The practice of requiring cybersecurity certification has outlived its usefulness. It now does us more harm than good.
Any benefits to our companies from employee certification are quickly undermined by some worrisome trends that have developed. As it is practiced today, the requirement for cybersecurity certification drives three issues:
- It fosters undesirable mindsets and behaviors by employees;
- It encourages poor resource management by managers; and
- It bars entry into the field by aspiring professionals.
Taken as a whole, the problems far outweigh the benefits.
A flawed system
In the beginning, certification served a purpose. Even today, there are some benefits gained by sending employees through a certification training program. But our community, and our employers, place way more importance on certifications than is appropriate.
In his book “The Smartest Person in the Room,” Christian Espinosa points out that the current certification process actually misleads industry. According to him, the certification process isn’t really adding qualified talent to the talent pool. His rational is that while some certifications are challenging and produce better trained practitioners; others are relatively easy and produce poorly trained practitioners.
Relatively speaking, passing a certification exam is about the same as passing college exam. Both are intended to be “indicators” of knowledge and or skills. But that is also the issue. As with all knowledge/skills-based assessments, their value accomplishment is short lived. The long-term value is the employee’s ability to apply their training to produce value.
So what if the premise that certification is founded on, is false?
What if, as Christian suggests, certification programs aren’t really producing better equipped practitioners; and instead, are producing “paper tigers”? That is, they acquire the “paper” but lack the abilities and or competence to do the job well
Think the idea is nonsense? I don’t!
Many times throughout my career, I’ve been partnered with a paper tiger. They held a Certified Information Systems Security Professional (CISSP) credential, but had zero ability to design and build a secure system. In a few cases, if they were my customer. And then they weren’t able to evaluate our designs because they lacked the engineering skill and experience, or the systems knowledge, or both. They simply fell back on the “book answer” a feeble attempt to complete the task.
Undesirable mindsets and behaviors by employees.
First, the exagerated importance placed on certification is leading to several undesirable mindsets and behaviors. It has created a subculture of elitism within the community that values the number and type of certifications a practitioner holds.
Rather than simply valuing certifications as signposts of achievement, there is widespread belief that the credentials bestow prestige on its holder. And the more credentials you hold, the more prestige you have. The fallout is that there is not just attitude of superiority; but an obsession to get even more credentials.
This phenomena is fueled somewhat by the importance placed on educational degrees. Employees who have advanced university degrees are typically advanced to positions of higher authority, responsibility, and compensation; as compared to those with only undergraduate degrees. And while certifications are not advanced degrees, many companies have begun treating them almost as the same.
The other insidious problem with elitism is, it feeds on itself.
In my experience, far too many cybersecurity practitioners are driven by the desire, to acquire additional certifications beyond what is actually needed for their role. This “cert chasing” is pretty much like big game hunting. It’s done to satisfy the cert hunter’s desire to mount another “trophy” on their email signature wall.
One argument in favor of this, is that the training increases an employee’s value. And that can be true — immediately following the training. But learning and knowledge have shelf lives. Some psychologists report that within 6–12 months of training, nearly 50% of learning is lost if it is not reinforced by consistent application.
And finally, there is the growing concern over the integrity of various certification processes. Rumors abound about the possibility of cheating. Understandably, the credentialing organizations continue to invest heavily in solutions to protect the integrity of their examination process. But doesn’t this issue speak to the heart of the problem? Isn’t it the disproportionate amount of importance placed on certifications that is leading people to cross ethical and moral boundaries simply to get a “trophy”.
All things considered, it’s hard to discount the idea that the requirement for certification is fostering undesirable behaviors and mindsets in the workforce.
Encouraging poor resource management by the managers
The second issue has to do with employers relying on certification programs as a means for talent management. They’ve forgotten that a certification alone doesn’t guarantee a good fit for any position. Nor do does it provide any indication of success — or competence.
Existing employees may perform well in their current role and environment. But take them out of that familiar setting, and place them in a different role with a different infrastructure, and the same level of performance is not guaranteed. This explains why, when managers rely on certification as measures of competence, or talent, they tend to make poor decisions regarding resource management.
Manage people resources efficiently, requires a clear understanding of what the talent slate for the organization looks like. Including on certifications in the view often clouds the manager’s perspective.
Understanding the organization’s talent slate is crucial to making good investment decisions on training. Sending employees who already possess a one or more certifications is usually a poor use of financial resources. The return on that investment, beyond making the employee happy, will be marginal at best given the poor knowledge retention.
In the case where the employee requires re-skilling, or up-skilling because of a job change, certification training programs are often not the best alternative either. It’s likely the employee needs more in-depth training, over a longer period, than is normally provided the certification program.
In my own organization, most of our employees are required by contract to have a basic certification. Some, depending on their role, may require an additional certification; such as required when the employee has elevated administrative privilege.
But once the basic certification requirements are met, future investments in training and development is driven by the needs of the business, my organization, and the employee’s career path needs. Rarely does that necessitate sending them to a conference or another certification training program.
Barriers to entry
The last issue is probably the biggest. Requiring a certification prior to being hired, is without a doubt, the single biggest contributor to the number of unfilled positions in industry today.
And it is arguably unnecessary.
Many organization have allowed themselves to be trapped into “must hire” situations. Either by design, or by accident, the organization has become ‘reactive’ in its recruitment and hiring. When this is the case, hiring managers have but few options beside hiring experience, certified, practicioners.
Unfortunately, they haven’t yet taken the difficult, but absolutely necessary step, of building a talent pipeline. This step is essentially to bread free from the “must hire” quagmire. It is the only one that affords the space and flexibility to hire high-potential candidates who lack hands-on experience, and certification; but possess the foundational knowledge, and most importantly, the intangibles to be successful.
Cybersecurity certification is a double-edged sword. There are several benefits to both employees and employers. But the current practice has taken on a life of its own, spawning some undesirable trends.
Business and technology are transforming at incredible rates, without any hint of slowing down. The pace and scale of change promises to diminish the long-term value of individual certifications; making them on par with a bachelor’s degree in terms of their ability to prepare and predict success.
The practice of certification probably will not go away completely, so here are three recommendations that cybersecurity leaders can take to greatly improve our culture and our community:
- Disconnect certification to hiring decisions. Begin building pipelines that will feed your organization with talented professionals who can learn, perform, and grow with the organization.
- Discourage any notions of superiority connected with certifications. Recognize, reward, and advance, based on performance and contribution to the organization. Kill the paper tigers.
- Refrain from using certifications as metric for competency and talent. Certifications have no correlation with performance. Talent drives high-performance. Figure out what that is for the organization, and then recruit and hire it (the talent). Teach everything else.
Nothing is going change until we take action. It’s time for some leadership around the systemic problem.