A version of this appeared on Infosecurity magazine
The suspension of two CREST exams following an investigation into leaked alleged “coaching” docs highlights the issues with a legacy view of skills development.
First, I want to say that I applaud CREST for updating the tests over the coming three to four weeks to preserve their integrity. As an organization, it has done much to advance knowledge in the cybersecurity space and taking swift action is a sign to the sector that it has earned a reputation for quality.
My problem is not with any specific organization, but rather with how many in our industry view the progression of cyber skills as a box-ticking exercise.
Skills are not narrowly defined steps that unlock the next piece of paper – they are abilities that are continually advanced. To use a potentially corny phrase, it is a journey, not a destination.
The best way to do this is to arm people with the ability to learn, not just teach them how to pass tests. This is done by teaching humans to think for themselves and be creative, while making it okay to challenge accepted wisdom. Giving people the ability to pass exams does none of these things.
I learned a long time ago that the most talented people in our space don’t merely retain information – they thrive when challenged to discover answers themselves.
Providing the spark that sets off a chain reaction builds neural pathways which aid future problem solving, creating a sense of ownership of achievement that encourages further development. This, after all, is what makes attackers successful, and any defending force must learn from its adversary.
Done often enough, muscle memory can be built which helps people think their way out of any problem, not just the narrow few they face in an exam or cyber crisis drill.
By comparison, teaching people to pass exams just gets them a piece of paper. It might increase their appeal to recruiters or drive up their day rate, but it won't necessarily make better cybersecurity professionals.
It is this flawed idea that we set out to address with Immersive Labs. By pushing people to learn in a way they enjoy and mapping this against the advancing threat landscape, they equip themselves with the ability to evolve and stay relevant.
Removing the predetermined “finish line” mentality provided by static certifications is crucial if we want to build strength in depth. As a sector we have to ask ourselves the question: when the heat is on, would we rather have an adaptable talent pool full of original ideas on our side, or one which has a certificate? I know which way I lean.
26 August 2020
Chief Cyber Officer,