#InfosecurityEurope: Certifications are no guarantee of security

According to the CISO panel, over-reliance on security certifications can lead to a less diverse and innovative workforce, and processes designed to please auditors rather than improve security.

Speaking at Infosecurity Europe, Trainline CISO Munawar Valji, IASME Consortium CEO Dr Emma Philpott, and BBC CISO Helen Rabe said professional certifications are a key asset for potential employees, but asked whether the hurdles are being set too high, or whether the emphasis is on “technical reliability” over practical cybersecurity skills.

Organizational certification may also be employed to meet the requirements of auditors, cyber insurers, or as required for tenders and bids. This can lead to organizations doing the bare minimum of work required to get certified rather than improving their security.

In some cases, HR departments and even recruiters may demand an “alphabet soup” of qualifications that most candidates don’t possess, Rabe warned. However, even applicants with excellent paper qualifications may not actually be able to “perform the requirements of the job”.

“We need to figure out what’s important and if what we’re looking for is realistic,” she said.

Valji acknowledged that certifications play an important role, especially for cybersecurity professionals looking to establish technical credentials early in their careers. However, certifications are not very effective at indicating whether a person has management skills or the ability to communicate with business leaders.

“It’s not necessarily the certificate that matters, it’s about getting the right results,” explained Valji.

Additionally, certificates can be a barrier to attracting new talent, argued Philpott. “Certificates should be accessible and affordable, especially for individuals,” she said.

Talented candidates should not be excluded from the workforce. Also, some industry qualifications are not adapted to the needs of, say, neurodiverse applicants, despite the skills they have to offer the industry.


The panel found both benefits and pitfalls with regard to certification for organizations. Obtaining certification has both an initial cost and a maintenance cost.

“Maintenance can be time consuming and cumbersome,” said Rabe. “We need to determine if a control no longer makes sense.”

However, the same overhead is also part of the advantage. Schemes such as ISO 27001 prove that an organization is continuously compliant, Valji suggested. “It’s not something you do one day and finish,” he said. “We are expected to be compliant and to maintain the necessary hygiene.”
