Why Your Cybersecurity Certification May (Or May Not) Land You A Job In Information Security
A Misunderstood Profession:
Information security (IS) was, and still is, a misunderstood market segment. Conversely, information technology (IT) seems to be a well-known and pervasive market. And even now, with the overused term “cybersecurity”, information security seems to be the middle child. So what exactly is information security?
Information security or “infosec” is the practice of mitigating risk related to the unauthorized or inappropriate use, access, disclosure, destruction, disruption, modification, corruption, inspection, devaluation or recording of a company’s information. Information can be digital or physical, written, typed or overheard. The most valuable information that companies must protect includes their proprietary information, business strategies and customer data.
The Primary Requirements for A Career in Infosec:
The required skill set for IS professionals is a blend of technical knowledge and policy, process and best practice expertise. IS professionals must understand which safeguards are most effective in which environments against which threats. And they must be able to apply this knowledge in the real world. Experience and continuing education are both needed for IS professionals to be effective and to stay current.
To take a deeper dive into this topic, we interviewed Jeff Stapleton, an experienced information security professional and X9F4 Cybersecurity and Cryptographic Solutions Workgroup Chair. He shared his valuable insight on this topic with us:
Interviewer:
What recent trends have you noticed for recruiting cybersecurity professionals?
Jeff:
In my experience, few recruiters understand what I do for a living, not to mention my area of specialty: cryptography and key management. Sandra Lambert (a founder of ISSA) and I spoke at the RSA 2018 Conference about these issues. The takeaway? Cyber is hot; Crypto is not.
We pointed out that cybersecurity relies heavily on cryptography and key management but does not actually deal with the issues, rather cybersecurity practitioners seem to believe that the Advanced Encryption Standard (AES) solves everything. This mindset bleeds over into recruitment efforts, as companies focus on hiring people with the wrong skill set for information security needs.
Interviewer:
How do you feel about cybersecurity or information security certifications? Are they necessary?
Jeff:
There are many, to be sure. There may be too many. But, they reflect two positive things: (i) a modicum of specialized training that is not available with general education and (ii) continuing professional education (CPE) are required to keep the credential active. The one negative thing is that, like college degrees, they do not reflect experience.
Interviewer:
Which certifications do you recommend for information security professionals?
Jeff:
I’m more familiar with some of the organizations (e.g. ISC2) and credentials (e.g. CISSP) than others. And the type of credential varies depending on the job opening. Some of the organizations are formal, well-established, and accredited, while others are more market-driven. This is akin to interviewing someone from my alma mater versus another college; it’s not that I’m prejudiced towards the college, but I know the curriculum, the professors, and the quality of the programs. To be honest, when I get someone’s resume and they list credentials, that’s a plus but not always a requirement. And often I need to look up the credential (because there are so many) to determine if the training has any relevance to the job opening.
The Takeaway:
Jeff’s comments align with our recruiters’ feedback that most hiring managers appreciate certifications, but they are not the end-all-be-all for deciding who to hire. Experience is key, but all other things being equal, a relevant cybersecurity credential may tip the decision in an applicant’s favor.