We invite you to read an interview with Paul Hoffmann, the Director of Certification Programs at Logical Operations. We talked about developing certificates in cybersecurity, getting qualified in the field and Logical Operations’ new exciting project – take a read, it’s worth it!
[eForensics Magazine]: Tell us, how difficult is it to develop a certificate these days?
[Paul Hoffmann]: With all of the tools available, the process is easier than it has ever been, but the environment is difficult, given the perception of paper certificates. In order to overcome that perception, a certification program has to be developed using rigorous controls that validate the process.
[eFM]: What gave you the idea to create a new certificate?
[PH]: There is a gap in cybersecurity at the generalist level that our CEO, Bill Rosenthal, identified. When we tested the idea with our partners, they were highly supportive. Logical Operations has been creating instructor-led training materials that support other certifications for more than 30 years. We already know what it takes to support the learning side of a certification; we just decided that it was time for us to become a certifier ourselves.
[eFM]: What challenges do you think you’ll have to overcome on your way there?
[PH]: The biggest challenge is perception of value. If the certification is perceived as valuable, then it will be successful. Awareness of the certification is a close second. People have to know about it. They go hand in hand.
[eFM]: Certification is now one of the most important ways to prove your expertise in cybersecurity. Do you think that we can trust certification? Can having a specific certificate really tell us how good a professional is at their work?
[PH]: There are two ways to validate skills: certification and experience. With such a great gap between the number of cyber professionals needed and the number with experience, certification is the next best way to determine an individual’s knowledge. However, an individual needs to know what the certification covers and what they need to know. If someone chooses a specific certification as a prerequisite for a job just because it is popular, they may not be identifying the right candidate for that job.
[eFM]: This is a point that rarely gets any exposure, almost exclusively when pointing out that HR departments and recruiters have trouble identifying their technical requirements. Do you see a solution?
[PH]: The solution is the Holy Grail for the certification industry. How can you use an exam or some type of measurement to predict performance? I think that standards are important. In Cyber Security, NICE is trying to tackle this solution. They created a standard lexicon, so that at least everyone was able to understand they were talking about the same things. I think every industry kind of settles out eventually, but cyber is moving so fast and is so important that the government is trying to jump start it.
[eFM]: This also ties in with the “saying yes to no college” philosophy. Is college education really becoming this inefficient – costly and not providing opportunities?
[PH]: College for the sake of a degree is really not worth the paper. It really is the same question as using certification to predict performance. If a student goes to college to receive a universal education and really tries to learn to learn, then whether it is a Junior College or Ivy League does not make as much of a difference. Those who have knowledge will always have more opportunities if they seek them. Get as much formal education as you can reasonably afford, but that should not be where anyone stops. Keep seeking knowledge. I think that is where the college philosophy is inefficient. College is not the only source for knowledge, and when you leave, you don’t know everything.
[eFM]: There are already many certifications out there – what do you think will make yours special?
[PH]: CyberSec First Responder (CFR) fits into a gap between existing certifications. There are so many aspects of cybersecurity that you can’t cover all of them in one certification. And many of the certifications on the market today are specific to particular technologies. But, not everyone uses the same technology. CFR is a stepping stone and generalist certification. It is meant to prepare a broader number of people to detect and respond to cyber threats in any environment.
[eFM]: If it’s general in approach, is it also entry-level? How challenging would you say you want the certificate to be? What’s the perfect CFR holder profile?
[PH]: Yes and no. I think that the CFR certification is entry level to Cyber Security and incident response, but it expects that you already know networking. It’s entry level the same way Algebra is entry level to Calculus, but it expects you to know Arithmetic. The perfect CFR candidate would be an IT worker with 2-5 years’ worth of experience who wants to be more effective at identifying and responding to attacks on organizational networks. Data have shown it takes an average of 8 months for a company to detect a cyber breach. Most of those breaches are discovered by people other than the cyber security specialists. CFR is designed to give all IT workers an understanding of cyber security so that they can be prepared to recognize problems more readily. We are hoping that CFR can bring that average detection time down significantly.
[eFM]: We hear many companies are concerned whether the talent pool in IT and cybersecurity fields will be big enough to support growth in the upcoming years. Do you agree with that prediction?
[PH]: We certainly agree that the talent pool isn’t where it needs to be yet. But, that is precisely why we are in the certification business now. All hands on deck.
[eFM]: You state in your summary on LinkedIn: “I believe that which is measured will improve.” Isn’t that a very “cold” approach?
[PH]: I don’t believe in feel good medals and being rewarded for showing up. But that said, is it cold to think that there is nothing that we can’t do? I think human nature is to excel. Channeling that nature to excel personally requires an honest inventory of yourself and then improving those things that you wish to improve. The inventory is nothing more than a measure of where you are. Without the measurement how do you know how you’re doing? It is like a ship without a rudder. How does it get where it wants to go?
[eFM]: How can our readers help with the CFR certification?
[PH]: Take our CFR course and get certified to respond to cyber threats. And, encourage your organization to CyberSAFE certify all end users. The biggest help, however, would be to participate in the process. Certification development requires an incredible amount of subject-matter expertise. Currently, our greatest needs include getting survey responses to validate the exam objectives for the next iteration of CFR and finding subject-matter experts (SMEs) to participate in development workshops.
[eFM]: Thank you for the interview!