CREST cancellations expose a wider problem with perception of cyber skills
A version of this appeared on Infosecurity magazine The suspension of two CREST exams following an investigation into leaked alleged “coaching” docs highlights the issues with a legacy view of skills development. First, I want to say that I applaud CREST for updating the tests over the coming three to four weeks to preserve their…
A version of this appeared on Infosecurity magazine
The suspension of two CREST exams following an investigation into leaked alleged “coaching” docs highlights the issues with a legacy view of skills development.
First, I want to say that I applaud CREST for updating the tests over the coming three to four weeks to preserve their integrity. As an organization, it has done much to advance knowledge in the cybersecurity space and taking swift action is a sign to the sector that it has earned a reputation for quality.
My problem is not with any specific organization, rather with how many in our industry view the progression of cyber skills as a box-ticking exercise.
Skills are not narrowly defined steps that unlock the next piece of paper – they are abilities that are continually advanced. To use a potentially corny phrase, it is a journey, not a destination.
The best way to do this is to arm people with the ability to learn, not just teach them how to pass tests. This is done by teaching humans to think for themselves and be creative, while making it okay to challenge accepted wisdom. Giving people the ability to pass exams does none of these things.
I learned a long time ago that the most talented people in our space don’t merely retain information – they thrive when challenged to discover answers themselves.
Providing the spark that sets off a chain reaction builds neural pathways which aid future problem solving, creating a sense of ownership of achievement that encourages further development. This, after all, is what makes attackers successful; and any defending force must learn from their adversary.
Done often enough, muscle memory can be built which helps people think their way out of any problem, not just the narrow few they face in an exam or cyber crisis drill.
By comparison, teaching people to pass exams just gets them a piece of paper. It might increase their appeal to recruiters or drive up their day rate, but it won't necessarily make better cybersecurity professionals.
It is this flawed idea that we set out to address with Immersive Labs. By pushing people to learn in a way they enjoy and mapping this against the advancing threat landscape, they equip themselves with the ability to evolve and stay relevant.
Removing the predetermined “finish line” mentality provided by static certifications is crucial if we want to build strength in depth. As a sector we have to ask ourselves the question: when the heat is on, would we rather have an adaptable talent pool full of original ideas on our side, or one which has a certificate? I know which way I lean.
26 August 2020
Chief Cyber Officer,
Latest Blog posts
Patch Newsday: 14 September 2021 – Lousy Browsers and Arsey RCEs
15 September 2021
Analyzing the CVE-2021-40444 exploit
13 September 2021
Take the power back: Tool-up against a notorious global threat group with our new FIN7 series
13 September 2021
Episode 44: Rotten Apple or Privacy Nuts?
2 September 2021
Patch Newsday 10 August: Ironic exploitation and the spectre of PrintNightmare
10 August 2021
Kaseya supply chain attack: Prepare to respond with the Cyber Crisis Simulator
27 July 2021