
The Truth About Cybersecurity Certifications

Almost every industry has certifications. Some carry more weight than others, but it’s clear there’s a trend of over-certification in cybersecurity. Most cybersecurity certifications aren’t hard to obtain and thus are not an illustration of someone’s expertise. The industry is creating many paper tigers — someone who claims to have knowledge but just passed a multiple-choice test to earn a certification.

The Certification Structure Is Failing Us

The explosion of paper tigers in the industry is setting businesses up for cybersecurity failure. The bar for earning certifications has become dangerously low. Equally concerning is that there are no specific regulations on training or hours for cybersecurity professionals. In contrast, skilled trades require a certain amount of training hours, apprenticeships, and more. That’s a problem because those that are in place to protect one of your company’s most valuable assets — your data — aren’t ready to be in that position.

Certifications Do Not Equal Quality Talent

For many years, the industry has been buzzing about the lack of talent; there weren’t enough cybersecurity professionals to feed the demand. With this alarming message, certifications in the field became like a golden ticket to employment. The industry needed an influx of talent. Unfortunately, certifications do not equal quality talent. IT leaders, however, believe that certifications bring value. They do at times, but it’s risky to put so much emphasis on a few letters.

They are merely Band-Aids placed on the problem of putting effectual people into roles. Hiring demand was high, and certifications suddenly became what every hiring manager was seeking.

The proliferation of certifications is a cause-and-effect situation. Technology innovation and advancements required more professionals in the industry. Then there was a talent gap or a lack of people in the field. In turn, organizations promoted certifications that would give anyone a prosperous career path — except most certifications don’t test for knowledge, rubber-stamping individuals to increase the number of certified professionals. More education, however, isn’t the answer either.

College Degrees Don’t Solve the Talent Gap Either

The next logical answer to the talent gap is college degrees, because surely those graduating from university are prepared for the world. We know that’s not the case, as many graduates walk out into the real world and find themselves lost.

If every company required a four-year college education to get a job, there would be fewer candidates. But those candidates aren’t always going to be qualified. That’s because the university model has its own shortcomings, especially in the technology realm.

Think about how fast cybersecurity is changing. Every day, there are new attacks, each one more complex than before. It’s hard to capture all this movement in a textbook. How could a professor keep pace with this, especially one that’s not in the trenches? Frankly, there are a minimal number of capable professors with real-world experience. So, it’s all theory, and that’s what they teach. Theory very seldom equals reality.

Even applied sciences universities, which aim to be more practice-oriented, don’t adequately prepare students for a real job in cybersecurity. I was a cybersecurity professor at a university and attempted to bring practicality into the lessons. I framed my classes as real scenarios, leaving the books behind. I was trying to lead with practical knowledge, except the students complained and said it was too hard.

This experience proved to me that cybersecurity students wanted an academic degree, not a practical one. They either lacked passion or had no idea what cybersecurity work really is. Maybe Hollywood movies about hacking influenced their field of study. And that portrayal of the industry is anything but realistic.

What I learned from this was that the university system, like the certification one, is broken. Higher learning is not preparing students for the day to day of cybersecurity careers.

Hiring Practices Need to Evolve, Too

The other part of the cybersecurity certification and degree problem is hiring practices. Certifications are given far too much gravity over having useful hard and soft skills. Industry experts are aware of the over-certification, giving little importance to those pieces of paper. However, mainstream corporate hiring managers still give credence to the fact that someone passed a test, for which they could have easily memorized the answers.

Applicants then quickly update their resumes and soon land a job in cybersecurity. Cybersecurity teams then become overrun by paper tigers. These individuals don’t have the skillset or experience to face the many challenges of the cybersecurity war. They are up against a more sophisticated army of hackers with a much higher acumen than those on the front lines protecting your organization.

The cycle continues. These paper tigers then hire more unqualified people. A paper tiger isn’t going to bring on someone that knows more than they do because they need to be the smartest person in the room. So, yes, the bar’s that low.

A disruption to the cybersecurity certification system needs to occur. Companies can push back on the certification ecosystem by requiring that certifications be practical.

The Shift to Practical Cybersecurity Certifications

So, how do we turn things around and be real about certifications while also improving them? The first step is to emphasize practical certifications.

Even though I believe there is an over-certification issue in the field, and most are worthless, I’m not counting out all certifications. The industry of training and companies hiring cybersecurity professionals needs to shift to practical certifications.

Practicality is not acing a multiple-choice exam. It’s functional and puts students in real-world scenarios to respond. As someone that holds over 25 certifications, I have a good idea of which ones are actually proof of expertise, and those are few.

Some certification bodies are evolving and doing it right. I’d be remiss not to call out some of the companies helping to fix the cybersecurity talent problem.

CompTIA

CompTIA offers cybersecurity certifications that combine hands-on experience and performance-based and multiple-choice questions. Their curriculum stays up to date on what’s happening in the field, focusing on techniques to combat new and emerging threats.

Their PenTest+ certification includes the elements discussed above and the management skills necessary to scope and manage weaknesses, not just exploit them.

EC-Council

The International Council of Electronic Commerce Consultants (EC-Council) is the world’s largest cybersecurity technical certification body. They have developed several well-known and respected certifications:

  • Certified Ethical Hacker (CEH)
  • Computer Hacking Forensic Investigator (CHFI)
  • Certified Chief Information Security Officer (CCISO)
  • Licensed Penetration Tester – Master (LPT Master)

The National Security Agency (NSA) and the Committee on National Security Systems (CNSS) endorse their programs, and they have accreditation from the American National Standards Institute (ANSI).

The CEH program, which I think is one of the best, is an immersive class that includes 24 hacking challenges across four levels of complexity, covering 18 attack vectors. It’s a real hands-on practical learning experience. The practical part of the exam would be unpassable for paper tigers. You can’t memorize how to apply techniques to scenarios. It requires critical thinking and knowledge.

If you’re looking for a certification that translates into a cybersecurity job, the CEH should be at the top of the list.

Fixing the Hiring Practice Problem

The first thing any company should do regarding hiring is to let go of the fallacy that a certification is a mark of expertise. You need to have a broader view of what certification means. Simply put, was it a practical or a multiple-choice test?

Even if the person has a long list of certifications, this still isn’t a sign they have the skills you need. If you want to know whether the candidate has the knowledge you assume comes with these certifications, ask the right questions. If they can validate with their answers, you can feel more confident in the worth of those certifications.

The next part is to focus more on hard and soft skills. Hard skills align more with certifications and degrees. They are also testable. You can quickly discover if they have these. Soft skills are harder to gauge. You’ll learn that soft skills are often more valuable. They include being a good communicator and collaborator. Others are a willingness to change and evolve, staying curious and perceptive. In the end, they are people skills, and that may be the real skills gap in cybersecurity.

People Skills Are More Impressive than Certifications

Helping cybersecurity professionals enhance and grow their people skills could be the answer to winning the cyberwar. It’s not an easy proposition, but it’s possible to transform your employees (if they have the right mindset) and build their people skills. That’s the heart of my book, The Smartest Person in the Room. Read it today to learn more about cultivating your people.

Your Cybersecurity Methods Are Failing – Here’s Why

As much as every organization wants to believe they are cyber secure, the reality paints a different story. Cybersecurity methods continue to evolve with an emphasis on tactics and technology. This progression of companies and government agencies follows the cybersecurity status quo that it’s a hardware and software issue.

And that’s just a complete disregard for the real problem. If you want to know why your cybersecurity methods are failing, it’s because it’s a people issue. This is a major theme of my book, The Smartest Person in the Room. It’s a reality that most organizations don’t want to face. Not because they don’t accept this notion; it’s because they don’t even have an awareness of it!

The Cybersecurity Landscape Points to Failures

There is plenty of available data and statistics that illustrate failures. They don’t necessarily lead to the why, but they are important for context nonetheless. Cybersecurity risk is growing, and incidents are increasing.

If you’re in the industry, these numbers aren’t new to you. However, that doesn’t mean they shouldn’t be eye-opening. The numbers continue to trend up, and an organization’s go-to for this is money and defenses.

Cybersecurity Method Failures Aren’t About Spend or Defenses

Cybersecurity budgets keep increasing. Financial services, one of the most prone to cyber-attacks, spend 10% of their IT budget on cybersecurity. Tech giants like Microsoft spend even more. The company’s CEO said they would spend more than $1 billion. Government spending is up as well, with the 2019 budget for the U.S. at $15 billion.

It’s not a money problem. Dollars are essential to fighting the cyberwar, for the best technology, talent, and infrastructure. Unfortunately, many organizations believe if they spend enough, they’ll be free from attack. High budgets do allow for more technology and people, but that doesn’t always equal a successful program. Companies often learn, when something goes wrong, that money and processes don’t make their networks impenetrable.

All you need to do is look at the SolarWinds hack, which led to the infiltration of at least 18,000 government and private networks. It illustrates the weaknesses of supply chain security and certainly didn’t happen because they weren’t spending buckets of money. There’s no definitive answer on what the failures were for this case, but in looking at alternatives, it could turn out to be a people problem.

One possible line to draw: the former Chairman of the Joint Chiefs of Staff said of probable cyber attackers, “If they know that we have an incredible offensive capacity, it should deter them from conducting attacks on us.”

The position was that if would-be hackers knew the prowess of the U.S.’s cyber arsenal, they’d cower. That didn’t really work out very well and points to a larger problem within the cyber community. This example in no way characterizes these experts as incompetent. Rather, it shines a light on the culture of cybersecurity.

What’s the Real Reason Cybersecurity Measures Aren’t Working?

As I said in the introduction, it’s the people entrusted with the security. It doesn’t necessarily mean they aren’t knowledgeable or don’t have training and experience. The profession is broken. Those who are practicing cybersecurity and the leadership that manages, hires, and recruits them need a reset.

Here’s why you’re failing and what you can do about it.

Cybersecurity Professionals Aren’t Passionate

Most would say that to succeed in a career, passion is necessary. If you look at those who have achieved great things in any profession, it wasn’t their intellect alone. They had the drive and were invested in their work. Most cybersecurity professionals don’t have this. They don’t take it seriously or simply want to punch a clock. They believe it’s a stable career and do the minimum.

On the other side, cybercriminals are passionate. This is their livelihood, and they treat their endeavors like Olympians chasing gold medals. When there’s this kind of imbalance in protectors versus perpetrators, the hackers are going to win.

The Prevalence of Paper Tigers

Paper tigers in cybersecurity are diluting the profession. What it means is they look good on paper — they have a certification or multiple ones as proof that they know what to do.

Unfortunately, they don’t.

They have very little real knowledge or experience. Organizations hire them, and they immediately become a risk, not a value. They don’t know what they don’t know, and that’s scary. Paper tigers also tend to have fragile egos, so they’ll never admit they don’t have the answer or understand the situation. They’ll keep backpedaling and become defensive instead of being communicative and collaborative.

The situation becomes worse as paper tigers hire paper tigers. Then you have a whole team of “professionals” that have no idea how to protect your data and infrastructure.

A Culture of Insecurity

As I just touched on, paper tigers are insecure. So are many in the profession, regardless of their skillset. Technical folks derive a lot of self-worth and value from their career, and that would plummet if they suddenly admitted they weren’t the smartest person in the room. They feel they have earned their way because they have the certifications or degrees on the wall.

Insecurity means people are closed off from learning and growing. Their blind spot keeps getting bigger. In turn, they begin making cybersecurity methods more complex and complicated, believing only they know how to apply them. Such a framework doesn’t provide any guarantee that you’re free from risk. In fact, it can make you less secure. It’s like having 10 locks on your door but leaving it wide open. It’s an illusion of security.

Insecurity and Fear Lead to Posturing

Those in charge of cybersecurity also have fear mixed with insecurity. They are fearful that peers or leadership will find out that they don’t have all the answers or experience. So, they counter by posturing. The posture they present is that they “know” what’s going on and how to be cyber secure. This defense mechanism results in using big words and overcomplicating the basics. In reality, there are five CIS (Center for Internet Security) Controls that will stop 85 percent of all attacks. Further, cybersecurity professionals who posture don’t even cover the basics:

  • What do you do?
  • What are you trying to protect?
  • What’s important to the business?

Paper tigers and insecure people aren’t going to ask any questions! They’ll just start laying out jargon and puffing their chests. They only want to seem like they have it under control when there’s a fire in the kitchen, and they don’t even know what baking soda is.

The Biggest People Problem? Communication

There’s a consensus among many that technical people have bad communication skills. That’s not universally true, but I would say it’s the biggest people problem in cybersecurity. They are long on jargon or buzzwords and short on substance.

They also often can’t articulate how and why they do things, and they certainly butt heads with business-focused colleagues. Poor communication skills, or a lack of them altogether, are why cybersecurity groups fail internally most of the time.

If there’s no openness in communication, there’s no collaboration or teamwork. Cybersecurity has to be a group effort, and everyone must be on the same page. That’s hard when there are communication barriers.

Moving from Failure to Succeeding in Cybersecurity

Fundamentally, if your business has been the victim of cybercrime, it was likely a people problem. If you haven’t had an incident, it’s probably a matter of if, not when. In either situation, you need to make some people changes.

My approach to solving the people problem and bolstering cybersecurity is the Secure Method. This approach focuses on soft skills and helping professionals lead with their head and heart. It’s a step-by-step guide with seven parts:

  1. Awareness of self and others
  2. Mindset moving from fixed to growth
  3. Acknowledgment of self (removing ego) and others when they make positive changes
  4. Communication (words, tone, and body language): learning how to articulate feelings and situations and listening
  5. Monotasking (concentrated work)
  6. Empathy (looking at other’s perspectives with compassion)
  7. Kaizen (change for the better by being better)

I’ve given you a very brief explanation of each step. There is a lot more, including how to make it through each step. The Secure Method is actionable, and any organization can use it to solve the people problem.

You can read all about it by ordering my book, The Smartest Person in the Room. It will give you a unique perspective on cybersecurity and how to harness and develop talent to really be cyber secure.