The shortage of cyber professionals in both public and private sectors hardly comes as news to those of us in the cyber security community. But it is telling when those shortages become national news.
A recent Washington Post article reported that the D.C. region has more cyber job openings than any other area in the US. The requirement that candidates hold a CISSP certification was likely a factor in such a high percentage of jobs going unfilled, said the story. CISSP stands for Certified Information Systems Security Professional. In other words, organizations are not able to "fast-track anyone to being certification-ready" and thus aren't able to fill positions.
Although the increased demand for the CISSP -- (ISC)2's flagship certification -- is great news at one level, it misses a larger point. The shortage of certified security experts reflects, to a certain extent, a lack of understanding about the types of certifications professionals can earn, and the requirements associated with them. I would encourage the US government and every industry building its cyber workforce to take the time to fully understand the career path of cyber professionals -- and to do so prior to assessing their personnel needs and publishing job opening requirements.
[Federal agencies are recognizing the importance of investing in human capital, not just cyber security technology. Read 7 Reasons Federal Cybersecurity Hires Will Grow.]
If hiring managers and HR personnel did this they would know that, in fact, there is a track by which professionals can become certification-ready and it's not as time consuming as one might think. For instance, information security professionals who do not possess the required amount of work experience for the CISSP, or any other high-level (ISC)2 certification, can pursue an (ISC)2 Associate Program. Candidates must pass one of several certification exams. Then, after earning the requisite years of experience for the credential, they will receive full certification after completing an endorsement process.
Another certification, the hands-on technical Systems Security Certified Practitioner (SSCP), is open to candidates with only one year of work experience. SSCP professionals can play important roles in an organization: In the world of continuous monitoring, for example, one needs four to five SSCPs for every CISSP.
Yet we still see organizations hiring CISSPs more for the reputation of the credential than the actual skill fit. We estimate about 70% of the security personnel searches we see ask for a CISSP. I know of none requiring the SSCP. But what organizations are really looking for is a practitioner -- who have the added benefit of not commanding the same high salary as a CISSP.
Another example is forensics. All CISSPs and SSCPs have a minimum baseline knowledge in forensics, but if you are looking for a full-time forensics person, you should consider a forensic technician with specific tool training from SANS. If you want a full-blown forensics expert, you should consider (ISC)2's Certified Computer Forensics Professional (CCFP).
Many organizations get it. The SSCP, (ISC)2 Associate, and other (ISC)2 certifications all are identified by the US Department of Defense as approved certifications under the DOD's 8570.1 mandate. The Defense Department offers a good example of how organizations that understand the cyber security career path are modifying job requirements to reflect these different credentials. The civilian side of government should be more adaptive of this model.
So why aren't we seeing more government and contractor job descriptions following suit?
If agency hiring personnel can't or won't develop or search for the appropriate position description, that's an indication that they're not clear on exactly what they need. The government is just now recognizing that it needs more specific job series and descriptions in order to fill the needs of the IT security sector, but it can't accurately tell you how many security personnel it has because of insufficient HR documentation.
If they had a more thorough understanding about the cyber security career path and the accumulation of skills that accompany it, more organizations would modify their job requirements, resulting in more positions being filled and the number of job openings decreasing.
One great resource for learning about the full range of cyber security certifications, how they're developed, and how they meet the IT needs for organizations is available from the Cybersecurity Credentials Collaborative. C3 provides a forum for a variety of vendor-neutral certification bodies, not just (ISC)2, that concentrate on information security, privacy, and related IT disciplines. (ISC)2 has also recently published a paper about the evolving state of cyber security work.
Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.