Do Cybersecurity Certifications Meet Today’s Needs?

Would an engineer build a bridge without assessing the soil profile of where the footings will sit? Without understanding the materials that go into the construction of the bridge, without assessing external forces like wind and rain, without factoring in the load the bridge would need to handle at rush hour? 

Of course not. Why? Because if the bridge collapses and people die, the engineer will face grave professional and even legal consequences. Yet in our industry, products and solutions are recommended all the time without necessarily understanding what the organization’s compliance and risk requirements are for those controls being recommended – or appreciating the consequences of an incomplete or incompetent implementation. 

Most industries where practitioners can do serious harm have strict accreditation practices in place. Doctors need to go through medical school for years and complete residency. Lawyers go to law school, need to pass the bar exams, and “article” to gain exposure to specific areas of law under supervision. To become a CPA (chartered professional accountant), you must obtain a relevant bachelor’s degree, complete at least 2½ years of practical experience, complete multiple training modules and a rigorous CFE exam. Further, these professionals are required to have continuing skills education as their fields evolve over time. Would you want to see a doctor who stopped learning a decade ago? 

You could argue that the cyber attacks that cybersecurity practitioners are tasked with defending against have similarly farther-reaching consequences. For example, an attack against an IoT device in a healthcare setting could harm or kill a patient. Cyber attacks on critical infrastructure can cut off power, water, or other essential services. Inadequate defenses against these attacks can have a devastating impact on large numbers of people. Data breaches can expose the sensitive personal information of millions, potentially creating havoc on the day-to-day lives of innocent victims. 

Yet, while the cybersecurity industry has numerous certification options designed to assess the knowledge and skills of practitioners, there is no overarching regulatory body that oversees the professional competence and conduct of cyber professionals. Cyber “experts” are free to self-identify: there is no licensing for the field. Where should certifications be required for cybersecurity, and do existing ones do enough to assess practitioners’ expertise? 

The Benefits of Certification

90% of security leaders prefer to hire candidates with certifications, and over a third of employees received a pay increase after completing a certification. The reason for this is that cybersecurity certifications provide multiple potential benefits to candidates and the companies that employ them, including: 

  • Demonstrating Skills: Cybersecurity practitioners are expected to have certain skills to fulfill their roles. Certifications can prove to employers that candidates have the skills that they claim. 
  • Standardizing Vocabulary: Certification bodies commonly define standard vocabulary for use in their exams. This standardization also aids communication outside of the exam environment. 
  • Upskilling and Specialization: Certifications provide students with the ability to learn new skills and take exams to test them. This helps people to enter the field and also supports transitions into specialized roles, such as incident response, malware analysis, or digital forensics. 

Who Should Be Certified?

Certifications offer the potential to reduce cybersecurity risk for a company and its customers. Employees with the right skills at the right place in an organization could make the difference when preventing or mitigating a cybersecurity incident. So, what employees should be certified and what skills do they need? Consider: 

  • SOC Analysts and IR Team 
    The corporate security operations center (SOC) and incident response team are responsible for identifying, preventing, and remediating security incidents. Validating their skills helps to ensure that the organization can protect itself and its customers’ data against potential attacks.  
  • Security Auditors 
    Security auditors validate an organization’s compliance with regulations such as GDPR, PCI DSS, and HIPAA. Auditors must be certified to ensure that their audits accurately assess an organization’s security posture and regulatory compliance. 
  • C-Level Executives 
    Regulations such as the EU’s NIS2 and the U.S. Sarbanes Oxley Act (SOX) make executives personally responsible for an organization’s cybersecurity. For example, SOX 10-K disclosures require the CEO and CFO to attest to potential threats to the organization’s financial footing — including the potential for cyberattacks.

If regulators and customers are relying on executives’ assertions that the company is secure, these executives should have the knowledge to make that determination or direct access to someone who does. Requiring the CIO/CISO to complete a certification evaluating both business and security knowledge could improve the reliability of these reports. 

The Challenges of Cybersecurity Certification 

In the cybersecurity industry, there are several major certification providers — CompTIA, ISC2, SANS, ISACA, EC-Council, etc. — and numerous smaller certifications. Each of these is designed to evaluate and certify a candidate’s knowledge and skills in a certain area. 
However, with so many to choose from, how can a candidate or business choose the “right” certification? And do these certifications actually demonstrate that a candidate has the necessary skills? 

Relevant Skills vs. Book Knowledge

One of the most common critiques of cybersecurity certifications is that they don’t accurately assess hands-on knowledge and expertise. Many certification exams rely heavily on multiple-choice questions, which are better at testing rote memorization than at testing whether a candidate can actually use a tool or react properly to a complex scenario. 

Some certification providers are working to address this potential issue. For example, TCM Security’s Practical Network Penetration Tester (PNPT) exam is a week-long assessment in which a student performs a real pen test in a sandbox environment, writes a professional report, and performs a debrief. EC-Council also introduced a Practical component to its Certified Ethical Hacker (CEH) exam to test hands-on skills. 

Certification Accreditation

At the end of the day, certification providers are in the business of convincing people that their certification is valuable. If employers require the certification or employees think it will help them get a job, then the provider makes money. This fact makes it difficult to determine whether a certification tests knowledge and skills that bring value to the business. 
Certification accreditation can help with this problem. Some certification programs are accredited under ISO 17024, which validates the competence of certification bodies. Certifications that have undergone ISO 17024 accreditation have undergone a formal, external review to validate their contents.

Student Authentication

Certification exams are designed to assess a candidate’s knowledge and skills. Often, these exams are taken without access to textbooks or the Internet to prevent cheating. 
However, some organizations like Take My Online Exam offer test-taking services with guaranteed passing. Additionally, the rise of generative AI and deepfakes makes it more difficult to determine if a candidate is who they claim and whether they received outside help.

Recertification Processes 

Many certification bodies allow students to renew their certificates after they have expired. This can be accomplished through various means, including retaking the exam, writing articles, giving talks, and similar activities. 
While these activities are valuable, they don’t prove that the candidate retains the knowledge required by the original exam. Similarly, there is no guarantee that the candidate has kept abreast of technical and security advancements. 

From Certification to Licensing 

The patchwork of certifications and the risk involved have increased support for the concept of licensing cybersecurity professionals, just as doctors, engineers, and accountants are licensed today. Licensing would establish a baseline of knowledge, skills, and experience required for cybersecurity roles, helping to mitigate risks posed by unqualified practitioners. It would also hold cybersecurity professionals accountable to a code of ethics and continuing education requirements, fostering expertise and responsible conduct in this critical field that has far-reaching impacts on national security, business operations, and individual privacy.

Accessing Trusted Expertise

At ISA Cybersecurity, we follow a formal process to ensure our teams have the skills to face any cyber challenge. Within each service framework, we identify the tools, roles, and expertise required to manage each process, enabling us to develop an inventory of the required skills, qualifications, and experience per role type. Certifications are maintained on an annual basis, ensuring that we are ready to face the evolving challenges in the real world. Proven knowledge and expertise are critical to your organization’s security.

Cross your bridge with confidence: contact us to learn more about how ISA Cybersecurity can help.