people skills if candidates have the credentials and experience? As I’ve learned in my decades in the industry, people skills should always be a priority for technical roles. Without these, cybersecurity professionals make crucial missteps based on their own hubris and over-confidence. They don’t communicate or collaborate, and that’s the real reason we’re losing the cybersecurity war. It’s the central theme of my book, The Smartest Person in the Room.

So, let’s talk more about people skills.

Why People Skills Matter in Recruiting and Hiring Cybersecurity Professionals

There are many stereotypes about those in technical roles. It’s easy to lob them all together as bad communicators, inflexible, stubborn, and difficult. Some of this is true, as technical folks often eschew people skills as being important. Yet, they are so vital! Without people skills, these people won’t learn, grow, collaborate, or adapt, and those things are crucial in cybersecurity.

People skills matter because the war zone of cybersecurity isn’t just ones and zeroes. There are hackers on the other side who are deeply passionate about what they do, even though it’s illegal and immoral, to say the least.

Your cybersecurity team needs to have that same passion, which comes only from people skills. The most adept technical professional can be a bad hire when they come up short here.

These are the people skills I think are the most critical:

Empathy: When someone can understand another’s perspective, it makes them better at their job. They can comprehend someone’s mental state and what that might mean, whether that’s a coworker or a criminal on their other side.
Communication: This is the number one people skill for cybersecurity candidates. It’s the core of how we operate. Being a great communicator doesn’t mean you say whatever comes to mind. Rather, it balances expressing thoughts wisely and being excellent listeners. Successful interactions within the team and with other stakeholders are imperative to avoid miscommunication and misconceptions, which are the leading causes of cybersecurity failures.
Adaptability: Cybersecurity is a dynamic field, so those working in it must adapt quickly and be willing and open to change. A lack of this people skill could sink your cybersecurity operations.
Vulnerability: Being vulnerable is really about being honest and having trust. You’ll have to create a safe place for people to be vulnerable, where no one is scared to be wrong. Making this part of your people skills list can provide an ideal environment for solving cybersecurity challenges.

Gauging these people skills is much more complex than testing technical ability. There are many candidates out there masquerading as qualified applicants. They may be, on paper, that is.

Avoiding Hiring Paper Tigers

Paper tiger is a term in the industry that originates from the Chinese phrase zhi lao hu (纸老虎). In the technical world, it simply means that people look good on paper—resumes with an extensive list of certifications, for example. Yet, they lack the skills, experience, and expertise to succeed in cybersecurity.

Candidates like these will land in your inbox. You may not be able to spot them at first glance. So, you’ll have to draw conclusions based on interviews and conversations. Here are some key things to consider:

Where did they earn certifications? Not all organizations that provide credentials are “cyber mills,” taking in money to deliver the certification. The most legitimate and credible are practical and scenario-based exams from CompTIA and EC-Council.
How do they speak about their work experience? Not every applicant will have multiple years of experience, and you shouldn’t discount those new to the field. For those that do, you’ll want to hear about specific projects or responsibilities. Someone who uses a lot of jargon and buzzwords and talks in the abstract is likely a paper tiger.
What motivates them? Different people have different motivations for why they work. Money is at the top of the list. It’s not necessarily a red flag for those that are money motivated. After all, we’re not working for free. However, you’ll find that those who desire meaningful work (roles that are fulfilling), a collaborative team, and being part of something bigger will rank highly on people skills.
What kind of people skills do they exude? Ask questions that tie into the people skills described above. You can even “score” their people skills with assessments like TriMetrix® HD.
Is their knowledge book-based or experience-based? This evaluation concerns your defense posture and whether someone can react in the real world where stress and pressure exist.
How big is their ego? Ego can be a detriment to cybersecurity when your employees believe they can never be wrong. They will be wrong eventually and many times over. If their ego doesn’t fit through the door, it won’t fit on your team, either.
How do they work? Someone’s approach to the day-to-day matters, and you want to see someone with focus. Ideally, in cybersecurity, your employees should be mono-taskers (the opposite of multi-taskers). That undivided attention is necessary in the high-stakes world of cybersecurity.

Now that you know what people skills are critical and the steps to avoid paper tigers, I’ve got a few more tips for recruiting and hiring cybersecurity professionals.

Final Takeaways on Recruiting and Hiring Cybersecurity Professionals

Look to past hiring decisions as learnings, whether they turned out good or bad. Even as you evolve how you hire and recruit, you won’t always make the perfect hire. If you can learn from the past, you’ll be better prepared for the next hire.
Treat the interview as a conversation. You want to learn about the candidate, and they need to find out about the organization. Making these interactions rigid and controlled is a disservice. That’s not how things play out in the real world, so don’t treat this like an inquisition.
Don’t sell your organization short by filling the chair with anyone. A chair occupied by a paper tiger could cause more chaos than harmony. Don’t rush the hiring process because of these feelings. It’s always better to wait for the right person than make do with someone who isn’t.
Be sure the candidate fits your culture. When there’s misalignment here, the hire often becomes turnover. Talk about the culture of the organization and your department to discern how they’ll fit in with your organization. The assessment discussed earlier can help you determine this, too.
Be wary of job-hoppers. I typically screen these people out, but it’s not a rule without exceptions. They may have shorter tenures because of things outside of their control (e.g., layoffs, relocations, etc.). For anyone who’s trying to hire cybersecurity professionals, you know job-hopping is rampant. Consider the circumstances and context, then exclude anyone that looks like a risky hire.
Remember that people skills are teachable, and you can help your team develop them. That’s the sentiment behind the Secure Methodology, a seven-step guide to advancing technical folks from two-dimensional stereotypes to fully engaged and highly communicative team members. Of course, your staff has to be open to change and growth for this to work, which is one more reason to look for those with high potential for people skills in the hiring process.

Get more tips and strategies on how to build a team of cybersecurity professionals to help you win the cybersecurity war by reading my book, The Smartest Person in the Room.

Tips for Certified Cybersecurity Professionals to Find Jobs

September 4, 2021 by Christian Espinosa

There are many ways to land a job that requires the CISSP (Certified Information Systems Security Professional) or any other cybersecurity certification. In this post, I share three methods to empower you to find your ideal job, leveraging your CISSP (or any other) certification. I hope these techniques enable you to land a job in cybersecurity that resonates with you.

I use CISSP throughout this example. You can easily use this tactic with other cybersecurity certifications, such as the Security+.

#1: Research CISSP Job Openings

You should research CISSP job openings for where you are considering moving or the location you are seeking a job. According to CyberSeek, there are currently 77,492 open jobs in the United States that require the CISSP certification. Of the 77,492 open CISSP jobs, 2,031 are in the Public Sector, and 75,465 are in the Private Sector.

Job openings in the United States that require the CISSP certification. The orange number represents CISSP certification holders.

The blue number represents openings requesting the CISSP.

If you live in Arkansas and want to stay in Arkansas, as an example, there are 265 open CISSP jobs in the entire state of Arkansas.

If you want to move to Texas, for example, there are 6,333 open CISSP jobs in Texas.

#2: Determine Which Organizations Hire People with the CISSP Certification

This technique involves you actively seeking a CISSP job.

There are several paths you can take:

you can work for the DoD as an actual DoD employee (civilian or military)
you can work for the DoD as a contractor
you can work in the private sector

Steps to become part of the DoD as a DoD civilian or member of the military are beyond the scope of this article. I will focus on numbers two and three above. If you are seeking a job as a DoD contractor or in the private sector, the process is the same because private companies that have DoD contracts hire DoD contractors. Private companies also hire CISSPs for private sector work.

A good place to determine which companies are hiring CISSPs is indeed.com. As of this writing, there are 13,469 open CISSP jobs in the United States.

According to indeed.com, the company Deloitte has 514 open CISSP jobs, and Washington, DC has 765 openings for people with the CISSP certification.

Another source to determine which organizations are hiring CISSPs is LinkedIn. Search “CISSP” on LinkedIn and set the focus of the results to “Jobs.”

As you can see from the screenshot, there are 25,997 open jobs in the United States that required the CISSP certification.

#3: Update your LinkedIn profile with your CISSP certification

This technique involves you passively seeking a CISSP job.

Many employers, recruiters, and headhunters use LinkedIn to search for people with the CISSP certification. Listing your CISSP certification on your LinkedIn profile will make you show up in searches for “CISSP.”

In the screenshot above, I searched for CISSP, then switched the results to “People.” As you notice, one guy even listed “Studying for CISSP Exam” in his LinkedIn “Headline” and he showed up. The second person put it after their name, like “John Smith, CISSP”. The third person listed the CISSP certification as their LinkedIn Headline. Any of these approaches work to get the attention of employers, recr

uiters, and headhunters. Just be prepared to be bombarded with “incredible opportunities” and lots of new connection requests.

Conclusion

I hope you find these strategies useful in your hunt for your ideal cybersecurity job. Best of luck!

The Urban Legend of the Cybersecurity Skills Gap

September 4, 2021 by Christian Espinosa

According to the Information Systems Security Association (ISSA), we’re facing a cybersecurity skills crisis. Their recent report calls the gap in qualified individuals a “rapidly widening business problem,” claiming businesses are investing their resources in the wrong places when it comes to cybersecurity.

ISSA partnered with Enterprise Strategy Group (ESG) to look at the state of qualified cybersecurity professionals in the workforce. Around 70% of respondents to their survey said they felt a lack of cybersecurity skills within their organization was affecting their company. According to the cybersecurity organization (ISC)², almost three million cybersecurity jobs needed to be filled globally as of 2018.

Most people agree that this is a serious problem. The lack of qualified professionals at major businesses with knowledge in cybersecurity is exacerbating data breaches, and has been called an “existential threat to our national security.” What there doesn’t seem to be a consensus on is how that problem should be solved.

Are There Really Not Enough Qualified People to Fill the Cybersecurity Skills Gap?

The short answer seems to be no. Rather, the problem seems to lie with the paths made available to talent looking to get into the cybersecurity industry.

For a long time, the university path has been the main place students get recruited into cybersecurity jobs. Organizations recruit from universities, and many require a college degree as part of their job descriptions for cybersecurity roles. But there are thousands of talented people that miss out on these job opportunities simply because they don’t choose to go to college.

In an article for Forbes, cybersecurity contributor and CEO of Immersive Labs James Hadley argues that the cybersecurity skills gap won’t be mitigated through the classroom. He argues that self-taught, talented people should be recruited and trained by organizations before they take their talents to the wrong side. He writes:

“The world is desperate for cybersecurity talent, yet the sector limits entrants and clings to obsolete training methods. As the skills gap grows and organizations become increasingly vulnerable to ever-more-complex threats, the need for a diverse pool of cybersecurity experts to learn in real-time, rather than a classroom, strengthens.”

Hadley uses the example of 22-year-old Daniel Kelley, who hacked the telecom company TalkTalk, stole the data of thousands of users, and used it for blackmail as an example of what could happen if people who feel snubbed by the system use their talents for ill. Kelley didn’t make the grade required for a computer course and attacked TalkTalk out of a desire for revenge. He could’ve ended up using his skills to help instead of hurt, Hadley argues, had that path not been closed off to him.

Companies don’t want to train employees, preferring that they come to the job with the skills they need already, but the nature of cybersecurity work demands constant retraining and maintenance of those skills. There are qualified people ready to help stop the next cybersecurity threat if companies are willing to adapt to them.

How Can Companies Fill The Gap?

The threat of cyberattacks and hacking isn’t going away. In fact, they’re likely to increase as time goes on and the technology both companies and hackers use becomes more sophisticated. That’s why businesses should do everything they can to make themselves resilient to cyber threats. How can they do that?

First, hire and train the right people. Provide them with the time and resources they need to continually develop their skills to match the changing threat and technological landscape. Devote more of the company budget to cybersecurity. Currently, 49% of companies say that cybersecurity is a budget priority, but pros say that figure should be closer to 60%.

A shift away from the traditional job requirements of a university degree path would allow for the scouting, hiring, and training of the right people. Instead of academic background, those in the cybersecurity field would be better served by looking at a candidate’s skill sets. Do they have the skills needed for the job, even if they don’t have the degree? If they do, invest in that talent.

A few of the skills necessary for cybersecurity jobs:

Relevant past work experience,
Ability to understand advanced cybersecurity concepts,
Cybersecurity certifications,
Strength in non-technical soft skill areas.

University education can help, but it shouldn’t be the only factor in determining whether a potentially promising candidate in the cybersecurity field gets turned away, especially if that candidate could broaden the diversity of the field. Women represent only 23% of the cybersecurity workforce, according to (ISC)², and that number is after they broadened the definition of who works in cybersecurity.

It isn’t just companies that can help close the gap and guide more capable people into a cybersecurity career. Government initiatives like the UK’s Cyber Discovery free training program can help people explore their interest in IT, and ultimately decide that it’s a good career for them. State and federal governments in the U.S. should implement their own programs to seek out and support talent in a similar fashion.

Part of solving this problem will be getting the word out. Careers in IT and cybersecurity aren’t talked about as widely as more traditional paths like doctors or nurses, or trendier digital careers like YouTuber or Instagram influencer. But the fact is that people who have these jobs hold them a long time, are satisfied with the work they do and are compensated very well for their efforts. If more people knew that, starting at a younger age, they might find a place for their skills where they didn’t think one existed.

Companies can put themselves at the front of the pack by taking the initiative to find and recruit top talent outside the conventional pipeline. And they can do it by being willing to invest the time and money in proper, ongoing training. The cybersecurity skills shortage isn’t all that frightening if you know where to look to close the gap and are willing to take action.

Cybersecurity Paper Tigers are Killing Us

January 24, 2020 by Christian Espinosa

A paper tiger is a fake tiger, made of paper. It may appear to be a real tiger, but it has no substance, is unable to stand up to challenge, and can’t perform any other tiger duties.

Wikipedia defines a paper tiger as this:

“Paper tiger” is a literal English translation of the Chinese phrase zhilaohu (纸老虎／紙老虎). The term refers to something or someone that claims or appears to be powerful and/or threatening, but is actually ineffectual and unable to withstand challenge.

CompTIA has made the Security+ exam more difficult by adding “performance-based questions” to help with the paper tiger issue.

How do paper tigers relate to cybersecurity?

In my mind, the “paper” is often a cybersecurity certification and the “tiger” is the person holding the certification. A person with a CompTIA Security+ certification, for instance, may appear to be a real cybersecurity tiger. If this person just memorized exam questions, didn’t learn any material, and passed the CompTIA Security+ certification exam, they are a cybersecurity paper tiger though.

My company, Blue Goat Cyber, gets routine inquiries about our cybersecurity training. Many people assume we will just “teach the test”. Some people have even mentioned to us that other cybersecurity training providers offer onsite exams allowing people to take the exam “open book” and “as a group”, even though the exam is supposed to be taken solo, closed book. These behaviors breed more paper tigers. Is it any wonder why we have so many data breaches?

Cybersecurity Paper Tigers are Killing Us

Cybersecurity paper tigers are killing us for a number of reasons:

They don’t know enough to actually help with cybersecurity defense. Paper tigers are often responsible for cybersecurity controls, plans, policies, training, etc. The paper tigers don’t actually know much though, so the risk of them doing something wrong or ineffectively is very high. This is sort of like asking your 5 year old if he can drive your car. He says “yes”, so you let him drive to the grocery store. The outcome will not end up well.
They hire other paper tigers. People tend to want to be around people like them. Also, paper tigers typically have fragile egos, so hiring someone that knows less than them is often what they do. Fragile egos stem from incompetence and being “found out”.
They devalue cybersecurity certifications. Cybersecurity certifications still have a worth, but they used to mean more before the influx of the paper tigers. In the past, if you hired someone with the Certified Ethical Hacker (CEH) certification, you knew they had a certain level of knowledge, skills, and abilities. Now, you may see someone certified that doesn’t really know anything. I’ve interviewed people with penetration testing certifications that couldn’t tell me what nmap was…
They are not passionate about cybersecurity. This is sort of the elephant in the room. People that are passionate about a topic, industry, career, etc., make efforts to master these areas. Paper tigers are dabblers. They dabble just enough to give the appearance of expertise. If they are dabblers in their careers, the chance is they are dabblers in everything in their life.

Cybersecurity criminals are masters of their trade – not dabblers. A dabbler will always lose to a master.

The CEH Master requires a practical. Paper tigers need not apply.

What can we do about the cybersecurity paper tiger issue?

There are two areas to focus on to get rid of paper tigers:

Cybersecurity certifications that require a practical. Many certifications are moving towards having practical components to them. The CEH, for example, has two programs. The first is “Certified Ethical Hacker”, where you have to pass a multiple-choice exam. The second is “Certified Ethical Hacker Master” where you have to pass both the CEH multiple-choice exam and a CEH practical exam. Paper tigers may be able to pass a multiple-choice exam, but they will likely fail a practical exam, unless they actually learn some stuff. Learning some stuff may strip them from the paper tiger status!
Hiring procedures. We need to do better at interviewing and screening cybersecurity applicants. Just because someone has multiple cybersecurity certifications, doesn’t mean they know the material. It’s an employer’s duty to screen applicants appropriately. The people doing the interview need to know about the certifications or be certified in those areas themselves in order to discern the paperness of the tiger. For instance, if I’m interviewing someone with a Security+ certification, I should know the basics covered in Security+ so I can validate the candidate’s knowledge.

Let’s do the cybersecurity industry a favor and work to get rid of the paper tigers.