(ISC)² today announced plans to pilot a new entry-level cybersecurity certification exam to add its existing lineup of professional certifications and provide aspiring security practitioners with a professional development path early in their infosec careers.
Officials describe the new qualification as a "foundational certification" that will also play a role in helping businesses, educators, and governments bring more security pros into the workforce. An entry-level certification will help to narrow the gap that currently exists between entering the security industry and being able to verify and advance skills through industry qualifications.
Organizations have long been challenged to find qualified security practitioners for a growing number of open positions. There are several factors driving the problem, among them a disconnect between employers seeking specific skills and the job candidates who have those skills. (ISC)² believes an entry-level certification is one solution to help address the issue.
"While there are many contributing factors, we believe one solution is to create a certification that enables candidates — including students, young professionals, and career changers — to demonstrate to employers their familiarity with foundational cybersecurity concepts as determined by cybersecurity professionals and practitioners already in the field," (ISC)² writes.
There is a need for a security certification that is both accessible to newcomers and recognizes many people want to transition into cybersecurity roles but don't have direct experience in. Recent (ISC)² data reveals half of security practitioners new to the field (with less than three years' experience) came from an IT background, compared with 63% of those with three to seven years' experience. A certification might help entrants demonstrate their skills without years of experience or a degree.
"Employers need confidence that when hiring new entrants into the field that they have a solid grasp of the right technical concepts and have demonstrated an aptitude to learn on the job," (ISC)² says.
Entry-level security positions often require certifications like the CISSP, which is unrealistic for entry-level applicants because it requires five years of experience. As a result, many of these open positions remain vacant and aspiring security pros have fewer options to get a start in the field.
How can this certification help industry newbies demonstrate they're ready to take on a security job? That's still in the works, (ISC)² says. The organization is seeking input from the security community to develop a pilot exam outline and has published a survey to help validate core skills and abilities security practitioners think are necessary for early-career professionals.
(ISC)² has not yet announced a publication or testing date for the pilot exam.
Bridging the Employer-Employee Gap
In a panel at this week's virtual (ISC)² Security Congress, experts discussed the challenges of hiring in today's security workforce. The obstacles for aspiring security pros often depend on where they apply. Some organizations, such as larger corporations and government agencies, still require advanced degrees but many, especially small and midsized businesses, are starting to place more value on experience than degrees, said Rodney McLeod, CEO of McLeod Information Systems.
Still, he added, it takes a good amount of work to prepare for an entry-level security role and tech experience does help.
"Entry-level cybersecurity … you still have to have a lot of knowledge to be entry level," McLeod said. "You can't be, in my opinion, a two-year college student and jump right into entry-level cybersecurity."
He advised those looking to get started in security to seek out opportunities to build that knowledge; for example, with a help desk or IT support role for a larger organization. Once they have their foot in the door, they can work hard and communicate with the security team to demonstrate they understand security and they're willing to work their way up to a position.
It's this willingness, combined with the aptitude for critical thinking and troubleshooting, that can also set entry-level practitioners apart, McLeod added. "If you have someone with that natural ability in some other field, they'll come over real easily," he said.
This idea has been echoed among security experts across the field: in a discipline that is quickly and constantly changing, what's important is knowing the fundamentals and being motivated to stay on top of the issues businesses face and the technologies they use. Employers are encouraged to be more open-minded when hiring new security pros. They don't just need skilled hackers; they need people who can think critically and solve complicate problems.