Security professionals break into small groups to discuss specific topics of interest during the RSA Conference Peer-2-Peer sessions. Ben Rothke, a senior eGRC consultant with Nettitude, facilitated a P2P discussion about the value of security certifications. Read on for Ben's thoughts about the discussion.
During RSA Conference 2015 in San Francisco, I led a peer-to-peer session where I asked the 22 participants in the room: Should 2015 be the year we ditch information security certifications?
The information security hiring process is often based on which—and how many—security certifications the candidate has. But relying on that number heavily is a poor method to ascertain if the candidate is qualified for the spot. Rivest, Shamir, Adleman (RSA), Diffie, and Hellman may be in the National Cyber Security Hall of Fame, but in today’s reality, they would never get past HR in many firms since they lack the requisite certifications.
We had a lively discussion, but we also had only an hour to discuss the topic and consider some action items to change the predicament. We talked about boot camps, certifications, accurate measurements, and how to work with HR.
Boot camps tend to be a poor way to train information security staff. While they may be intense and cover vast amounts of information, unless one has a photographic memory, most of that knowledge will never be retained. They are time intensive, and the end result doesn't justify the investment.
Certifications tend to ignore the person's past experience and emphasize the person's ability to memorize a specific body of knowledge. It's better to focus on experience rather than book knowledge. Measuring and assessing information security knowledge is also genuinely hard. There are ways to do it, but they don't lend themselves to working at scale when many candidates are involved, as they take significant time that is often not available in the hiring process.
HR finds and manages hires. But HR finds them only by looking for certifications. HR is the gatekeeper, and even if the CISO doesn't like certifications, HR will continue to use them. Guess who wins?
The obsession over certifications only benefits the certification industry, which profits from it.
We need to turn things around.
One idea is to use industry networking as a method for meeting qualified candidates. Think of it as PaaS–parties as a hiring service.
Two really good ideas came out of this session to try to fix this problem. Create a web of trust, as it may be a better vehicle for measuring skills than certifications. Find someone you trust, and trust the people they trust. Another thing to consider is to have skill competitions, as they indicate experience and real-world knowledge better than certifications. SANS does something similar to this with their NetWars tournament. RSA Conference had its very first NetWars event in San Francisco this year.
How do you work with HR? Educate HR on what to look for when evaluating candidates. Or partner with a recruiter specializing in information security. No one in HR ever got fired for ensuring information security candidates had their CISSP. But that doesn’t mean they did the right thing.