“We need a paradigm shift to focus more on skills and abilities, and less on traditional credentials,” Rodney Petersen, the director of NICE, tells Ars. “Employers must pledge to base their hiring on skills, not on certifications or degrees.”
A greater focus on skills could reduce the total number of security workers needed. Tentler questions whether the skills shortage is as grave as the ISC2 study suggests, and points out that sourcing the right people can dramatically reduce the headcount required.
“One of the reasons why Google and Facebook appear to have wizards running their shops,” he says, “is because three people who know what they are doing and are competent are orders of magnitude more capable and will provide better results than 25 people who have no idea what they are doing.”
Nor are computer science degrees necessarily the answer. Although a solid background in computer science can help, especially with application security testing, Ptacek tells Ars that a CS degree on its own is no guarantee of success as a penetration tester—in fact, a reliance on credentials-based hiring to fill these mission-critical roles is the real problem.
“I push back on the idea that there is not enough talent out there,” he says. “We don’t need to train a new generation; we need to do a better job of breaking down the wall that HR and tech managers put up as an excuse to not bring people in.”
Although I possess a CISSP and value it, the certification alone does not demonstrate any proficiency or ability to practice cyber security. People still need to possess actual skills – such as penetration testing, code review, network security engineering, and other disciplines – before being hired by an employer.
Companies that place more value on mere certifications or degrees over actual skills and experience are hiring wrong.