Certification: check. Now what?

Cybersecurity certifications are proliferating, but developing an agreed-upon measure for experience and expertise is still difficult.


There has been a lot of buzz lately about the cybersecurity workforce: its significant gaps, its myriad opportunities, and the lack of clarity about how to bridge the two.

One critical problem is the absence of an agreed-upon barometer for experience and expertise, which makes it difficult for managers to determine the best hire and for job-searchers to determine if a job is the right fit. In recent months and years, programs have been cropping up to address this issue, including school outreach, university degree programs and a slew of certifications.

In an era when a bachelor's degree is the barest of minimums for getting into the cybersecurity field, IT certifications have emerged as the new standard. But it's a new and still-wobbly standard.

"There is some concern in the plethora of credentials and people trying to navigate the field – which ones reflect the right level of credibility and functional knowledge?" said Terry Erdle, executive vice president of CompTIA Certifications. "Certifications don't reflect a full depth, but neither does a computer science degree reflect two other degrees in philosophy. There should be stackable and really recognized credentials, industry-backed and industry-recognized, that anybody can understand what skill sets that credential reflects."

Already there are several certifications that are widely considered to be standard, an alphabet soup that includes CISSP, CompTIA, Security+, A+ and others. Still more are popping up and becoming more specific, such as credentials in cyber forensics.

In the government, certifications have become a primary HR tool, with the National Institute of Standards and Technology developing a National Cybersecurity Workforce Framework. Credentialing is even a requirement in some cases, such as the Defense Department's Directive 8570, which stipulates training, certification and management for all employees involved in information assurance activities.

"Under DOD 8570, you can't hold a job in cybersecurity unless you have one of these certifications – so DOD is using that in a much more regulatory way than private industry tends to," said Dan Ryan, an attorney who does consulting work for (ISC)2, an information security training and certification group.

Making sense of the sea of certifications is one thing, but what happens after attaining them is another. A one-time credential is only so effective when dealing with the rapidly evolving environment in cybersecurity.

"In any event, none of [the certifications] guarantees real depth or understanding. What they guarantee is somebody has worked in the field for a while and was able to pass the test," Ryan said. "This is a highly technical field, and there needs to be a code of ethics and some enforcement mechanism so those who claim to be practicing this discipline as professionals are held to appropriate standards. And there needs to be some kind of continuing education. If you got your Ph.D. in digital forensics 10 years ago, if you didn't keep up with the literature and conferences, you're way, way out of date in a short period of time."

The idea that IT certifications could take a cue from the medical field is one that is beginning to take root.

"It's much like how doctors stay conversant with various things – continuous education, opportunities to recertify. You have to recert every three years or you lose your edge and the timeliness of the content you're supposedly expert in," Erdle said.

Erdle, Ryan and others noted that with the cybersecurity profession in its nascent stages, the pieces and the partnerships are still coming together.

"It's a dance back and forth a little bit, but it's getting healthier and healthier in terms of taking advantage of academic strengths as well as the IT certification world," Erdle said. "We're collaborating more and more to demystify the landscape."