Speaking at the Cyber Recoded conference in London, Steven Furnell, professor of cybersecurity at the University of Plymouth, discussed the quantity of certifications and the need to understand what is most suited for a person.
Pointing to industry reports around the shortage of skilled people in the industry, Furnell said that this “means organizations are employing and wages are increasing significantly,” while the National Cybersecurity Strategy shows that actions to tackle the skills shortage are in progress. However, Furnell admitted that there is “no single path” to a career, and there is a range of certifications you can gain and use.
Referring to the level of skills and focus, Furnell explained that certifications differ in what they require and in what they say about the person, and even with a vendor-issued certification, it “doesn’t necessarily mean skills in a particular product, but skills of some degree.”
He added that, across different providers and certifications, not all are the same. He highlighted CompTIA’s Security+ as being “very much geared towards entry level practitioners” and as not requiring prior experience; however, the salary expectations for someone with a Security+ or a CISSP were very similar.
He said: “The industry is not aware of what a certification brings to the table, but does that mean it is the wrong thing to look at? Experience is the key, and not just getting the certification, but where you get them [employees] from and what they bring to the organization.”
He concluded by saying that security requires proper education and knowing how to fit in, but that professionalism cannot just be taught; you need the right attitude “and if you want to be a pen tester, it is the level of professionalism in which you do that role.”