In the past, when hiring for my security team, I've chosen candidates with various cybersecurity certifications. But I've been let down by their actual ability to perform the required duties, which leads me to believe that perhaps certifications don't really matter. Should I, as a security hiring manager, continue to gravitate toward candidates with certifications? Are they really representative of a person's skills? Are there any particular certifications that are better to have than others?
According to the 2015 Global Cybersecurity Status Report, the global survey of more than 3,400 ISACA members in 129 countries, 86% of respondents see a global cybersecurity skills gap -- and 92% of those planning to hire more cybersecurity professionals this year say they expect to have difficulty finding a skilled candidate.
Candidates with cybersecurity certifications are an obvious answer to this demand. A certification assures the hiring manager that the candidate at least has the foundational knowledge the job requires. Certifications that provide this assurance include CISSP, CISA, CISM and SSCP, as well as more specialized credentials in areas such as healthcare, fraud examination and computer forensics. There are caveats, however. When certifications such as CISA, CISM, CFE and several of the CompTIA credentials were first introduced, experienced applicants were offered a grandfather option that waived the examination. That is not wrong in itself, but a candidate who was grandfathered in never sat the exam and may not have kept up with current technology or protection techniques since.
Unfortunately, many hiring managers have been disappointed by a certified new hire's actual ability to perform the required duties, which leads them to question whether certifications are sufficient or even make a difference. Cybersecurity certifications do matter, but they should not be the only criterion a manager uses when hiring skilled security talent. Instead, look for a well-rounded candidate whose other qualifications include the following:
- Interviews well: During the interview, the hiring manager needs to ask the right questions. The resume lists job experience, certifications, educational background and any awards or accomplishments, but the hiring manager must ask direct questions that clearly demonstrate the candidate's ability to do the job. For example, a resume that lists knowledge of firewalls, intrusion prevention systems (IPS), data loss prevention (DLP), privacy, security monitoring and other skills should prompt specific questions about each product: how it is implemented, how it is managed and what benefit it delivers to the enterprise. The candidate should also be given real-life scenarios to work through, which confirms (or disproves) the stated skills.
- Clean background check: Most companies limit background checks to criminal records, and for most positions that may be sufficient. Information security positions, however, control access to critical assets, so the check for these roles should leave no doubt about the candidate's trustworthiness. Trust should never be in question for a security professional.
- Relevant and real work experience: Work experience can be more valuable than academic degrees or professional certifications, but candidates with only experience are often never given the opportunity to demonstrate their skill set. Certifications and academic degrees are what create that opportunity.
- Strong work ethic: Working harder and longer hours does not necessarily translate to a good work ethic. Working smarter, and with resolve and passion, are the key elements of a good work ethic. These can be probed during the interview and then demonstrated during the probationary period.
- Probationary period: All new hires should undergo a probationary period, typically 90 days. This gives the hiring manager sufficient time to confirm that the new hire actually has the skills claimed on the resume and in the interview.
Cybersecurity certifications are clearly worth having and maintaining through continuing professional education (CPE) credits, but they are only one of several criteria for hiring security professionals. Interviews are critical in identifying the strongest prospects. Asking the right questions separates the purely academic candidates and good exam takers from experienced practitioners, and confirming that the candidate is a good fit for the organization gives hiring managers the information they need to hire the skilled information security professionals they are looking for.
Expert answer by Mike O. Villegas.