Conversations in Risk-Based Security

Competency: Why Certification isn’t Enough

Posted by Lynx Technology Partners on Mar 25, 2020 10:00:00 AM

LYNX Technology Partners is fortunate to work with industry thought-leaders from around the globe.  We have learned a great deal from conversations with these leaders – these conversations continue to inform our day-to-day business, and the creation of industry solutions.  We thought YOU might like to ‘eavesdrop’ on some of these fascinating conversations. 

In this article, we are visiting with our own Kerstin Zell, Dir. of Risk Management and Operations at LYNX Technology Partners.

We were in a company meeting discussing the industry concerns related to workforce shortage.  Kerstin quickly took the conversation to a whole other level, with a great deal of insight, based upon work and study she has done on this very topic.  She made a few things very clear, and pointed out a few current ‘shortcomings’ in the field related to education and training.  We asked her to visit with us more about her thoughts, and potentially share some solutions – here’s what we heard, and learned:

LYNX Technology Partners (LTP):  Kerstin – it seems you have a lot of working knowledge about the workforce shortages in cybersecurity.

Kerstin Zell (KZ):   Yes, in my current role, and also in my roles at non-profits I am engaged with, I have had the opportunity to take a closer look at the “Cyber Security talent gap” that is always being described. It is correct that finding the right people for the right roles at the right time is an issue for almost all companies when it concerns Information Security.

LTP:  Do you work directly in human resource matters?

KZ:  No, even though I have worked closely with HR in other roles, I am not part of the HR team. But I can support HR and their efforts with the perspective I have gained in the competency space. One thing to also note is that this perspective equally supports the Information Security Leaders of companies, as in some companies Information Security Teams are beginning to take more control over the hiring process, getting more engaged in the early vetting process and creating requirements.

LTP:  Regarding the ‘issues’ that you mentioned; what are your clients and the industry’s greatest pain points?

KZ:  First and foremost, some people may argue that there is a “true” shortage. The question is, by calling the current situation a shortage, are we over-simplifying the problem? Is the number of competent employees the only problem? Or is it an actual shortage or the inability to place the right people in the right positions? In my mind, both points are factors.

A big part of the issue is a lack of standardization of positions across information security, with different companies/industries/sectors asking for completely different skill-sets for the same title or throwing multiple skill-sets into one role. Because of this it is often difficult for potential candidates to align their skillset to posted roles. On the other side of the coin, it is also difficult for employers to identify the right candidate based on their competencies.

LTP:  Can you share a little more about the ‘lack of standardization’ – what standards are there, and how can that benefit an employer?

KZ:  Many companies fall back on what they know when hiring, whether it is degrees, certifications or research they have done. But more and more, this is not enough and may even bring people through the door who may not truly be what the company is looking for or needs at the time. As many know, NIST (National Institute of Standards and Technology) has created the NICE (National Initiative for Cybersecurity Education) Framework.  This Framework is a comprehensive and focused resource that establishes a common language and taxonomy to describe cybersecurity work and roles.  It is a great tool, but…it is a big framework with lots of data points - and with over 3000 knowledge, skills, and abilities outlined, it can be difficult for companies to navigate.

LTP:  That seems like it creates yet another ‘issue’ for the industry.

KZ:  In some ways, it does. The way companies utilize the NICE framework, or any framework, differs widely.  Some companies utilize 3-4 key skills from the Framework in their various job descriptions, others try to align positions more closely, and some may not have experience with the framework at all. With few following the Framework at – let’s say – even a ‘higher’ level; that is, integrating more of the skills requirements into their job descriptions, there can definitely be a disconnect within companies (and across the industry). What is also alarming is that not having the right talent in the right positions sets a company up for heightened risk.

LTP:  So how does a company work within that Framework, and make it work for them; or what do you recommend for your clients for assessing and benchmarking talent?

KZ: Holistically, I believe it begins with site- and industry-specific Risk and Talent Assessments, which is something LYNX helps our clients with every day.  When first looking at it, the NICE Framework can seem a bit ‘clunky’, but here at Lynx we have experience marrying companies’ needs with the framework content. We can help companies understand their current competencies and potential gaps associated with those, which allows clients to strategically plan and budget for addressing those gaps, mitigating risk and overall building a well-rounded and, in return, also happy workforce. At a minimum, companies should conduct their own assessment of need and risk, and then establish their own competency testing in alignment with industry standards led by NICE & NIST.

LTP:  And there are a lot of certifications out there that help a company ‘get there’, too – right?

KZ: Yes, there are a great number of certifications that can be helpful when working in the cybersecurity field. However, a certificate alone does not mean the person is the right fit for a particular role, or holds the competencies needed. Nor does a certification guarantee risk reduction or risk mitigation, which again is tied to a company’s specific risk profile.

Additionally, the speed of innovation – particularly in the cybersecurity space – can make it difficult for companies to navigate the framework and make it “fit”. And while the framework is extremely helpful and does receive updates… just based on the pure speed of change, it may not be updated as quickly as needed for some companies. It is also important to remember that the NICE Framework is intended to be applied in the public, private, and academic sectors, but still includes some areas that read more “government/military” related. This is just something to be aware of.

LTP:  Since you have been working with clients on these issues for some time, what can they do?

KZ:  There are a number of steps that can be taken that will help a company better address its workforce shortage, better assure they hire the right people AND keep them; and there are steps that can be taken to make sure that the talent that is hired aligns to that company’s risk profile.  At LYNX, we actually have developed a set of tools to help our clients navigate the NICE Framework, provide real-time gap analysis, while matching results to the company’s specific risk profile.

And we like to share with clients that by using competencies as building blocks, they can create an integrated talent management network within their organization, to ensure they are hiring, developing, and promoting the right people into the right positions.

I truly believe that the more people we get to speak the same language, the more we will be able to bridge the earlier mentioned “talent gap”. The NICE framework lends itself well to do just that, and a big part of what Lynx does is help companies develop a feel for that language (internally first), but that language will ultimately also have a ripple effect and impact the industry.

Our main interest in working with clients is that they have AWARENESS about the necessity of skills alignment; first, to meet guidelines and standards, and more importantly, to manage their own – and their clients’ – risk. The right people, with the right skillsets, aligned with the company’s own risk profile…well…it’s critical.  And again the caution:  certifications should not be simply ‘accepted’ as that ‘ready’ indicator.  Certificates do not replace competencies, they are a part of competencies.

LTP:  It seems the takeaway is one of competency OVER certification…?

KZ:  Well, it’s definitely a combination of these elements, coupled with the individual’s ability to work within that company’s culture, their soft skills, and so many other things, too. Competencies are crucial for success in all aspects of talent management. I truly believe that by using competencies, organizations are better prepared to tackle evolving job markets, develop effective leadership, hire the best people, improve employee performance and ultimately impact the standardization of terminology in a positive way.  So I think if I could share a takeaway, it would be:  Lean into a framework placing competency as a hiring priority and align talent to meet your company’s risk profile.

LTP:  Got it.  This is great information and food-for-thought.  Thank you for making the time today, and allowing folks to ‘listen’ to your thoughts regarding this very important topic.