Certified Cybersecurity “Professionals” – Reboot Required
The cybersecurity industry is broken. What we have very loosely defined as a cybersecurity “professional” is not cutting it. The organizations that need cybersecurity deserve better.
This article focuses on cybersecurity certifications, yet addresses a larger issue with the overall cybersecurity industry – stringent license requirements, as opposed to certification exams that can be easily “gamed”.
Cybersecurity Certification Trend
I’ve noticed a trend that seems to be getting worse.
The trend is this:
Fewer people seem to care about the cybersecurity profession – they just want to learn what’s on a certification test so they can get “certified” and get a high-paying cushy job where no one holds them accountable.
This trend bothers me in a number of ways:
Cybercriminals are winning. Cybercriminals, at least the good ones, take their trade seriously. Otherwise, they’d get caught more often. Many certified cybersecurity professionals, the “good guys”, are not really professionals anymore – they don’t take their trade seriously. This is the primary reason the cybercriminals are winning.
It’s apparent the “instant gratification” wave is here. Many people don’t want to put in the effort to learn a trade anymore. They just want to study the bare minimum, pass a certification exam, get hired, then fake it at a job as long as possible.
B Players hire C Players. C Players hire D Players. We’ve ended up with an industry filled with C and D players. Certified people that don’t really know what they are doing can’t make proper hiring decisions and, most of the time, let their ego get in the way. Their ego prevents them from hiring someone “smarter” than them; a new hire that actually knows what they are doing might find out that the person that hired them doesn’t know much, and has been faking it.
Inflated salaries. Salaries for people who hold a certification (such as the Security+) but have no experience, are paper tigers, and couldn’t care less about cybersecurity are grossly inflated. This perpetuates the problem, as the lure of money attracts people, like moths to a flame, to a career field that they have no passion for and, therefore, will not develop skill in.
Cybersecurity certification classes. People that just want to pass the test are not ideal students and are difficult to deal with as a trainer. They constantly ask “is that on the test?” and say things like “why are we learning that, if it’s not on the test?”. I often wonder if certification courses are helping or hurting the industry. Alpine Security’s trainers are awesome and really enjoy helping people that want to learn, pass the exam, and make a difference, but it is demoralizing, draining, and downright frustrating dealing with people that don’t care about cybersecurity and just want to pass an exam.
Who “just wants to pass” the certification exam?
There are two main categories.
People that heard cybersecurity pays well, just want to make money, and don’t care about the industry or profession.
People that are mandated by their employer to have a cybersecurity certification for their job. This could be private or public sector.
I can’t point out a challenge, without offering some solutions…
Add licensing requirements for cybersecurity professionals. Many cybersecurity professionals protect your health records (PHI), intellectual property, and sensitive personal data (PII – credit card data, date of birth, SSN, etc.). Just about every other industry has federal and state licensing requirements. If a barber needs a license to cut your hair, shouldn’t a cybersecurity professional? A cybersecurity professional protects your identity and medical records and may also be responsible for securing a hospital network and the life-sustaining medical device connected to your grandmother.
Cybersecurity has no license requirements. If I want to become a “Cybersecurity Analyst”, I don’t need a license. I can just start promoting myself as such, study brain dumps or exam crams, pass a few cybersecurity certification tests, become the “expert”, and provide ineffective cybersecurity for my organization.
For comparison’s sake, let’s look at the licensing requirements to become a barber. A barber license is required in all 50 US states to work as a barber. The barber license requirements vary by state, so I’ll just pick one for comparison to a cybersecurity analyst. I’ll go with Arkansas because I grew up there from age 12-18. Here are Arkansas’s Barber License requirements (https://www.barber-license.com/arkansas/):
Step 1. Complete a Barber Education Program
As a candidate for an Arkansas barber license that has not been licensed in other states, you must first complete a formal barber program that is at least 1,500 hours in duration.
Step 2. Apply for an Arkansas Barber Technician Certification
The Board issues barber technician certifications for students who have completed at least 20 full working days of study in an approved school of barbering and at least 20 hours of study in the sterilization of tools and the barber laws of the State of Arkansas.
Step 3. Apply for an Arkansas Barber License and Take the Required Examinations
Once you have completed the required barber program, you must apply for a barber license at least 10 days before the date of the next barber examination. The Board furnishes all applicants with the appropriate forms.
The barber examinations include both a practical demonstration and a written and oral test. You must submit a completed application, along with a certification of your completed barber school hours, before you are eligible to participate in the examination process.
Step 4. Learn About Job Opportunities in Barbering and Keep your Arkansas Barber License Current
Your Arkansas barber license must be renewed every odd-numbered year, before your birth date. There are currently no continuing education requirements for licensed barbers in Arkansas.
So, to sum it up, to be a barber in Arkansas, you need:
1500 hours of training. This is the equivalent of 37.5 forty-hour weeks.
20 FULL working days of study in an approved barber school
20 hours of sterilization training
Pass required exams (plural): a practical demonstration, plus a written and oral test
To become a cybersecurity expert in ANY state in the US, you need:
This section intentionally left blank…
If licensing requirements are tied to risk, it seems the risk is greater with cybersecurity professionals. I mean I certainly don’t want to get a bad haircut from an unlicensed barber. But, I’ll take the bad haircut any day over an unskilled paper tiger not securing the medical device that is providing life support to my grandmother in the hospital.
Make cybersecurity certifications practical-based
This gets rid of paper tigers. You generally can’t pass a practical unless you know what you are doing. EC-Council is taking this approach with CEH Master. Licensing requirements would fix this too.
Industry leaders need to step up and put purpose before profit
At Alpine Security, we are making an effort to attract our ideal students and repel the others. This is a bit risky, as we are a business and need to generate revenue. I cannot, however, in good conscience support a broken system that hurts the cybersecurity industry and those the industry supports. I’ve thought about pulling Alpine Security out of the cybersecurity certification training business altogether. This only hurts the students and professionals that actually care though, as I believe we offer outstanding training with trainers that are passionate about cybersecurity.
Downsides of Changing the Status Quo
I know, I know…but, what about the cybersecurity skills shortage…the skills gap we hear about incessantly every day? Won’t licensing requirements, practical exams, etc., make this worse?
The “skills gap” primarily exists because cybersecurity is considered “white collar” (an antiquated term), where a college degree (any degree) matters. As if a college degree in political science or history makes a person qualified for a cybersecurity job? Really? I’d rather take someone “blue-collar” that has gone through 1500 hours of focused cybersecurity training, an apprenticeship, and passed a practical, written, and oral exam.
Yeah, but that’s 1500 hours? Isn’t that a lot? True, but a 4-year college degree is more than 1500 hours of time (mostly wasted) and a hell of a lot more money.
As for the skills gap, I’d rather have one person that is a professional, is passionate about what they are doing, and has a license in cybersecurity, than 15-20 people that are paper tigers.
One real tiger can easily take out 15-20 paper ones. I don’t know what the real cybersecurity skills gap number supposedly is, but if we divide it by 15-20, it isn’t that big of a deal.
What we are doing now, the status quo, is not working. It’s time for a change.
I don’t have all the answers, but I think it’s worth opening the dialog and working to address this cybersecurity “professional” challenge, rather than pretending it doesn’t exist. Perhaps cybersecurity licensing requirements are the solution. I am willing to commit some of my time to make this happen. Alpine Security will also be more selective of students. Our goal is to help the industry and our clients, not contribute to the problems in our industry.
Here’s a simple list we developed to attract the right students and repel the rest for Alpine Security’s cybersecurity training:
Not a good fit for Alpine Security’s training:
Think of what you do for work as a job, rather than a career
Have a fixed-mindset
Make decisions based on your ego, rather than what is right and adds value
Are lazy and value short-cuts
Good fit for Alpine Security’s training:
Believe in a career, not a job
Have a growth-mindset
Want to make a positive difference
Willing to put in the time to learn a trade and become a true professional