Last month, I was in the company of two seasoned security professionals who had just completed their CISSP training. I found their opinions and comments very interesting.
The first point of interest was that both individuals saw their CISSP training as a badge that could be applied to their CVs, but not as something that made them better security professionals. One of the professionals, whom I would place at the top of his game when it comes to UNIX, even pointed out that there was very little content in his training experience that brought the subject matter to life.
For that reason, the two professionals concluded that the value of their CISSP training in an operational hands-on sense was low. While they felt it had been important to attend the CISSP training to augment their professional CVs, both felt it had done little to improve their performance when it came to supporting operational activities in cybersecurity.
To throw my own thoughts into this conversation, I agree that CISSP training does have its limitations.
High-level training provides an excellent opportunity to give newcomers to the security profession the basics of security language, but it often fails to deliver the depth of knowledge that real-time protection of the organisational perimeter requires. CISSP and its peers have their benefits, but they are not a silver bullet.
As information security professionals, it is our responsibility to protect the planet. I know this might sound like a hyperbolic statement, but consider the implications if we all get security wrong.
What would happen if we wandered down the yellow brick road of compliance and governance while we ignored certain areas of technological threats? We’d be telling just one story, and we would fail to tell so many others.
The fact of the matter is that certifications such as CISSP, CISM and others are important, and they do provide a baseline, but they need to be underpinned with detailed hands-on training to produce the practical, tuned-in skill sets that operational work demands.
For the time being, other programs and individuals are helping security professionals gain the practical training they need. Indeed, it is in this space that I am honoured to work with all kinds of global training leaders and experts who have helped expose personnel in fields ranging from ITIL and disaster recovery to project management and cybersecurity to the realities of their profession.
For example, if we look at digital forensics, we see that any training program needs to deliver on a variety of topics including, but not restricted to, the following:
- Case management
- Evidence and artifact handling
- Applicable laws
- Laboratory construction and deployment
- Management of the digital crime scene
- Acquisition of evidence, be that physical or logical
Additionally, with regard to more complex investigations involving external challenges – such as DNS, OSINT and data exfiltration – only by organising a focused training programme that incorporates real-life examples can a teacher impart the necessary hands-on skills to a student of security.
Going back to the introduction of this article, I do believe that training and certification are important. However, on their own they do not give a prospective employee the edge when it comes to handling a real-world cyber-attack.
Individuals who hold no CISSP or any other form of certification may nonetheless have ample hands-on experience. As a result, it is important for aspiring security professionals to receive a level of training that equips them with the skills necessary to do security day after day.
To conclude, there is much talk these days about the security skills gap. It’s time to consider just what that gap implies.
Does it mean we need more professionals who hold certified status, or do we need more people with the hands-on experience?
When we step back and consider what the skills gap conversation actually implies, I hope we will realize we in fact need both.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.