(Photo: Credit: Gorodenkoff/Shutterstock.com) (Photo: Credit: Gorodenkoff/Shutterstock.com)

 

This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.

 

As the New Year quickly tumbles into our laps, schools and other educational programs begin to offer new programs, classes, certifications, and degrees for January enrollments. Many seem to claim a guarantee that they can offer a new or enhanced career.

For those who seek to upgrade their skills or acquire new ones, it has become difficult to differentiate among programs with similar names offered at different institutions — in class settings and online — at not inconsequential prices. Will certification achieve your goals? Will it address the needs of your next employer? Decisions about career enhancement in Information Security is tough, not just for the student or professional, but for the employer and recruiter as well.

It is familiar to people working in the information security industry that the demand for capable skilled professionals and team players is increasing. For those gaining skills to work in the industry for the first time, the challenge remains to hit the ground running with a position and, better, with a career path. Yet no career path in this industry will sidestep an ongoing foothold in the classroom — onsite or virtual. And while employers and recruiters spin within the chaos of job titles and descriptions, they must assume a discrete understanding of the nuances of each role as performed or required to be performed in each independent workplace.

This year, Cisco reports that those in greatest demand must bridge the divide between networking and software development. Almost contradicting themselves, they suggest that security professionals will need broader skills but also more specialization. Recruiters also will need to become quick studies to evaluate the varied backgrounds and levels of experience of security personnel available, especially if they are going to manage a search for leadership in the industry. At one and the same time, CEOs recognize they don't have the skills within their companies to enable a defensive posture, and professionals say they lack the necessary skills for current — much less future — jobs. Trying to prepare for jobs we only anticipate can be disheartening to the point of disabling. Executives want employees trained and fully equipped, so training has become a regular and routine part of doing the job.

The role of Information Security Analyst appears to be very basic. But this is a good place to start unlocking the high level of skills necessary to work in this industry. At the same time, skills of the superior analyst must include training others. They must have a polished management style, the ability to read and understand the workforce and new demands in the space of many related professionals. Cisco aptly noted that the complexity of the IT enterprise is disrupting the workplace.

At Balance Careers, Alison Doyle writes that to be an Information Security Analyst, a bachelor's degree in computer science, programming, or engineering is a minimal requirement, while many companies require a master's degree and many years' network experience.

Information security analysts work with various members of an organization and must be able to communicate security measures and threats to people from a wide variety of technical and non-technical backgrounds. In addition to the technical networking and software development tools that must fire up on the job, the list of other skills includes desirable character traits and work habits that are developed over time.

Some skills understood as soft skills are those difficult to define or become defined differently depending on the workplace. Time management is an important skill, but time management is easily thwarted when a firm is subjected to a security infraction or responses to emergencies must be made in systems attacks. Evaluating claims that an individual has reached the proper level of achievement in a skill of this soft type is very difficult. Perhaps they have mastered time management software. That may or may not be enough. Customer service and leadership skills are very much the same. It might be a good idea to study job descriptions to see how many of them get to the true nature of the role and a tangible definition of the skills required. It is much easier to identify with a piece of equipment or software than to assess the corporate culture that gave rise to an individual's time management experience.

In Dark Reading, Curtis Franklin, Jr. writes about the top non-technical degrees for entry into cybersecurity. He adds that a computer science degree is not necessarily a requirement; that requirements may hang on the soft skills often described as the employment gap between available skilled personnel and existing demand for skilled workers, now cited as more than four million people. That's a huge demand for the training organizations as well as the placement industry.

The big question Curtis asks is, what degree programs are worthy of consideration? Having looked at many of these programs myself, I also wonder where the lines are drawn between serious programs and those that skirt the edges of the requirements. Many of us faced these questions in our own education. What criteria should we use? One agreement is that the industry needs individuals with diverse experience in observing risk and handling the threat environment. Curtis's list focuses on diversity of experience and problem-solving skills, which are probably essential, but it is hard to assess where one can readily acquire these deeper learning traits.

For the latest training information reflecting the IT job market and, in this case, news on the demand for talent in the information security industry, the latest certifications offered with CompTIA can be informative. Their training is pointed, no-nonsense, task-oriented and favorably priced for ordinary people who do not have a lot of time to sacrifice to any specific program when training is an essential part of their job description. The certificate also counts.

CompTIA is largely critical of the contemporary approach to education and teaching to the test. Too little attention is paid to critical thinking, problem-solving, and initiative. Even after an employee is hired, the fast pace of technological innovation makes it difficult for employees to keep up with the changes. Employers naturally struggle to provide the continuing education and professional development that their employees require. CompTIA has sought to fill this gap for both the employer and the employee or job seeker. Its Creating IT Futures program works to invent a better route to IT careers, then look for the best way to collaborate to identify the best outcomes on a national scale based upon their program content.

CompTIA explains the importance of including training in the soft skills. Holding an advanced degree before training for a technical specialty helps ensure successful application of new skills in the currently demanding environment. Before the introduction of IT-Ready, the workforce development program incorporated a mainly online education model. They say that while appropriate for some individuals who were able to springboard into their first paid IT role, that program failed to lead to IT work for most participants. The online program lacked coaching in job-seeking skills and was missing an employer component. Creating IT Futures was more successful when coaching in the soft skills was introduced.

While it may be easy to summarize that the future of the information security industry is growing and remains brighter than ever, the future of training in information security is scattered, chaotic, and likely to experience pressure as security professionals and those preparing for careers from other IT sectors try to sort out a direction for healthy career growth.

Many employers in the field, such as Cisco, and many other industry leaders have in-house programs in line with their own career paths. Other certifications come from corporate or government agencies or professional organizations providing certification. Still others provide training offered by outsourcing certification programs to a firm such as CompTIA. They can design a custom program or adapt a program to meet an employer's needs. And where training has become part of the job description, it is possible to imagine an employer who distributes training vouchers as a routine employee benefit. So much the better. In the meantime, we should look for more uniformity among programs and more cooperation among course providers to reduce chaos. But in this piece of the industry, we are always playing chess with grand schemers from the hacking universe. They thrive on chaos.

 

Nina Cunningham, Ph.D., is a member of the Board of Editors of Cybersecurity Law & Strategy, an affiliate of Altman Weil, Inc., and president and CEO of Quidlibet Research Inc., a global strategic planning and cost management firm founded in 1983.