The question of certification remains a topic of ongoing discussion. A recent announcement from the Australian Information Security Association (AISA) has especially reignited this debate, raising questions about the effectiveness of current certification models and whether certification increases the barriers to entry in the industry.
In some cases, we have seen an indifference towards certifications not as a response to whether they are necessary but because the costs of working with a certified professional feel too high. But, is this another narrative that hinders organisations from improving their cyber security posture?
In this blog, we’ll look at the role of certification, the value it can bring to your organisation and the certifications that we believe have merit.
The role of certification and training in cyber security
If an airline pilot was not properly licensed, would you board their flight? I’m sure your immediate thought is ‘No’. Would you go to a doctor that had not gone through an appropriate level of training or qualification? While I’m sure an unlicensed medical professional’s use of healing crystals may seem effective, the reality is far from the truth.
For this same reason, you should consider working with certified cyber security consultants with the right skills to suit your business needs. Certification sees professionals commit to a code of ethics, maintain ongoing professional development, and ensure they are competent and meet recognised standards.
Certification attests to a professional’s abilities and fosters industry-wide standardisation. Working with non-certified cyber security professionals can harbour inherent risks. Given the high-stakes nature of cyber security, where a single vulnerability can lead to substantial data breaches, financial losses, and reputational damage, your organisation cannot afford to overlook the value of certification.
Non-certified professionals may lack the up-to-date knowledge and skills necessary to identify and respond to evolving cyber threats effectively. Additionally, without certification, it becomes challenging to gauge a professional’s level of expertise or ability to adhere to industry standards.
Our response to criticisms of certification
Several criticisms have been levelled at the path and process of certification. I often see these presented by vendors who hate paying for salaries and simply want to create a workforce of slave labour — without reducing the cost to the client — to see their stock price increase a quarter per cent. Let’s evaluate these criticisms:
- It creates barriers to entry: I’d say this is partially correct. Certification creates barriers to individuals unsuited to working in the industry, specifically those enthusiastic about the hardware gadgets and T-shirts they purchased to cosplay cyber security professionals with no intention of understanding how things work. Our approach at Mercury has been to foster an environment of professional development with a view towards certification, which I contest creates an avenue to entry that builds a disciplined, proven approach to learning and growth. This should not be a job for easy entry; I do not want someone to become a doctor with four hours of YouTube.
- Certification impedes diversity and gender equality: AISAs criticism has been around diversity and inclusion, which in our opinion, is unqualified. On the contrary, the absence of standardisation removes structured guidelines, programs, and mapping of alternative pathways to creating an equitable, diverse and inclusive profession. Universal guidance and education, delivered through certification and recognition, enfranchise the disadvantaged and places them on an equal foothold with their peers. Without creating a level playing field, we will keep it as ‘jobs for the boys.’
- The industry needs innovation, which certification stifles: Most certifications are a baseline demonstration of knowledge and capability, which must be built upon and innovated continually. When performed correctly, certification sets the groundwork for awesome operators the same way reading, writing and maths create excellent citizens. I would also argue that the medical sector has a structured and empirical path to innovation which requires a process of verification, contrary to us simply saying that our cyber tools are ‘AI-enabled.’
- The skills shortage: Bottom line, we would much rather have a skills shortage than a swarm of unprepared and unqualified individuals. Allowing unskilled people to enter the workforce in such a dismissive manner is a slap in the face of anyone who prepared and trained themselves and wants appropriate compensation for their efforts.
Cyber security certifications that we agree with
We believe some key certifications are worth considering when engaging with a cyber security consultant. Yes, we do have a bias in this area, but only because we are professionals working in this industry and have seen value in the following cyber security certifications:
The Certified Information Systems Security Professional (CISSP) is a globally respected cyber security certification, part of the International Information Systems Security Certification Consortium (ISC)². Cyber security professionals with a CISSP certification have had to demonstrate a breadth of knowledge and hands-on experience to receive this certification.
The Offensive Security Certified Professional (OSCP) focuses on penetration testing, demonstrating a professional’s ability to identify vulnerabilities, create and modify exploit code, and successfully execute attacks. The OSCP’s hands-on approach to learning, based on actual system penetration skills, makes it particularly useful.
The Council of Registered Ethical Security Testers (CREST) indicates that a cyber security professional has experience with penetration testing, cyber incident response, threat intelligence, and Security Operations Centres (SOC). These professionals will have not only demonstrated their knowledge in this area, but they will also have a track record of successful services delivered.
The Zero Point Security Red Team OPS certification is an advanced red teaming certification focusing on full-scope attack simulations. The hands-on examination and implementation of advanced techniques ensure that professionals with this certification have proven their proficiency in the face of a cyber attack.
Cyber security certifications are a key consideration when working with cyber security consultants. Just like you wouldn’t trust an unlicensed pilot, you should also avoid entrusting your cyber security to non-certified professionals. Certifications like CISSP, OSCP, CREST, and Zero Point Security Red Team OPS testify to a professional’s capabilities and commitment to delivering excellent services and staying updated in this rapidly evolving field.
However, it’s essential to be discerning in recognising the value of different certifications, as not all are created equal. Not every certification is perfect, and it is not enough to work with a professional possessing just any certification. The training that person has and the models they use must work for your organisation.
Why work with Mercury as your cyber security consultant?
As a CREST-certified organisation, Mercury has the background to provide guidance and advice when developing a strategy to enhance your cyber security posture. Our experts can create a tailored solution by understanding the issues and risks unique to your business and developing a roadmap to resolve these. Visit our services page for more on our specialities and certifications.