There are many routes for an individual to become a cyber security professional. Some people enter the workplace straight after school, with minimal cyber security expertise, and develop on the job. Others study university degrees in cyber security or computer science to gain relevant knowledge before joining the workplace, while yet others study degrees in entirely different subjects which give them transferable skills, and subsequently work in cyber security roles. Some people transition into cyber security roles after working in adjacent areas, and some people change careers entirely to become cyber security professionals, sometimes accompanied by spending time upskilling on training courses.
In many of these routes, an individual’s first role in cyber security is likely to be entry-level. However, the number of entry-level job seekers outnumbers the entry-level roles available. It is difficult to generate more entry-level jobs, so the challenge becomes how job candidates can gain the experience needed to apply for roles at other levels without actually having work experience – a classic chicken-and-egg scenario.
Professional certification may provide part of the solution to the problem. Where education at school and university normally focuses on knowledge, employers often want provable practical skills to indicate that a candidate is job-ready. Professional certificates provided by ISACA, SANS, CREST, CompTIA, ISC2, SFIA, and others are intended to provide assurance that the certificate-holder has both knowledge and skills in the area covered by the certificate – some more specific and some more general. It may therefore be possible to position certifications as a bridge in lieu of experience. Additionally, the certification bodies themselves can be bridges within the cyber security community. Because they have relationships with both employers and (prospective) employees they can potentially help connect those who need skills with those who have skills.
For certification to fulfil this potential, a couple of supporting actions are required. Firstly, the aforementioned baseline for a minimum quality standard for cyber security professionals is needed. The baseline would normalise certificates so that no certificate holders fall below the minimum standard, even if most holders would be significantly above it. This helps employers understand what knowledge and skills, at a minimum, they can expect from a certificate holder. Crucially, a baseline agreed at international level will improve the portability of certificates between countries, enhancing the current international recognition of certificates and saving certificate-holders from needing to acquire multiple versions of the same certificate.
Secondly, the interoperability of professional frameworks. Activities like mapping and recognition, as previously mentioned, should include the role of certifications within each framework so that it is well publicised and understood by policymakers, employers, and employees. Ideally this can be done at a granular level down to individual certificates, although such efforts would need regular updating to account for certifications being redesigned in response to market requirements.