Commentary
4/14/2014 09:06 AM
W. Hord Tipton

Luring The Elusive Cyber Security Pro

Struggling to find scarce IT security talent? Make sure your hiring managers understand the certifications and match candidates for skills fit -- not just credentials.


The shortage of cyber professionals in both public and private sectors hardly comes as news to those of us in the cyber security community. But it is telling when those shortages become national news.

A recent Washington Post article reported that the D.C. region has more cyber job openings than any other area in the US. According to the story, the requirement that candidates hold a CISSP certification was likely a factor in such a high percentage of jobs going unfilled. CISSP stands for Certified Information Systems Security Professional. In other words, organizations are not able to "fast-track anyone to being certification-ready" and thus aren't able to fill positions.

Although the increased demand for the CISSP -- (ISC)2's flagship certification -- is great news at one level, it misses a larger point. The shortage of certified security experts reflects, to a certain extent, a lack of understanding about the types of certifications professionals can earn and the requirements associated with them. I would encourage the US government and every industry building its cyber workforce to take the time to fully understand the career path of cyber professionals -- and to do so before assessing their personnel needs and publishing job opening requirements.


If hiring managers and HR personnel did this, they would know that, in fact, there is a track by which professionals can become certification-ready, and it's not as time consuming as one might think. For instance, information security professionals who do not possess the required amount of work experience for the CISSP, or any other high-level (ISC)2 certification, can pursue the (ISC)2 Associate Program. Candidates must pass one of several certification exams. Then, after earning the requisite years of experience for the credential, they receive full certification once they complete an endorsement process.

Another certification, the hands-on technical Systems Security Certified Practitioner (SSCP), is open to candidates with only one year of work experience. SSCP professionals can play important roles in an organization: In the world of continuous monitoring, for example, one needs four to five SSCPs for every CISSP.

Yet we still see organizations hiring CISSPs more for the reputation of the credential than for the actual skill fit. We estimate that about 70% of the security personnel searches we see ask for a CISSP. I know of none requiring the SSCP. But what organizations are really looking for are practitioners -- who have the added benefit of not commanding the same high salary as a CISSP.

Another example is forensics. All CISSPs and SSCPs have a minimum baseline knowledge of forensics, but if you are looking for a full-time forensics person, you should consider a forensic technician with specific tool training from SANS. If you want a full-blown forensics expert, you should consider (ISC)2's Certified Cyber Forensics Professional (CCFP).

TRADOC training exercise. (Image: Army CIO-G6)

Many organizations get it. The SSCP, (ISC)2 Associate, and other (ISC)2 certifications are all identified by the US Department of Defense as approved certifications under the DOD's 8570.1 mandate. The Defense Department offers a good example of how organizations that understand the cyber security career path are modifying job requirements to reflect these different credentials. The civilian side of government should be quicker to adopt this model.

So why aren't we seeing more government and contractor job descriptions following suit?

If agency hiring personnel can't or won't develop or search for the appropriate position description, that's an indication that they're not clear on exactly what they need. The government is just now recognizing that it needs more specific job series and descriptions in order to fill the needs of the IT security sector, yet it can't accurately say how many security personnel it has because of insufficient HR documentation.

If they had a more thorough understanding about the cyber security career path and the accumulation of skills that accompany it, more organizations would modify their job requirements, resulting in more positions being filled and the number of job openings decreasing.

One great resource for learning about the full range of cyber security certifications, how they're developed, and how they meet the IT needs of organizations is the Cybersecurity Credentials Collaborative (C3). C3 provides a forum for a variety of vendor-neutral certification bodies, not just (ISC)2, that concentrate on information security, privacy, and related IT disciplines. (ISC)2 has also recently published a paper about the evolving state of cyber security work.


W. Hord Tipton, CISSP-ISSEP, CAP, CISA, CNSS, is currently the executive director for (ISC)2, the not-for-profit global leader in information security education and certification. Tipton previously served as chief information officer for the U.S. Department of the Interior ...

Comments

asksqn, 4/22/2014 | 5:50:43 PM
All that glitters is not necessarily a security cert
Speaking as a female in I.T. who leans towards security, I can tell you that the biggest obstacle I have faced is the rampant sexism in the industry, more so than taking the CISSP exam, which I studied for years ago with a professional government contractor group but was never able to sit for due to the work experience requirement that I could never obtain as a result of said sexism.