Performance-Based Cybersecurity Certifications: Discerning Capability
The cybersecurity field carries a professional charge like few others. Having exploded into the commercial landscape over the last decade, the discipline is in a perpetual state of flux. Although it is subject to myriad definitions, most hopeful professionals and students know two things about cybersecurity: first, it is important; second, it is growing.
This trend is evident at the highest levels of corporate consciousness. A recent Forrester poll cited a 48 percent increase in executive awareness of information security. As a result, students and professionals worldwide are pursuing the vocation, while companies struggle to hire them.
However, a disconnect has occurred somewhere in the training process, because the people who have studied, prepped, certified and sacrificed for these skills and jobs are often deemed unqualified, unproven or unknown by hiring organizations. As a result, both the aspiring professional and the hopeful hiring organization are left wanting. This is underlined by the fact that one of the biggest hiring hurdles organizations face is finding people with the “right stuff.”
The same Forrester poll noted that 59 percent of cybersecurity organizations said finding employees with the right skills was either a challenge or a major challenge. Of those respondents, 59 percent felt that keeping their cybersecurity team appropriately staffed was either a challenge or a major challenge. This reinforces the findings of the ISACA/RSA survey State of Cybersecurity: Implications for 2016, which found that 27 percent of respondents needed at least three to six months to fill vacancies.
This disruptive cycle of cybersecurity employment disappointment is a direct result of the current education and certification systems, which churn out graduates and certificate holders who, while displaying gumption and interest, are rarely evaluated on the level that matters: hands-on performance.
True capability in the field of cybersecurity does not come from the traditional certification or education process; it requires performance-based testing and evaluation in live environments. Only by directly assessing an individual under pressure and time constraints can organizations truly place their faith in new hires.
The Problem
It is easy to see why many cybersecurity job hopefuls are struggling. Traditional academic institutions offer advanced degrees in cybersecurity without ever dissecting a packet, instead providing curricula heavy in policy and guidance. While no cybersecurity education is complete without a thorough understanding of the laws that govern the realm, it is equally important that students learn the practical side of the craft.
Meanwhile, many certification programs that vaunt their technical aspects suffer from rampant test and evaluation corruption: students purchase copies of the antiquated knowledge-based exams online, memorize the answers and cheat the certification process. So it comes as no surprise that most organizations feel only half of their cybersecurity applicants are qualified upon hire.
The Solution
A cure is at hand: the Cybersecurity Nexus (CSX). CSX is a holistic program, developed from the ground up, with real-time evaluation of technical skills at its core. With three levels, Practitioner, Specialist and Expert, the program meets hiring organizations’ needs for new, proven talent.
Understanding that the greatest skills needs in cybersecurity organizations are in security operations, such as device configuration, policy maintenance and intelligence analysis, CSX provides students with consistent, live lab environments that are accessible anywhere with an Internet connection. Additionally, CSX integrates the important governance and policy details of the cybersecurity field, including international ISO and ISA compliance as well as elements of the Cybersecurity Framework.
While this is helpful for students, the true value lies in the certification exam, which requires them to identify and protect assets, detect and respond to threats, and recover from network incidents in a live environment. They are evaluated in real time, based on their performance and effectiveness. The end result is competent, proven cybersecurity professionals who deliver results on their first day.
Hope for Competence
While the cybersecurity field matures and expands, it is important to remember that accurate evaluation of hands-on skills is the most effective way to ensure that potential hires and aspiring professionals are able to prove their abilities. By applying performance-based instructional and certification mechanisms, like those in the CSX program, organizations can feel confident that their new hires are effective on day one, and new employees can take solace in the knowledge that they have proven their worth.
(About the author: Frank Downs is senior manager of cyber/information security at ISACA. This post originally appeared on his ISACA blog.)