IBM’s cybersecurity division has hired nearly 2,000 professionals to its security team since 2015. Leaders recognize that the skills needed to succeed don't always come in the form of a traditional degree, but “the sheer volume of new certifications being created does pose challenges,” says Diana Kelley, global executive security adviser.
It’s a growing problem for many employers. Increasingly, hiring companies must sift through resumes that tout cybersecurity-related degrees, certificates, industry certifications, apprenticeship credentials, digital badges, micro master’s degrees, nanodegrees and other credentials – trying to determine what a candidate really knows and how those credentials fit together.
The influx of credentials is causing plenty of confusion for students, employers, policymakers and for the certifying organizations themselves, says Holly Zanville, senior adviser for credentialing and workforce development Lumina Foundation, a private group focused on increasing success in U.S. higher education.
“It used to be that most of these [credentials] would be awarded by colleges and universities, but not anymore,” Zanville says. “Now it’s industry and professional organizations and third-party groups. “This is making many [people] question the quality of them and, for sure, question what are the meanings of these various credentials.”
It’s also eroding trust in the credentialing industry, says Evelyn Ganzglass, co-director of Connecting Credentials, a collaboration of more than 100 national organizations to make credentials and badges easier to understand, use and interconnect. “There’s a lack of shared understanding of what quality is among the stakeholders, or really trusting that if someone has the certification, how do I know if the person really has that knowledge?” Ganzglass says.
Several credentialing initiatives are in the works to make cybersecurity credentials easier to understand and classify according to their value.
The Corporation for a Skilled Workforce and the Lumina Foundation launched a national campaign in 2015 to create equitable and fair credentialing models.
“All credentials are based on learning outcomes – but many credentials are not transparent about what those outcomes are,” Ganzglass says. Many credentials are not “portable and transferable” from education to the workforce, she says. “There are lots of dead-ends in the system that we currently have.”
Evelyn Ganzglass, co-director of Connecting Credentials
A cross-section of employers, industry groups, institutions, certification providers, quality assurance professionals and tech entrepreneurs collaborated to develop a seven-point action plan for a more transparent credentialing system. Among the points, the group wants to create a common language based on competencies and to pursue public policy that builds pathways to more advanced careers.
This spring the group also completed beta testing of its credentials framework, an analytics tool that connects the dots among diverse credentials using common language to describe what recipients of each credential should know and be able to do. Competencies are broken into knowledge and skills, and then structured into eight levels based on depth, breadth and complexity of learning, rather than subject matter. The framework user can then establish a profile of levels of knowledge and skills associated with a given credential. The Geospatial Foundation, for instance, used the framework in field testing to reconcile 40 competency groups, representing 4,400 competencies, and created a simpler way to determine credential levels, Ganzglass says.
NICE cybersecurity workforce framework
The credential framework complements another new framework -- the national cybersecurity workforce framework developed by the National Initiative for Cybersecurity Education and the Department of Homeland Security. It provides government, academia, employers, training providers and policy makers with a blueprint to organize and describe security work.
The framework draft outlines seven categories of cyber work and provides a common way of thinking about cybersecurity jobs. It further breaks down those categories into 33 specialty areas that often translate into certifications. The framework also recently added 52 work roles, “a more detailed grouping of cyber-related work, which includes knowledge skills and abilities,” says Rodney Petersen, NICE director.
The non-profit Credential Engine is beta-testing its open licensed credential registry, which already has nearly 100 credentialing organizations posting to the site.
The registry allows credentialing organizations to submit their own qualifications. The linked data contains 30 descriptors, including quality assurance, competencies, ownership, cost and value. It also uses a common language for credential descriptions to make them more comparable.
The credential’s descriptors are then ranked according to the depth and breadth of information they provide. No judging "board" or vetting organization evaluates the credentialing organization.
“Some credential entities will not be able to fill out all the cells, such as quality assurance indicators” like endorsements from accredited universities, and will rank lower, Zanville says. But those with solid recommendations, QA, and outcomes will rank higher, she adds.
A third component of the Credential Engine plan will promote an open applications marketplace where developers can build credential apps where students or employers can find and rate credentials themselves based on their own specifications.
All of these plans will take months, or longer, before they’re rolled out for general use. “I think it’s a long-term strategy, and I’m not sure we’re ever going to be totally finished because things keep moving,” Ganzglass says. “Cyber is changing quickly, so we have to figure out how to make this happen in a dynamic, rapid way.”
For now, hiring managers need to look at these certifications with a critical eye, such as whether they come from a trusted and accredited institution, Kelley says. But that’s only one part of the equation, she adds. “Even people with a lot of letters after their names may not always have the practical experience, desire to keep learning, and critical thinking skills to excel in cybersecurity.”