Over-reliance on security certifications can lead to a less diverse and less innovative workforce, and to processes designed to satisfy auditors rather than improve security, according to a CISO panel.
Speaking at Infosecurity Europe, Munawar Valji, CISO of Trainline, Dr Emma Philpott, CEO at the IASME Consortium and Helen Rabe, CISO at the BBC asked whether professional certifications were setting the bar too high for potential employees or emphasizing “technical credibility” over practical cybersecurity skills.
Certifications for organizations might also be adopted to meet the demands of auditors or cyber insurers, or because certification is required for a bid or tender. This can lead to organizations doing the bare minimum required to achieve certification rather than improving their security.
Sometimes, HR departments or even hiring managers ask for an “alphabet soup” of certifications that few candidates would possess, cautioned Rabe. However, applicants with strong paper qualifications might be unable to “execute the requirements of the job” in practice.
“We need to figure out what matters and if what we are asking for is realistic,” she said.
Valji acknowledged that certifications play an important part for cybersecurity professionals wanting to establish their technical credentials, especially early in their careers. But certifications are less effective at showing if someone has management skills or the ability to communicate with business leaders.
“It is not necessarily about certificates but obtaining the right outcomes,” Valji explained.
Further, certificates can stand in the way of attracting new talent, Philpott argued. “Particularly for individuals, certificates need to be accessible and affordable,” she said.
Able candidates should not be priced out of the workforce, and some industry qualifications are not adapted to the needs of, for example, neurodiverse applicants, despite the skills such applicants can offer the industry.
When it comes to certifications for organizations, the panel found both benefits and pitfalls. Obtaining certification carries a cost, both initially and for maintenance.
“It can be time consuming and cumbersome to maintain,” said Rabe. “You have to figure out if controls are no longer relevant.”
However, that same overhead is also part of the benefit: schemes such as ISO 27001 prove that an organization is continuously compliant, suggested Valji. “It is not something you do on one day and walk away,” he said. “You are required to be compliant and ensure that your hygiene is all it needs to be.”