There are a few old security jokes out there, the most common one being about lions and running shoes. There’s another one that has to do with educating employees. Maybe you’ve heard it, maybe you haven’t:
As security professionals, we visualize the security program as an integrated composition of people, technology, and processes. Delivering security services to businesses effectively and efficiently requires people with skills and knowledge to provide critical support. In larger organizations it is common to see a more diverse security team functionally organized to provide relatively granular security program capabilities, such as metrics collection and reporting. Smaller organizations focus on the ‘bigger pieces’, such as risk management, SecOps delivery, and security compliance management.
Regardless of program size, we look for program efficiency, which relies on resource effectiveness. Technology holds great promise, but we still depend heavily on people with strong capabilities within our corporate security functions. We need a broad range of security skills not only to provide security services delivery to the business, but also to help protect the organization by analyzing the threat landscape and how to counter cyberattacks. As leaders we need to enable our security teams to grow and adapt to the ever-changing security landscape by arming them with knowledge. Training and education are foundational for providing professional growth opportunities to employees, empowering and enriching their careers, and demonstrating their value to the organization by committing resources to their continued professional development.
There are several ways we learn and grow professionally. Obviously on-the-job (sometimes referred to as OJT) experience can be the greatest (and sometimes harshest) teacher, but we typically look at more structured or formal methods to expand the professional knowledge base of our security team members. These primarily include attending classes or conferences and pursuing certifications.
Classes are effective for learning a skill or gaining knowledge and insight on a topic within a condensed time frame, sometimes even at a single event. They can be narrow in scope, such as a single session on ethical hacking techniques. Classes can also be very broad in nature, such as a week-long class on global privacy compliance laws and general guidance for supporting them operationally. With the availability of knowledge on the Internet, classes can almost seem somewhat archaic or redundant. However, live classroom training has great value because it allows for interactive knowledge sharing and learning assistance. I recently learned how to use an engineering application on my own from Web-based tutorials, but having someone to provide guidance would have made the learning process easier and faster. Whether delivered remotely or in-person, the primary value of an instructor-led class is the ability to learn in an assisted environment. This approach enhances a structured classroom framework when materials are delivered in an orderly manner that follows a natural progression toward the educational goal of the class.
There are some downsides to classes, the primary one being narrow focus. The cost of classes has gone up significantly for some of the more specialized topics, depending on who is delivering the content. A single class can cost as much as a certification. The last thing to think about is the persistent value of the class. This can be heavily impacted by factors such as instructor quality, content cohesiveness, and true knowledge transfer. The true value of a class relies on the recipient’s ability to absorb, retain, and leverage the information provided by the class.
Conferences are a little different. They are useful from the live event perspective, and much more dynamic than taking a class. They are also typically focused on a single industry or profession.
I tend to look at the value of attending a conference from two perspectives. The first is being able to listen to experts and industry leaders as they impart their wisdom. Sometimes we can get granular and choose specific tracks within a conference for a narrower focus on topics or functions. Regardless, conferences allow us insight into the thoughts and ideas of industry leaders, expanding our perspective or views within our profession.
The second value of a conference is the ability to interact with our security industry cohorts and peers. Mingling and talking to other security professionals certainly creates social bonds, but more importantly it provides the opportunity to share ideas or integrate people into your trusted circle of professional contacts. Collecting a group of professionals that you can talk to about program implementation challenges, cyber threat management, and a wide range of other issues is extremely valuable. Colleagues provide their insight, ideas, and thoughts, which in turn expands your knowledge base, often without going through the same challenges they did to learn them.
There are a few conference downsides. The first is true knowledge transfer. Most conferences I have attended delivered little in the form of net- new, high-value information. The social aspect can be more of a distraction than a business enabler, resulting in a diminishing return for the cost of attending the event. Conferences can also create vendor fatigue when attendees are overloaded with aggressive marketing methods laden with buzzwords and low-value sales pitches.
Certifications are typically thought of as a way of proving what you already know. If that were the case, there would be no study guides or prep classes. When we pursue a certification, we typically gain a great deal of insight from within the wider knowledge scope represented by the certification.
Certifications force us to think across a broader spectrum about our profession. While certifications can be somewhat narrowly focused, such as ethical hacking or business continuity planning, they typically cover a wider and deeper range of knowledge and understanding of what we experience in our day-to-day jobs. Pursuing a certification usually provides an expansion of an individual’s starting base of knowledge.
The second benefit of a certification is that it has persistent, weighted value. They are usually maintained by paying maintenance fees and submitting proof of professional educational credits or additional learning opportunities, resulting in a level of persistence or permanence that does not exist when taking a class or attending a conference.
Certifications also provide recognition and demonstrate a commitment within a professional community, emphasizing a level of expertise within that certification’s scope. Organizations will sometimes list specific certifications as a job applicant requirement, but one thing is always certain: certifications are highly visible on a resume. From a recruiting and professional industry perspective, certifications provide valuable insight into a person’s character, ambition, and capabilities.
The Associate C|CISO
This is somewhat of a sales pitch but hear me out.
EC-Council recently created the Associate C|CISO Program. The idea was to enable aspiring security professionals by giving them access to the knowledge and skills required to be a security executive. If you don’t have the requisite experience required to obtain the C|CISO certification, this path allows you to get the same training and materials provided to candidates with deeper industry experience.
Therein lies the unique aspect of this specific certification. The Associate C|CISO program allows you to gain insight into your current skillset and see what you need from a professional experience perspective. This allows you to envision and implement a career path that will build out your career milestones, allowing you to achieve the goal of executive security industry leadership.
Another bonus of this certification is the exposure it provides to other current or aspiring security executives. The training is the same as that provided for the C|CISO certification, meaning you will sit in classes with experienced security professionals. Some are already executives, and others will be soon. As an Associate C|CISO, you will join the global C|CISO community, comprised of thousands of security program experts.
In summary, I have 2 points to make:
- Security leaders – invest in your team’s knowledge with training and certifications. You don’t know if they will stay or go, but you know your program will continue regardless. Your team needs to grow professionally.
- Aspiring security leaders – invest in your future and build your career roadmap. Consider EC-Council’s Associate C|CISO certification