Give put-upon infosec bods professional recognition to keep them working for you, says chartered institute

As the UK infosec industry prepares for government initiatives intended to expand the sector, how should existing companies keep skilled professionals from jumping ship? Amanda Finch, CEO of the Chartered Institute of Information Security, tells us a thing or two about what she thinks works. The institute (CIISec) bills itself …

  1. Eclectic Man Silver badge

    Certifications

    I was an Associate member of the IISP, and a CLAS consultant (now retired). The issue with certifications and examinations is that there was some confusion over what was actually done, and the breadth of experience instead of just knowledge required to gain, for example full membership of the IISP. You not only had to know quite a bit about several different aspects of InfoSec, such as fighting virus infections in networks, business continuity, ISO27001, but have had, and maintained experience of doing it for real over a period of time.

    I failed my full membership of the IISP interview because I had never had to actually deal with a virus as a lead consultant, managed to ensure backups were taken so never had to invoke the full BCP / DR plan etc. Oh, and although I had passed the ISO27000 Lead Auditor course, I hadn't conducted a major audit running a team in the past 3 years.

    Contrast this with public examinations for, say 'A'-levels or degrees, and there is either specific coursework or a formal examination to assess the candidates. When CLAS went to a two tier hierarchy (just before CESG was transmogrified into the NCSC) looking at my job responsibilities, there was no way I could claim the experience required to get the upper tier, and just maintaining the lower tier would be difficult.

    So go for certifications if you must, but there are a lot of intelligent and able information security consultants out there who will struggle to get them if they have to actually have experience of doing the fire-fighting, DR / BCP, auditing every two years, because they will be working on bids, managing firewalls or other such things as their main jobs and their employers, however keen on staff development, will keep them there because they are good at it.

    1. Mike 137 Silver badge

      Re: Certifications

      In my experience, the NCSC CCP qualifications are the only ones currently worth a dime. I took my LCCP via the CIISec and it was quite a challenge, as it should be. Instead of just having to answer a bunch of crude multiple choice questions as for most infosec certs (I know, I've had to write and deliver courses for them), I had to first document, then explain live to a panel of knowledgeable experts, what I'd actually done in real world infosec.

      That's the only kind of certification that actually means something as it tests ability to deliver, not just to spout jargon. It's the equivalent of CCIE versus a four day PowerPoint crammer in the networking world.

      On one such crammer on risk management that I was contracted to deliver, on the last day one of the candidates (a working security practitioner) asked me "how do you use a risk matrix?". The course didn't allow me to say "Don't bother - they don't work" as the risk matrix would feature in the exam, so I had to explain that you read up one column and across one row. I wasn't allowed to add "both selected by wild guesswork" either, but I would have thought the basic principle would be rather obvious to a working security practitioner.

      Mind you, they've just revised the CCP certifications, so next time round it might well be a different kettle of fish.

    2. Anonymous Coward

      Re: Certifications

      Like a lot of engineers a couple of years back I thought about moving into security (as it was well paid and an interesting 'cross-cutting' set of problems to solve).

      What I found was you needed to be CLAS or you couldn't get the work to become CLAS. Similar to trying to get security clearance.

      The other thing that put me off was that in every project I've worked on, security is seen as a perpetual negative getting in the way and is never included properly until the last minute, by which point there have usually been some security-contrary design decisions baked into the solution. (It doesn't help that about half of the security SMEs I've worked with tend to say 'you can't do that' as opposed to saying 'here's a way to do what you want - if you change this, you can do it this way'...)

      1. Eclectic Man Silver badge
        Meh

        Re: Certifications

        AC: "It doesn't help that about half of the security SMEs I've worked with tend to say 'you can't do that' as opposed to saying 'here's a way to do what you want - if you change this, you can do it this way'..."

        As for finding a 'legal' way to do something, often there isn't one if it is actually illegal.

        See: https://www.theregister.com/2021/10/01/ikea_spycam_scandal/

        For another example, I attended a web presentation years ago about a wonderful new product that would figure out which of your company's staff were a security threat. All they needed was access to the entire company's HR files, personnel records, medical records (including absences and reasons, especially if off for 'depression'), all e-mails, Instant Messaging messages, Internet access, phone records and time sheets. I did ask about EU (at the time, as before 'Brexit') data protection legislation and was assured it was 'ok'.

        It was created in the USA, and after I contacted the company's Data Protection Officer with my concerns, I never heard of it again.

    3. martyn.hare
      Thumb Up

      Describes my situation in a nutshell

      I quit working temporarily to go get my MSc Cyber Security in 2019 but haven't truly used it since. I've done a few outsourced pentests but that's about it. In my day to day life, I'm mostly working as a glorified sysadmin but one who ends up answering questionnaires from third parties and who implements as many useful defences as possible while being assumed to be the guy who's broken everything whenever a fault occurs...

      Even with a decent employer offering me a pick of whichever certs I want to go for.. I have no idea what is or is not worth going for and whether I even meet the prerequisites given how varied my work ends up being. IMHO, the system needs an overhaul...

  2. elsergiovolador Silver badge

    Keeps on giving

    "People tend to stay in roles if they are being developed,"

    One of the effects of IR35 is that specialists running their own business no longer have funding for training, as a consequence of being taxed on revenue. Despite being their own employer and paying employer taxes, they no longer get benefits of being one.

    Since they cannot train themselves, their business will eventually decline and they'll go back to the pool of employees and they will no longer be able to decide what's best for them to learn.

    Inevitably, the employers will have to spend more money on training - but here is the catch - if an employee learns a new skill that is valuable on the market, they are more likely to jump ship and go to an employer who pays more, so the statement above is not entirely true.

    The employers will try to protect themselves by various means, which effectively means further enslavement of engineers - if they want to develop their skills.

    1. jmch Silver badge

      Re: Keeps on giving

      "if an employee learns a new skill that is valuable on the market, they are more likely to jump ship and go to an employer who pays more"

      I'm not sure it's that much of an issue. Pretty much every contract I've had as an employee had some clause that said 'if you resign within x months of getting some training paid for by the company, you have to pay back (x% of) the cost of the training'. And that's how it should be. Employers are safeguarded, employees get trained, and trained-up employees who jump ship will only do that if it's worth it to them.

      1. This post has been deleted by its author

      2. Yet Another Anonymous coward Silver badge

        Re: Keeps on giving

        Employer gets in a 'trainer' to show you a PowerPoint on not clicking on spam links.

        If you leave you have to pay back the 10K worth of cybersecurity training you have just received.

        Result - employees never leave.

        If only some southern gentleman in the cotton agriculture business had thought of it.

  3. Anonymous Coward

    IR35 has busted the Security profession

    When I was an employee, I was deskilling myself, so I had to book days off to attend seminars. I would also pay for my own training, as the company would not support new technology development. So I jumped to contracting: less stress and bullying, less ass kissing and more self development and money.

    Currently, inside IR35, there is no way to offset the cost of training / development, and no travel costs. But I pay as much as I can self-sacrifice into my pension. I will then take Xmas > March off and claim the tax back through my limited company (still keeping it going from the war chest). I will then use the time off to re-qualify for my certs and live on the tax I get back. I don't know if I can ask for the Employer NI back that the Umbrella company "stiffed" me on?

    If the Outside market picks up, I will start applying for roles. Or if I get an offer, I will just jump ship; I only have to give 5 days' notice. Not even working days, and no handover or knowledge transfer in my contract.

    1. elsergiovolador Silver badge

      Re: IR35 has busted the Security profession

      Just wait until they catch on that some contractors in scope only work 6 months in a year to avoid getting much over the higher tax bracket. I wonder how they'll solve it... 12 month minimum contracts?

  4. Anonymous Coward

    I worked with plenty of people who have loads of certifications, but are basically useless in the real world.

    I've also worked with some brilliant techies who are too busy solving technical problems to spend time going on certification courses.

    And if you want good people to keep working for you, treat them right and pay them well. It's not rocket science.

    1. jake Silver badge

      I've been in the biz for over half a century. I'm with you.

      Most certification is (in my mind) a means unto its own ... it only exists to provide the folks offering up the exams a job, near as I can tell. That and giving HR something to filter on ... and HR is almost as bloody useless as unions when it comes to IT.

      I almost always trash CVs and resumes that lean heavily on certification ... After all these decades in IT, it's painfully obvious that there are those who can do it in the trenches, and those who can learn how to take tests by the numbers. People who can do things only by rote are mostly useless in real world problem solving.

      1. elsergiovolador Silver badge

        There is one signal that certification gives to a recruiter - it is that a candidate is capable of following through with an expensive and pointless task.

        For some clients, this is quite a sought after ability. For example, if their organisation has political / family / favour hires that would want to have subordinates acting on their whims and not complaining.

    2. Plest Silver badge
      Facepalm

      Has everyone forgotten about the glut of MCSEs in the mid-90s when MS server software started to get popular? Everyone had MCSE qualifications, so much so that they were worth absolutely bugger all.

      When I was studying for some certs I found a nice little underground network of sites that would trade in the answer sheets to major certs. Anyone taking a cert would record the questions/answers every time for others, and they'd build up answer sheets that would rise in value the more questions were added and the more accurate the answers became. In the end all you needed to do was hang out long enough and just grab the crib sheets, sign up for the online exams and bingo, you could do 8-10 certs a month with 90%+ scores and passes!

      I decided at that point that all certs, except physically adjudicated ones, were absolutely fricking worthless and the exams are just money spinners for the companies selling the original software the certs are for.

    3. Warm Braw

      I worked with plenty of people who have loads of certifications

      I still get phoned up by some of them asking questions which are often quite spectacularly disconnected from How Things Work™. I've also accompanied a number on jobs to help translate actual technology into concepts they recognise.

      But I'd hate to spend most of my life writing volumes of procedures and policies or auditing firewall rules or whatever most of these people have to do to earn a crust. If they want a few letters after their names in exchange for slogging on, then it's hard to begrudge them it, because, in reality, these things have to be done.

  5. Anonymous Coward

    It will come to a point where sec pros do everything because everything has a security element.

    I know I'm not the only one that gets hit with any problem that has "security" or "risk" in the title.

    Defining break/fix, policy, standards, governance and security problems and allocating them appropriately would help.

    1. Eclectic Man Silver badge
      Joke

      Umm did you mean:

      "It will come to a point where sec pros are blamed for everything because everything has a security element."

      ?

  6. jake Silver badge

    "how should existing companies keep skilled professionals from jumping ship?"

    As an employer, I've found two things that work in tandem.

    The first is to treat your employees well.

    The second is to pay them at the upper range (or over!) of the pay scale people receive in similar positions nationwide. Seriously. Pay them. Money. Lots of it. They are the best you can find, right? Almost impossible to replace, right? You want to keep them, right?

    1. Throatwarbler Mangrove Silver badge
      Joke

      Or, and I'm just floating this possibility, hire cheap, shitty employees, pay them low wages, and psychologically abuse them to the point that they don't have the confidence to look for work elsewhere.

      1. jake Silver badge

        All joking aside, it boggles my mind that some try to turn it into a deep, dark art.

        C'mon, people, it's not exactly rocket surgery!

      2. Anonymous Coward

        That's the public sector methodology, apart from the shitty employee part!

        In 2006 minimum wage was 40% of my salary.

        In 2021 minimum wage is 58.6% of my salary.

  7. Robert Grant

    > While Finch says CIISec doesn't endorse any one specific certification or competency framework,

    Brilliant.

    Basically this is an ad for a professional body trying to legitimise itself enough to become a gravy train for its execs. "Speaking passionately" is not helpful. If the role is rote enough that certifications can help, then enumerate them. Otherwise it's not ready for them and we should work on that before just encouraging people to spend their time on likely useless paperwork.
