IT newbs and INFOSEC

I saw this in the SANS NewsBites for today:

The idea that people without technical backgrounds can become
cybersecurity experts merely by obtaining a certification is doing a
disservice to the people and to the cybersecurity industry. The demand
for skilled cybersecurity professionals far outstrips their
availability. One way to address this problem is by defining a
cybersecurity career path, which could include learning foundational
skills in systems administration or tech services, continuous training
and skills development, and eventually more complex jobs.

There’s a myth circulating in the race to recruit and train up cybersecurity professionals that even those without a technical background can become a cyber warrior.
With a radical shortage of skilled cybersecurity talent, experts across the cyber industry have fueled the belief that anyone, particularly transitioning military personnel, with or without a technical background can enter the in-demand field and be successful, Alan Paller, founder of the SANS Institute, told Wired Workplace.“What we’re doing is lying to people getting out of the military to say that if you get, say, a Security+ certification, then you’ll be a security expert,” Paller said. “Then they get a job and don’t know how to do anything. It’s a lie they’re being told, and it’s damaging.”

Why Cyber Jobs Need a Career Path - Nextgov.com

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Devilry

It's like teaching a newborn algebra before what numbers are and mean.

docrice

While I generally agree with the overall sentiment of the article, at the same time I can't help but notice these statements are coming from two very well-known training/certification-related organizations who stand to gain a lot from technology professionals leveraging their services. Not that I don't recommend SANS training, obviously, because I keep taking their courses.

Infosec is a lot about knowledge depth as well as maintaining awareness of the overall bigger picture. This is a difficult thing to do when technology is diversifying, getting more integrated, and increasing in complexity with each passing day. It requires a serious commitment, and a common theme among infosec folks that I've worked with is the constant struggle of catch-up, lack of resources, lack of funding, lack of time, and only a few occasional wins in a field of many losses while maintaining sanity.

It's hard to find good people though. I've been looking through resumes, talking to candidates, and trying to locate a needle in the haystack but getting someone with a good combination of self-ambition, mindset, skill, and communication ability is not easy.

zxbane

This does raise some very valid points, as I have heard others on this forum say before, how can you possibly protect something when you have no clue how it functions? I do agree with docrice as well that it is coming from a organization that would benefit greatly from increased training of individuals going into the field. However, I don't think it is unfair for Paller to make those statements because the fact that his organization would greatly benefit from increased training of individuals going into the field doesn't change the fact that they are inexperienced to begin with, his organization just happens to be in a great place.

Being prior military myself, I saw/see it a lot where people say "oh you got a clearance and sec+?, you'll be fine!" But in reality that isn't or shouldn't be the case because many of those people honestly don't know much about anything outside of a few simple tasks they performed daily while in the military. The worst part is it is those very same individuals who frequently fill government/DoD positions and are left responsible for securing systems that could potentially impact national security.