Don’t Make Me Have to Write the D Word

Those of you that know me – will hopefully agree that I don’t get angry.  Well not often anyway.  I sometimes get annoyed, often confused but – like most parents – my worst feeling is that of disappointment.

Caveat:  My kids don’t disappoint me (quite the opposite!).

It doesn’t happen very often – but if I ever write ‘Disappointed’ on the whiteboard my students know that they have not hit the mark.

There have been a couple of posts I have read recently on LinkedIn – where I have been left a little disappointed.

I rarely bother adding comments to posts that irk me as I don’t want to be seen as ‘that guy’ but just recently a couple got me thinking.

The first one was a whole debate over the fact that employers are looking for experience over certification when hiring new employees in the World of Cybersecurity.  It has been the age-old debate about what constitutes ‘experience’.

The author was very vocal in his opinion that certifications and education counted for very little and experience was all that he looked for when hiring new staff. A few comments left were not supportive of this opinion but several agreed with him.

Back when I was a lad and relatively new to the World of IT Infrastructure – somebody magically came up with the fact that you needed 2 years of experience to make you stand out for a job in IT.  Which left millions of newcomers adrift. 

The reality is that you don’t need 2 years of experience – you just need to know what you are doing.  Which could take anything between 5 minutes and 5 decades to learn.

Training puts the foundations in place and gives you the confidence to be competent in a given situation – it doesn’t prepare you for every situation as nothing does that – and this includes operational experience.  You make it up as you go along based on your previous experience and training.

When I was in the military – this was exactly how life unfolded.  Great training gives you confidence to use the equipment, deal with likely situations, manage risk and work as a team.  Other skills you had to learn included people management, communications and reporting.

And when the poo hits the fan (which it invariably always does) you meet a new experience which means you have to rely on your training and previous experiences to deal with it.  But good training is essential.

If you are trained and gain certification – in most cases this gives proof to an employer that you understand the knowledge and skills required to perform the usual duties of someone employed in that sector.  You might not have the experience of doing it for real (which generally means you have learned how to cope with people and know the short-cuts) but you have the basics which can be built upon.

But what else can you bring to the party?

Everybody comes with a whole host of transferable skills.  Working with people, communication skills, trustworthiness, sense of humour and ambition etc.  These are the people that I want to work with.  If they come into the team with a good set of credentials – even better.

And the reality is that in Cybersecurity – those are also essential skills that are required.  You generally don’t get good at these from a book.

I have recently completed a whole range of ‘soft skills’ training on LinkedIn Learning (which I highly recommend).  In particular (and I have no affiliation with them) – courses by Dr Gemma Leigh Roberts on emotional intelligence & wellbeing and Chris Croft on project management.  These people are experts in their fields and not only present the theory of their subjects but then get you to do something with them and get some practical experience at the same time.

You can read lots of books that train you – but you need to put it into practice to get good at it.  Reading the book first helps a lot.

Good training courses should have some form of practical element to cement the understanding of knowledge with skills.

The post suggested that experience in the field was essential and that certifications didn’t really count for much. I was disappointed that somebody actually thought this was the case. In my opinion it has to be a combination of aptitude and attitude that hits the mark.

Another post on LinkedIn – which really did get Phil’s disappointed face – was when some ‘expert’ stated that ‘Cybersecurity’ was quite simply ‘IT Security’.  I think it both disappointed me and made me sad to think that there are people out there that believe this and would look at this statement and agree with it.

I cannot disagree strongly enough with this statement.  IT or Infrastructure Security is a fundamental component of cybersecurity, that is true – but Cybersecurity is so much more.

Cybersecurity professionals need to understand things like network and endpoint protection systems but also need to understand the underpinning governance, risk and compliance that is in place.

They need to understand the businesses that they work for and the direction of travel. 

They need to understand the people that work for the business and their requirements to do a good job. 

They need to understand how to communicate at all levels of business. 

They need to understand contracts and SLAs. 

They need to be able to write reports and respond to requests. 

They need to be able to analyse data and make sense of it. 

They need to understand what Cyber risk is and how to manage it.

They need to understand what data protection and information security are all about.

They need to stay current with technology, world events, changes to the business and the cyber threat picture.

It is simply not just IT Security!

A lot of the above attributes can be gained from good training and certification.  Coupled with that – the vast majority of it comes from previous experience in other lines of business or walks of life and someone’s natural abilities.  Let’s call them ‘Transferable skills’.

In my opinion, when employers are looking to recruit the right person into a cyber role – training and experience do go hand in hand.  But the experience doesn’t necessarily have to be in the security sector as plenty of great people can adapt their skills to meet the security needs of the business.

And Cybersecurity is simply not just an IT thing. It’s a people thing!

Don’t disappoint and prosper!