Accreditation key to enterprise security

We look at how industry-recognised certification enables security chiefs to improve the strength of their security team

In July 2021, joint research from Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) found the area with the biggest shortfall in IT skills to be cloud computing security.

The survey of 489 cyber security professionals revealed that the main ramifications of the skills shortage were an increasing workload for the cyber security team (62%), unfilled job requisitions (38%) and high burnout among staff (38%).

Worryingly, the survey reported that 95% of respondents believe the cyber security skills shortage and its associated impacts have not improved over the past few years, with 44% saying the situation has worsened.

Yet even with a serious shortage of cyber security professionals, skilled candidates say it can be very difficult to begin a cyber security career. When asked for recommendations on getting started in cyber security, nearly half (49%) of respondents suggested getting a basic cyber security certification, 42% proposed joining a professional industry organisation, and 36% recommended finding a mentor who is willing to help develop skills and career plans.

As more businesses adopt public cloud and hybrid services, there is also growing demand for people who know how to secure cloud configurations and have experience of DevSecOps. This is where security is “shifted left” and becomes embedded in a continuous integration and continuous delivery (CI/CD) software development pipeline for introducing new software-enabled products and features.

These skills are prerequisites for CIOs and CISOs delivering a cloud-native digitisation strategy. In a blog post discussing cloud-native security, Melinda Marks, a senior analyst at ESG, wrote: “It’s important to consider time and staff savings and invest in products that drive efficiency and reduce staff burnout.”

Industry-recognised certification is part of that toolset. It not only helps people take a step up the career ladder, but it also offers them a way to boost their earnings. From an IT leader perspective, certification programmes improve staff retention. People who have their training paid for by their employer are far less likely to be tempted to seek work elsewhere.

The 17th edition of Skillsoft’s IT skills & salary report 2022 found that 91% of the 7,952 IT professionals polled hold at least one certification. The survey reported that respondents hold an average of four certifications in their field. Over half (56%) said the certification helped them improve their work, while 41% said it made them more engaged with their work.

The survey found a correlation between professional, industry-recognised certification and the salary level employees can attain. It found that individuals with Certified Information Systems Security Professional (CISSP) certifications were the top earners. According to Skillsoft, CISSP-certified IT professionals in the EMEA region earn around $104,863, while those with Certified Information Security Manager (CISM) certifications earn an average of $97,304.

When Skillsoft looked at the top cyber security certification programmes among survey respondents, it found Microsoft was first, followed by ISACA, CompTIA, Cisco and (ISC)2. This should not come as a surprise given the dominance of Microsoft professional training, which is usually a prerequisite to becoming a Windows systems administrator.

Microsoft also led the top five security, governance, compliance and/or privacy-related certifications being pursued by the IT professionals surveyed by Skillsoft. It was followed by (ISC)2, Amazon Web Services (AWS), CompTIA and Cisco.

It is no surprise Microsoft and AWS make the top five in security, governance and compliance certification, given the growth in enterprise public cloud deployments.

According to Skillsoft, IT managers are investing in upskilling staff to address their current skills gaps. They cite the hardest-to-fill positions in the same areas: cloud computing (30%), analytics/big data/data science (28%), and cyber security (25%).

Training benefits employer and employee

Certification also has a positive effect across the business and boosts staff retention. Maureen Lonergan, vice-president of AWS training and certification, says: “Whether your organisation plans to or already invests in helping your employees get certified – and favourably regards candidates who hold industry certifications – you’ll see a boost to your organisation’s productivity, innovation potential and employee retention.”

Given that cyber security skills are in high demand, such investment in people can help CISOs build up a strong team.

“Offering opportunities for skills training can lead to higher employee satisfaction and retention. Additionally, when you take a step further and fund your employees’ certification exam fees, employees are less likely to seek employment elsewhere,” Lonergan adds.

But while certifications are useful – even vital – for security professionals, Piers Wilson, director of the Chartered Institute of Information Security (CIISec), says they should not exist in a vacuum.

“They need formal accreditation to ensure individuals don’t spend their time amassing irrelevant qualifications that look good on paper but don’t improve their essential skills or prepare them for future roles. This is especially important given the ongoing cyber security skills shortage,” he says.

While a “sellers’ market” for skilled employees might seem great for individual careers, Wilson says there is a risk that someone will be appointed or promoted beyond their capabilities, which can have serious consequences both for the organisation and the employee when a real challenge arrives. He also urges CISOs to look beyond technical skills when assessing the level of cyber security training a team requires.

“Professionals also need business skills to understand security’s place in the business, and guide the organisation to improve its overall security posture,” he says. “They need to have interpersonal skills to communicate with the wider business and colleagues at all levels, and present advice, guidance and best practices to the business. And they need analytical skills to identify and investigate new threats.”

For Wilson, such “non-technical” skills offer IT security teams the best way to stay ahead of cyber attackers, as they allow the whole organisation to take a more proactive stance. “Securing accredited certifications for both technical and non-technical skills won’t just help security professionals stay ahead of the risks. It will also help them plan and secure their own careers – for instance by identifying what skills they need at the next levels of the profession, and gaining those in advance,” he adds.

Low-cost training

When looking at a training plan for IT security professionals, Rob Dartnall, CEO at SecAlliance and chair of Crest’s UK Council, believes CISOs should not necessarily just look at big, expensive courses for their staff, but subscriptions to platforms, academies, and even free online tutorials and webcasts. In his experience, training should not be a one-type-suits-all scenario. IT security leaders need to take into account that different people learn in different ways, and everyone benefits from variety. 

Dartnall points out that there are some fantastic resources available – many free – for cyber security professionals to use to train more easily and hone their skills, with certified proof.

“One of the most important things we need to do as an industry is create the time, space, environment and budget to enable talent to continuously improve. Where some industries push continuous development for people to become more senior or certified, we in cyber security must also do this – because the cyber threat landscape is continuously evolving,” says Dartnall.

Describing his own approach, Dartnall adds: “Personally, I love resources like Immersive Labs and Hack the Box. Why? Because they can quickly reflect the real threat landscape, with practical labs that can test both defensive and offensive skills against the newest techniques, quickly aligning an individual’s skills with real-life situations.”

In Dartnall’s experience, many of these platforms also align to career development and certification pathways. “The work is mostly done for us,” he says. But he also believes that, to add variety, there will always be a place for classroom-based, tutor-led, intensive training.

The two most effective methods for learning cited by the IT professionals polled in the Skillsoft survey are formal, expert-led training sessions at work, and live, instructor-led, online training sessions. Skillsoft found that roughly 70% of IT professionals who participated in these types of training rated them as very or extremely effective.

According to Skillsoft, the popularity combined with the effectiveness of online instructor-led training has led to a surge in learning, with 54% of respondents having participated in such courses. This method helps people balance work and home life with their training requirements, allowing them to learn effectively at a pace that suits them.

Finally, when looking at which areas of security training to focus on, a recent CIISec survey of 135 IT security professionals found that over half (57%) saw analytical thinking and problem-solving skills as most important in the profession – compared with 24% who rated communication skills as the top priority. Only 18% rated technical skills as more important than other skills, which suggests that cyber security training and certification should emphasise areas such as analytical thinking and problem-solving over technical skills.