Experience Is a Big Risk With Cybersecurity Professionals

When you need a cybersecurity professional to keep company secrets safe, it is easy to get lulled by a lot of letters on a resume. CISSP, CISM, GSEC, and CEH are just a few of the many certifications that indicate a recruit has the chops to take on whatever hackers come your way. But certifications only tell part of the story, said Humayun Zafar, associate professor of information security at Kennesaw State University in Georgia.

Zafar teaches a Certified Information Systems Security Professional, or CISSP, boot camp to help prepare students to take the certification exam, and many of his students pass the test right out of the gate. “It is a good start to a cybersecurity career,” he said. “But it may not be enough.”

In one of his recent courses, he had a student who was an assistant to a paralegal with no prior cybersecurity experience. “She took the course, passed the exam and had a cyber security job a week later,” he said. That’s not to say she wasn’t smart and capable, but it suggests that companies may be relying too heavily on certifications as a measure of skill.

“Ideally you want someone with at least a little experience,” he said. They also need more than just software skills to keep up with the complexity of the role. As hacking attempts have gotten more frequent, and hacks more difficult to track, it has caused the cybersecurity skill set to change, Zafar said. “Ten years ago cybersecurity was a technical role, now it’s a business role.”

While cybersecurity professionals still need to understand the technology and stay abreast of the latest hacking trends, they also need to be able to problem solve, understand business continuity planning and work with the executive team when security breaches occur. “And they will occur,” Zafar warned. “It’s just a matter of when.”

Part of the challenge in finding these experienced and certified cybersecurity professionals is the talent landscape. The unemployment rate among cybersecurity professionals in 2016 was literally zero, with 1 million openings going unfilled, according to Cybersecurity Ventures. That number is expected to climb to 1.5 million by 2019. “It’s a seller’s market and employees are in the driver’s seat,” Zafar said.

While companies may not be able to find the ideal candidate, they can look for characteristics that suggest a person will be a good fit, said Joshua Crumbaugh, CEO of PeopleSEC, a security awareness training company in Huntsville, Alabama. He suggested looking for candidates who are constantly “self-educating” and participating industry groups. “The bad guys are always developing new evasive tactics, so you want people who are interested in keeping up,” he said. And any work experience is great if you can find it, Crumbaugh says. “Experience is better than any degree or certification.”

He encouraged HR leaders to involve their IT or cybersecurity team, or external consultants, in the vetting process to help them gauge the abilities and passion of potential recruits, and to ask detailed questions about how they would respond to specific types of attacks. “How they answer these questions will tell you whether they have the experience you are looking for.”

Education Never Ends

Once you hire someone, regardless of whether they are a newbie or a seasoned professional, training should be a mandatory part of the job. He suggested sending them to at least one annual conference, like DEF CON or BlackHat, paying for them to pursue additional certifications, and giving them the time they need to stay current on continuing education credits.

Many companies require cybersecurity professionals to complete at least one certification per year and pay for the time and training they need to prepare, he said. This ensures their people is up to date on the latest trends, and lets these hard to source employees know that the company is invested in their success.

“The cybersecurity space is always evolving so education isn’t optional,” Crumbaugh added. “The most successful people in this field are constantly learning so they can always stay on top.”

Sarah Fister Gale is a writer based in the Chicago area. Comment below or email editors@workforce.com.