The Current Cybersecurity Landscape
Cybersecurity is Confusing, Fragmented, and Crowded
By Simone Petrella, Chief Cyberstrategy Officer, CyberVista
The cybersecurity landscape isn’t the easiest place to navigate. It’s confusing, fragmented, and crowded. There are currently more than 85 cybersecurity-related certifications, ranging from the foundational to the highly specialized. Furthermore, there are countless degree programs where you can pursue a cybersecurity certificate, bachelor’s, or master’s degree. Finally, there are 217 universities accredited as NSA Centers of Academic Excellence in Cyber Defense.
Despite all of these options, programs, and credentials, the cybersecurity workforce gap still exists and, in fact, continues to widen. (ISC)²’s 2017 Global Information Security Workforce Study indicates the workforce gap is estimated to be growing, with the projected shortage reaching 1.8 million professionals by 2022. It turns out the current model doesn’t work for the cyber candidate or the employer.
Why It’s Wrong for Candidate and Employer
Obtaining a laundry list of certifications is costly and time-consuming. Plus, once you get them you have to maintain them! Worst of all, given the debate among some hiring managers around the true utility of a certification, and given already unclear job descriptions, many credentialed candidates find themselves over-certified and yet still under-qualified for their dream job.
The truth is the current focus on specialized cybersecurity credentials doesn’t help companies or agencies improve their overall security posture either. Oftentimes a certification becomes the equivalent of an “HR firewall”, providing nothing more than an easy keyword filter for a recruiter and leaving a massive gap in identifying the skills their staff need to competently perform their cybersecurity duties.
The Culture is Changing
While it’s easy to vilify certifications and write them off as useless, or to critique the over-emphasis on information systems and related computer science degrees, the emerging reality is that certifications and formal education are not ends in themselves but merely the goalposts and guides that allow an employer to understand the candidate pools they’re seeing.
What certifications don’t tell you is whether someone will be effective or competent in their particular job role. But that’s not the role certifications should be playing anyway. Certifications, like the CISSP, do tell us whether someone has a fundamental interest and motivation in cybersecurity, along with the ability to grasp and demonstrate a conceptual (and, in the case of the CISSP, managerial) understanding of core security concepts. And they are effective at helping to cluster knowledge strategically, a helpful tool for employers looking to move beyond draconian hiring practices.
The Paradigm Shift Starts Here
A new model is emerging in the cybersecurity profession, one that emphasizes the multidisciplinary and fluid nature of the cybersecurity field. NIST’s National Initiative for Cybersecurity Education (NICE) recently released its interactive CyberSeek career pathway map, which focuses specifically on the skills needed in key job roles. This provides the field with its first data-driven snapshot of open cybersecurity job positions and allows us to reimagine cybersecurity as a true profession with both lateral and vertical career paths, just as we think about medicine or law.
However, understanding the data, skills, and career pathways in cybersecurity still isn’t enough. The real key is to build a new approach to education, training, and certifications that fits this new paradigm. Here at CyberVista, we are actively working to determine the training and education pathways that map to the reality of the evolving cybersecurity profession, while continuing to emphasize the importance of demonstrating real knowledge through certifications.
The result is an educational approach that systematically reinforces knowledge every step of the way. This establishes a broader career education model for job training that focuses on the foundational skills candidates need to enter the cybersecurity profession while simultaneously identifying the specialized skills needed for particular job roles. It also provides a unique perspective to employers seeking to fill some of their most challenging positions because it focuses on quickly identifying the skills that make those roles unique. Moving to this new paradigm opens up multiple opportunities to either upskill current staff or hire staff with non-traditional, non-computer science backgrounds.
Reconciling the New Paradigm with the Old
The beauty of creating a career and training path based on skills is that it can coexist with today’s most popular certifications. By focusing on a knowledge-based approach to training, whether in furtherance of a particular job role or in pursuit of a highly sought certification, both the workforce and its employers win. By mapping existing certifications to the actual skills that must be performed on the job, employers can begin to have greater confidence in the candidates they screen, and candidates can more confidently demonstrate their qualifications (and learning potential!) for some of today’s and tomorrow’s most important cybersecurity jobs.