Security is complex and ever-changing. It takes months and even years to gain understanding, experience and context. Certifications are an easy shorthand that collapses large bodies of knowledge and testing into simple acronyms that are understood by non-security practitioners. But the reality is that most security certifications show that the person can study and take a test. At best, they understand the basic concepts. But can they translate that to your unique environment and context? I’m not saying that certifications are bad or that they mean the person who holds them is just book smart. I am saying that it’s important to consider other factors when selecting an information security professional to work with you.
I know this has happened to me a time or two. An expert comes in to advise my organization on some security matter or another. He consumes the first twenty minutes of every meeting describing in painful, mind-blinding detail the significance of each acronym. And we’re all wondering the same thing. When is he going to shut up so we can get down to the real work?
We finally get to the agenda, and expectations are high. We’re ready for Dr. Security Superstar to solve all of our problems. We’re ready to hear his innovative, cost-effective, practical and doable plans for how we can get more secure, find and fix the vulnerabilities and pass those audits. But instead, he begins a lesson on how we need to re-architect our entire environment, apply 10X the resources we have and a host of other pie-in-the-sky suggestions that are completely out of the realm of possibility for our lean, overworked organization. Disappointment sets in – the textbook isn’t going to work here. But I know what to do. There are people who can help!
Bring me the guy who has done this before. The one from the trenches who has the battle scars from working through an audit without unlimited resources and funding. The one who will get creative and find a way to get the job done within the constraints of my reality. Bring me the guy who has managed a team of 3 people who were responsible for the 24 x 7 security at a mid-sized bank. I want to talk to someone who has experienced my reality and has solutions that can actually work.
Whether the background comes from a book and certifications or from experience, the true key to an excellent security practitioner is someone who can take that background, build on it with the ever-changing knowledge of the industry, and integrate it with the unique and ever-changing context of the organization they are protecting.
I bet you have an opinion on this. I want to hear it. Have you achieved better results working with highly certified security professionals or those with real-world practical experience? Where do you find these experienced, nimble security practitioners?