Ladies and Gentlemen, thank you for taking the time to read this series, ‘Why is the norm acceptable within technical fields?’ Throughout this series my objective is to question the status quo, challenging the norms of technical certifications, industry affiliations and degree programs while attempting to communicate opposing perspectives. If you have thoughts, specific points of view or feedback you would like to share with me, please feel free to chime in. All perspectives are welcome.
In today’s business culture, a growing number of people believe there are logical steps necessary to develop a core comprehension of technical ability within the Information Technology, Cyber Security, Data Protection or Privacy fields. Why is a degree relevant? Is a technical certification necessary? What about organizational affiliations? Should you join, attend conferences, volunteer to present your perspective on the latest buzz? Does any of this link directly back to your position? Is any of it actionable?
How do the bad guys prepare themselves to penetrate systems and exfiltrate the crown jewels? Do you think they are expected to embark on the same traditional learning journey as our business culture? If they don’t, should they not be considered capable of stealing our most sensitive data? Or, when it comes to the best ways to use, or misuse, encrypted traffic, are the bad guys better trained than we are?
Why obtain a Computer Science degree? An argument could be made that a degree never actually expires. Each person holding this degree is likely to be considered more credible, even years after they graduate and the core of what was learned has gone stale. Degrees are usually not skill-specific; instead they focus on the broader ‘why’, ‘what’ and non-technical ‘how’. For example: Why do I need an IT strategy? What is Infrastructure, Security, Applications, Networking or Architecture? What is a PKI or a trust store?
When we look at staffing requirements, what are their respective responsibilities, expectations, and success paths? How do they support each other to benefit the company as a whole? Why are undergraduate-level degrees an essential requirement for management-level positions? Why do employers require an advanced degree such as an MBA, in addition to the bachelor’s degree, for these roles? Do you think people with this level of education perform better, are better technical professionals or increase company profitability from their educational merits alone? Degrees do not require continuing education courses to be maintained. Employers may pay a portion of the student debt you took on to earn the degree, but normally not the entire cost.
What about potential employers that value certifications over degrees? Is this perspective beneficial or harmful? I have heard people suggest that certifications are validation that a person understands and can demonstrate a common skill. Certifications are usually vendor-specific. A few examples include, but are not limited to, ISC, ISACA, ISSA, IAPP, Cisco, Citrix, Microsoft, Red Hat, AWS, ITIL, PMP, VMware…and the list goes on and on. These certifications focus on a specific skill, are less time consuming to obtain than a degree and are much less expensive. Certifications are usually funded by an employer for a specific purpose. They also come with required continuing education to maintain your qualifications each year. These courses can be costly and are one of many budget items that are scrutinized on an annual basis.
What about the bad guys? I am talking about hackers, malicious insiders or anyone wishing to exploit weaknesses and monetize the information obtained for profit. Wait, are all hackers bad guys? What about ‘Ethical Hackers’? Isn’t that some sort of a contradiction? Are these the virtual superheroes and villains of our time? What type of training or education does one need to become a superhero or villain? Most professional hackers have at least some basic computer skills, with the ability to edit the registry and set their own network parameters. They have some networking ability and probably understand the functioning of DHCP, subnetting, IPv6, DNS, routers, switches, VLANs, the OSI model and MAC addressing. These individuals have advanced knowledge of the Linux operating system and can use Wireshark for network troubleshooting and protocol analysis. Topics like virtualization, databases and security concepts are second nature. Hackers have some degree of scripting ability and are able to use web applications to their advantage, sometimes establishing their own website for the purpose of phishing. Except for a couple of the areas outlined above, there isn’t a degree that would teach you those specific skills. There is an Ethical Hacker certification that covers several of these areas, but it isn’t all-inclusive either.
Why aren’t companies seeking out and hiring these individuals to perform penetration testing, strengthen network security, harden infrastructure or support data governance activities? Could it be that these folks don’t have the degrees or the appropriate certifications to be successful in a corporate environment? Could they become a corporate intelligence asset by navigating the dark web in search of potential cyberattacks, then working with the appropriate personnel within the company to manage each risk appropriately and prevent negative impacts from occurring?
How much is your data worth? Do you know how to classify it? What about your data handling procedures? Does your company analyze the privacy impact of data movement or changes to system architecture? What does Privacy mean within your organization? How do you manage these types of risks? In the next post, we will break these concepts down and debate the rationale behind each one.