This feature first appeared in the Fall 2019 issue of Certification Magazine. Click here to get your own print or digital copy.
An advantage of having longevity in the information technology field is that you gain an understanding of where we are today and how that compares with circumstances of the past. That kind of perspective informs lessons that can be passed on to the next generation of IT professionals and students.
One such lesson relates specifically to economic principles associated with supply and demand. Broadly speaking, a long-term perspective on supply and demand strongly suggests that where a resource is in short supply, the demand for that resource is high, resulting in the cost for the resource rising.
Mindful of the fact that IT certifications, from a historical standpoint, rose in importance during the final decade of the 20th century (1990-1999), it is helpful to review the conditions of that place and time. Among established programs, Novell was the primary leader in the certification arena with its CNA and CNE certifications.
Microsoft made great strides in the latter half of the decade, leading the charge with its MCSE certification, and cementing that leadership in the early years of the 21st century. Every aspiring IT professional wanted to achieve the coveted MCSE certification, and for most who received it — by passing the six (6!) required exams — employment opportunities arose, even for students without work experience.
When we turn the clock back to the present day, the identities of popular certifications have changed. Gone from the scene is Novell and its popular Netware operating system. Microsoft is still around, with its workstation server products continuing in popularity, but facing strong competition from the open source community.
The former clamor for MCSE certification has died down. In its place, we have a broad array of certifications that focus on cloud technologies, cybersecurity, and some surprising emerging technologies.
Starting your cybersecurity career path
For some current perspective on cybersecurity certifications, the Cyberseek website, sponsored by the U.S. Department of Commerce, is useful. It details on a national level, as well as state and metropolitan area levels, the size of the cybersecurity workforce and the total number of cybersecurity job openings.
Cyberseek also tracks five certifications — CompTIA's Security+, the CIPP offered by IPPA, (ISC)2's CISSP, and the CISA and CISM credentials managed by ISACA — and one distinct class of security certification, GIAC (which includes more than 35 individual credentials). Cyberseek lists the number of people who hold each certification for a defined region, along with job openings in that area requesting that certification.
Cloud security certifications are relatively new to the field and fall into two major categories. Those categorized as vendor neutral (i.e., not tied to a specific product or technology) include CompTIA's Cloud Essentials+ and Cloud+, the Cloud Security Alliance's CCSK certification, and the (ISC)2 CCSP certification. On the vendor side, the two front runners are the Amazon Web Services Certified Security — Specialist cert and Microsoft's new Azure Security Engineer (AZ-500) cert.
Having some familiarity with these credentials, I judge that for most people considering an IT/cybersecurity career, it makes sense to begin with lower-level certifications. For security job roles, consideration should be given to the CompTIA line of certifications considered by some as the certification trifecta. That is their A+, Network+, and Security+.
These three certs serve a foundational role, providing evidence of both a willingness to learn and some proof that you understand the basics of information and communication technologies. The importance of the big three used to be measured in terms of landing that first job as an IT specialist for the U.S. Department of Defense, which requires CompTIA certification as a prerequisite to employment.
Even with the benefit of certification, however, job seekers in this industry are likely to struggle without any professional work experience. We are all aware of that long-lived catch-22: In order to get a job, you have to have work experience, but in order to get work experience, you have to have a job.
This is where creativity becomes important. Ask yourself the question, How can I get an employer to hire me with my limited level of certification and little or no work experience? The answer may well be: by following some of the career development suggestions detailed below.
Demonstrate a passion for both lifelong learning and the cybersecurity industry
I often tell people considering cybersecurity as a career pathway that there is only one requirement. You must be a lifelong learner willing to take the time necessary to keep up with technology. If you do not have a LinkedIn account, then get one. Use your profile in a manner that tells a story about what you are doing that evidences a commitment to lifelong learning. For example, display certifications you hold, providing sufficient information for a potential employer to verify certification attainment.
LinkedIn provides the ability for you to become an author, composing articles that establish your ability to write in a quality manner. Pick content that you are both familiar and comfortable with to write about, and stay within your knowledge, skills, and abilities. Bear in mind that your work will be read by others and you will be judged on your communication ability. Have a trusted colleague proofread your work before you click Publish.
Consider participating in cybersecurity-related organizations. I've provided the list below to students in Southern California as a means of identifying networking opportunities. This is region-specific and you may not have access to some of these organizations in your local area — but you do have internet searching capability. Try finding groups that may interest you through websites like MeetUp.
Here in southern California we have a variety of national and international organizations that provide this ability to network on a local level. Specific networking opportunities available here, and which may be available in other locations, include the following:
Infragard: An FBI-created public/ private partnership. Joining requires you go through a process characterized as a security risk assessment.
ITDRC: The Information Technology Disaster Resource Center is a volunteer organization that provides communities with the technical resources necessary to continue operations and begin recovery after a (natural) disaster. It harnesses the collective resources of the technology community to provide no-cost Information, Communications, and Technology (ICT) solutions that connect survivors and responders in crisis.
ISSA: The Information Systems Security Association is an international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members.
ISACA: This organization engages in the development, adoption, and use of globally accepted, industry-leading knowledge and practices for information systems. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves.
(ISC)2: An international association for information security leaders, committed to helping its more than 140,000 certified members learn, grow and thrive.
AITP: The Association of Information Technology Professionals was created in partnership with CompTIA, and serves as the go-to resource for individuals seeking to start, grow and advance a career in technology.
Consider learning other skills and provide evidence of attainment
When most people think of what is required to thrive as a cybersecurity professional, they think about having the knowledge, skills, and abilities associated with defending and attacking networks. While those skills may be important, there are certainly other skills that play into this role.
Reliance on useful information when making decisions about what we should be teaching is helpful. The New Foundational Skills of the Digital Economy report, issued by the Business-Higher Education Forum and Burning Glass, helps to define the nature of skills employers are seeking for the digital workforce. The report discusses three separate categories of skills.
The recommended skills under the heading Digital Building Blocks are managing data, software development, computer programming, analyzing data, and digital security and privacy. Recommended skills given under the heading Business Enablers are business process, project management, digital design, and communicating data. Finally, under the heading Human Skills we find collaboration, communication, critical thinking, creativity, and analytical skills.
In a recent posting on a closed forum for CompTIA instructors, one of their executives posed the following question: Did you know (that) out of the 129,397 total U.S. cybersecurity job postings during Q1 2019, Project Management was rated No. 4 as a top specialized skill?
When I asked about the source of this information, I was told they got this specific data point from the Burning Glass Technologies Labor Insights Tool, May 2019. I'm not surprised by the finding. Having taken and passed different version of exams for CompTIA's Project+ certification, I know of the value of the information and skills I learned by pursuing this certification.
The New Foundation Skills report also identified what we in education commonly refer to as soft skills. From the perspective of a technical educator, this is a challenging area, and progress in gaining and refining these skills generally results from experiences both inside and outside of the classroom.
Communication skills (including writing) will improve by participating in the activities identified above. Learning how to react in a collaborative fashion can happen through the participating in those groups identified above. Critical thinking, analytical skills, and creativity are a natural byproduct of both learning and working. They will be fine-tuned through both personal networking and on-the-job experience.