An Open Letter to Human Resources Teams
Every few years, it seems, the information security community has a renewed interest in, and debate over, the value of certifications, degrees, experience, etc. in helping information security professionals land jobs. Along with this renewed interest comes a spate of blog posts and articles that aim to help those new to the industry advance, and advice for varying levels of professionals who want to move up, move on, and so on. Unfortunately, we’re still talking to one another (security folks talking to other security folks). Nothing wrong with that, but I want to direct this post to human resources teams. I hope that’s you, and I hope you take my words to heart. If you’d like to read some other posts that I find useful and relevant, I’ve linked them at the bottom of this one, as well.
First, please learn to differentiate between technical security positions and compliance/risk/governance positions. While that sounds like a banal statement, I really think many HR teams don’t understand the difference intrinsically, and it’s a critical one. GRC professionals need a different background and skill set than technical ones, although there is certainly some overlap. When hiring people for GRC positions (risk analyst, compliance analyst, etc.) look for the following:
- Backgrounds in IT audit, risk assessment, and IT governance
- Knowledge of, and experience with, any relevant compliance mandates and regulations
- Skills with GRC tools like RSA Archer or…spreadsheets
- IT certifications like the ISACA CISA/CISM or the CISSP (it’s relevant here, more in a moment)
For technical positions, well…things are a little different. And here’s the fact of the matter today (and critical point #2): THERE ARE NO CERTIFICATIONS THAT PROVE A TECHNICAL SECURITY PROFESSIONAL CAN DO THE JOB. ALMOST. Lest you think me wishy-washy, let me explain. Much has been said about certain certifications in the realm of information security. As someone who teaches regularly for SANS (https://www.sans.org), and helps numerous students attain the GIAC certifications that go along with SANS courses (http://www.giac.org), I see both sides of the certification argument. Most do not do anything to really prove technical proficiency, to be fair. Do they show a bit of motivation? Sure. Maybe some knowledge. But the GIAC exams are open book. You can look up the answers during the test. It’s a lot of material, and so it’s not necessarily easy, but these are exams that show some knowledge and motivation, and not a lot more. The CISSP is even worse, in many ways. It’s held up as the “gold standard” in the industry, but does NOTHING to indicate that a technical security professional knows how to do the job. So here’s my request:
STOP REQUIRING CERTIFICATIONS FOR TECHNICAL SECURITY JOBS. PLEASE.
Instead, make certifications “nice to have” considerations – if you are going into forensics, a GCFA (http://www.giac.org/certification/certified-forensic-analyst-gcfa) or GCFE (http://www.giac.org/certification/certified-forensic-examiner-gcfe) is great. However, I’d value experience performing investigations, using tools like EnCase and open-source tools like the Coroner’s Toolkit, etc., much more. Same goes for event management and network intrusion analysis (the GCIA is great, http://www.giac.org/certification/certified-intrusion-analyst-gcia). There are only a handful of hands-on security certifications – in the GIAC spectrum, only the vaunted GIAC Security Expert (GSE) requires hands-on practical time. If you really want to require a cert, there are a few that may make sense, whether a hybrid like the Cisco CCIE or the CREST certification for pen testers, but honestly? Most don’t really show off someone’s true capabilities.
So what should you look for with technical security professionals?
- Experience. Direct, hands-on experience. Look for specific tools, specific techniques, etc. Lean heavily on your technical security team to supply the input to this.
- If this is a junior position, maybe a college degree in computer science or information systems, but most degree programs are woefully inadequate in preparing kids for real work in this field, sadly. Information assurance degrees are barely better. So don’t use this as your true measuring stick, trust my 20 years of experience in this field, seriously.
- MAYBE a certification as a differentiator or proof of motivation, but that is it. Don’t require this – it’s a trap, and a silly one. The CISSP, especially – it is a great general base of knowledge, but has ZERO bearing on true skills.
- More than anything else, challenge your information security team/department to require a TECHNICAL INTERVIEW. As in, hands on keyboard. Do not trust someone’s resume, or great interviewing skills, alone. Make them DO something. This really shouldn’t be a stretch – but for many, it sadly is. Require candidates to actually demonstrate technical proficiency before hiring them. Crazy, I know.
I know hiring talented information security professionals is hard. There aren’t enough of us, and it’s getting harder than ever to really find talent. This post may not make your job any easier. But trust me – the certification market is a bit of a racket, and it’s not providing nearly the value you may think it is. For GRC positions, the base of knowledge provided by the CISA, CISM, or CISSP is a good thing to have, and might prove valuable when contrasting one candidate with another. But with technical people, these are largely meaningless. Many of the best security professionals I know have none of them, and do not care about acquiring them. If you are hiring for a senior position (15+ years of experience), don’t even BOTHER with certifications – they are 100% useless and meaningless. Seriously.
Please know, this is not an anti-certification message. They have value. I like seeing people get them, and they should get them if they are so inclined. If you have two TOTALLY EQUAL CANDIDATES, and one has the certs and one does not, the cert may indicate a wider breadth of knowledge or more motivation to learn and improve, if nothing else. But don’t assume this, please.
Additional posts that are useful:
- My friend Robin Sundaram, a well-known CISO, just posted an article talking about the usefulness of certs: “Security Certifications are Useless, Right?”
- My other friend, Daniel Miessler, has written quite a bit on the topic: “How to Build a Successful Information Security Career”
- Another post from Daniel: “Information Security Interview Questions”
Hopefully, you found some of this useful. Good night, and good luck.