CREST cancellations expose a wider problem with perception of cyber skills

A version of this appeared in Infosecurity Magazine.

The suspension of two CREST exams following an investigation into leaked alleged “coaching” docs highlights the issues with a legacy view of skills development.

First, I want to say that I applaud CREST for updating the tests over the coming three to four weeks to preserve their integrity. As an organization, it has done much to advance knowledge in the cybersecurity space and taking swift action is a sign to the sector that it has earned a reputation for quality.

My problem is not with any specific organization, but rather with how many in our industry view the progression of cyber skills as a box-ticking exercise.

Skills are not narrowly defined steps that unlock the next piece of paper – they are abilities that are continually advanced. To use a potentially corny phrase, it is a journey, not a destination.

The best way to do this is to arm people with the ability to learn, not just teach them how to pass tests. This is done by teaching humans to think for themselves and be creative, while making it okay to challenge accepted wisdom. Giving people the ability to pass exams does none of these things.

I learned a long time ago that the most talented people in our space don’t merely retain information – they thrive when challenged to discover answers themselves.

Providing the spark that sets off a chain reaction builds neural pathways which aid future problem solving, creating a sense of ownership of achievement that encourages further development. This, after all, is what makes attackers successful, and any defending force must learn from its adversary.

Done often enough, muscle memory can be built which helps people think their way out of any problem, not just the narrow few they face in an exam or cyber crisis drill.

By comparison, teaching people to pass exams just gets them a piece of paper. It might increase their appeal to recruiters or drive up their day rate, but it won't necessarily make better cybersecurity professionals.

It is this flawed idea that we set out to address with Immersive Labs. By pushing people to learn in a way they enjoy and mapping this against the advancing threat landscape, we help them equip themselves with the ability to evolve and stay relevant.

Removing the predetermined “finish line” mentality provided by static certifications is crucial if we want to build strength in depth. As a sector we have to ask ourselves the question: when the heat is on, would we rather have an adaptable talent pool full of original ideas on our side, or one which has a certificate? I know which way I lean.

Published: 26 August 2020

Max Vetter, Chief Cyber Officer, Immersive Labs
