Barriers to entry and why they are needed in Cybersecurity.
Whenever two or more gather in the name of Cybersecurity, the topic of skills shortage, promptly followed by barriers to entry, is likely to come up. My observation is that there is a genuine problem with, and dislike of, the idea of having barriers to entry. Barriers in this case refer to the minimum requirements a candidate must meet before they are allowed to join the cybersecurity field. There is the belief that attitude and willingness are enough.
My take: If you find yourself on an operating table, about to undergo a life-or-death operation, would you be comfortable if the surgeon was appointed on the basis of attitude and willingness, or would you prefer a skilled and knowledgeable person who has completed a defined body of knowledge, who with a great degree of certainty has been taught and assessed according to universal standards?
Why do bridges last and software fail (in most cases)? Could it be because engineers who build bridges all had to study engineering, and they consistently apply mandatory universal standards? On the other hand, engineers who build and secure software sometimes train themselves, other times go to university, and other times are trained by a friend or private academy… at this point it really is like a box of chocolates, you just don’t know what you are going to get.
My view: Barriers to entry are required to maintain the integrity of the cybersecurity industry. The question is not how we lower the barrier, but rather, how do we enable and support those who want to break into the field to rise to the occasion. The answer is never to lower the standard, it is always to increase the quality of the candidate to meet the standard.
Note: The issue of incorrectly specified jobs is not what I am addressing. An entry-level role asking for a CISSP is an entirely different problem. I agree, that is a valid problem 😊
IT Manager | DIT | ISC2 CC | CompTIA CYSA+ | Qualys Certified | AZ-900 | Philomath
8mo
A well-written article Grant Hughes. Very good points made. People want to spend on professional services and not so much by a Jack of all trades. With that said, the bar to get into Cyber needs to remain. It's a frustrating bar to deal with, but it has to remain in place.
The Silicon Boy of Africa | ISACA Young Professional Award 2023 | Certified Information Systems Auditor | BCom Information Technology Management | Founder/CEO | AI Evangelist | Former Creative Director |
8mo
Not everyone has to be in the industry; however, everyone should have the knowledge. Remember, people are the biggest weakness in every Cybersecurity solution we put in place... Let everyone know; very few will show interest based on its complexity
CompTIA Security+ | ISC2 Certified in Cybersecurity (CC) | End-user secure computing.
8mo
Great article Grant Hughes, especially when you drive it home with the analogies you used. It makes one see things from a different perspective and always creates ease of understanding.
Information Security Officer (CISO) | Co-Founder of Journeys to Inspire | Mentor | Top Cyber News Top 40 under 40 | Top 50 in Cyber South Africa | Top 100 Women in Tech South Africa | Nominee Wired4Women Mentor Award
8mo
I agree that we need minimum requirements as there does need to be a level of some understanding. The issue of diversity though can be addressed through changing our job specs, which are limiting the pool of applicants who apply. If we asked for the minimum then anyone who had that will apply. CISSP is not the min so I agree with your last statement 😂
DLP Officer | Endpoint Security | DLP | EDR | ISC2 CC
8mo
A lot of young people want to skip the steps of learning fundamentals of IT and just go straight into high-paying cybersecurity roles, which is impossible. To overcome barriers to entry I think people should be willing to start by learning the basics first.