In cybersecurity there are two kinds of people: those with certifications and those who have proved they don’t need them. Just like degrees, certifications are only as good as the person holding them. If a person has a CISSP, a CISA, or another related certification, but does no more than attend the minimum continuing education to keep their certs in good standing, they will have little relevant security competence. Additionally, these certifications cannot be compared to a CPA, where the math and rules are clear and do not change at the speed of technology.
A person can show real world cybersecurity competency by building and defending websites and applications, by attending many top cybersecurity conferences and leaving some, by accurately following and blogging about threat actors (Brian Krebs), and by frequently speaking at security conferences – but more importantly their content needs to be validated by other thought leaders.
This is not at all to say that degrees and certifications have no value, but it is to say they are hyped up and not for everyone, especially people like Steve Jobs, Bill Gates, Larry Ellison, Mark Zuckerberg, and about 95% (est.) of real hackers and technology security makers. These people are so focused on the synergies of the technology and threats “in the now” that they do not focus on memorizing things for tests that will likely become obsolete in 2-4 years anyway.
The problem with standardized tests is that they teach conformity in a limited non-real-world context based on limited information with no accurate knowledge of the future. A standardized test cannot teach or confirm creativity, quality character, incident response savvy, backwards engineering, your ability to actually build and defend an application, your ability to lead and inspire people in the right direction, stress management, and most importantly that you understand the threat actor profile and landscape and can adapt on your feet.
Many people who study for a security certification realize it’s a memorization and buzzword test. Yes, it will prove you are not a “complete moron” in security, but it will prove no more, and it has nothing to do with creativity. Yet the best security protections must be creative because the enemy is. Hackers use creativity and new technology models to break into systems in ways not thought of before. Yet before they break into these systems they have to learn and reverse engineer them. They do this with a type of intelligence and experience-based creativity that is too high for any standardized test to confirm.
If you survey all the major data breaches and hacks to find out what caused them and what could have prevented them, it is never because an organization “needed more people with standardized security certifications”. Rather, it is usually due to: lack of creativity, corporate silos, office bureaucracy, turf wars (think of why the FBI and CIA missed 9/11), poor communication, not enough real-world red teaming, failure to patch, poor internet hygiene education, failure to measure and prioritize risk, and incompetent security leaders who only hire their friends or people who conform to their biases.
If you really want to learn and stay updated about cybersecurity, grab your laptop or tablet and blog in real time at the Cybersecurity Summit in MN, 10/22/18 to 10/24/18 – register here. Blogging is important because it makes you write down what you are learning, and your followers will force you to talk more about what you’re posting, so you will learn more by defending or changing it. You must be an active learner by creating and supporting the web technology behind your website – 100%.
Also, when attending these events don’t be like most people and hang only with your “established clique”. Meet new people and be open to diverse viewpoints, even ones that are hard to swallow – you grow more from that. Leave your assumptions at the door. Do not boast about the fact that you have an advanced degree or certification to someone else. You never know what the other person is capable of or has achieved. Remember, most hackers and the best technology people are unorthodox.
Here is a rundown of the amazing Cybersecurity Summit speakers.
- Bruce Schneier, who will be signing copies of his forthcoming book “Click Here To Kill Everybody”
- Chris Roberts, one of the world’s foremost experts on counter threat intelligence
- Tony Sager, who leads the development of the CIS Critical Security Controls for the Center for Internet Security
- Peter Brecl, Director of Managed Security Services at CenturyLink
- Scott Borg, Director and Chief Economist at the U.S. Cyber Consequences Unit
- Brian L. Levine, who recently engaged in the first criminal trial of a Chinese entity for trade secret theft that cost a U.S. company more than $1 billion
- Tim Crothers, who built and leads the Cyber Fusion Center at Target
And many others!
To learn more and register for the event, go to www.cybersecuritysummit.org. Register now because prices will increase after Aug. 30. Come say hi to me at the event and reach out to my company, Abstract Forward Consulting, if you have questions.