Cyber Security - The Learning & Knowledge validation needs a new way

Author- Arindam Bhattacharya

When technology is changing fast, it's imperative that we need to be at per with the knowledge that technology brings in. However, as we are moving forward, it's validation of knowledge getting more important than the practical know how's. This is moving in a way that technology is adopted just because of certifications but emphasizing on insights are getting lesser or almost missing. Except research professionals or some enthusiast, this trend is falling. 

Industry professionals diverting their full attention towards gathering certifications as much, because this is becoming an industry norm and the need for a start. Till date initial shortlistings done just through how many different skills that one has mentioned, how many certifications, trainings, participations obtained etc. which are the major criteria set for a purpose but out of all these, platforms have some invisible issues.

Taking the "skill" as an example - A company is looking for auditors and they have mentioned ISMS as one of their expected skill but the candidate mentioned ISO27001, so actually candidate missed one skill. Not sure, if this is a platform issue that some correlation is not done or resumes are not parsed properly. 

Because for a recruiter, they will go by the exact matching of keywords and that that keyword missing means "skill" is not there and there is possibilities that a deserving candidate might missing a chance. This looks a bit strange! and gives an hint that there is scope for standardization of such platforms. 

What we need here is a proper mapping of skills or some representation like how many different way a skill can be referred. For example, if a skill required is Threat Hunter but candidate mentions Threat Intelligence, there is a match because Threat hunting if automated is a Threat intelligence offered by a tool and all included. Like wise there may be several.other skills. 

Secondly, the benchmark on selection criteria as they are important towards skills but certifications, training and mappings with the skills is also another criteria. 

So, candidates also need to make sure desired  certifications to meet such expectations. This is good and the need for an employer but there is an issue here as well. 

Such needs become an "opportunity" for others to certify interested candidates which are not free from malpractices. Altogether, it's creating a huge mess while certificates alone are sold through proxy exams, spending average 25-70 K INR. 

The author has personal experience from some person/group to offer him CISSP certification in exchange of the entire course & exam fees and need not attend for the exam. If this is happening with one person, means happening with many others - few shares it and few never and take the advantage of.  Then, how certifications can be a valid source of knowledge validation? 

But is there a better way? Let's explore: 

1. More than a certifications, experience to be given more importance and personal interviews are the right way to do that.

2. Professionals need to develop their profiles by contributing their practical learnings, experience, POVs, insights through articles, papers, journals etc. and can highlight such resources in Resume so that interviewer can go through in advance before the interview.

3. There also can be a forum/ platforms (other than job sites) built to support the need of employer's with collected digital footprints about a specific candidate. Currently such platforms are available but they are not clearly addressing the need of the employers as they look for it. 

4. Professional social media platforms can play a big role to restructure their content publishing strategies and bringing in some point based systems against a trained model that will automatically validate the calibre of a piece of content. Users need to be encouraged to contribute more and such platforms can act as a "Knowledge observatory". 

These are only few suggestions and may not be the end but there could be better ways to solve these issues. 

In cyber security, there is an increasing skill gap and this gap is even after recruiting top certified engineers and this indicates there is a problem at the source itself. Even there are certifications awared as "expert" while expertise can be built only through practice and without experience where is the question of expertise? 

So, these are the fundamental errors that learning and certification industry is ignoring. Candidates blindly go after such certifications after spending good amount of money but  intern they merely produce much result.

There need to have change in the overall course and content design that needs to be closer to real-time requirements. More than skill ready, it needs to be job ready (where skill is an integral part always and applied skills are the need for the job) and that is where we are missing something. Skills by someway can be learnt on the job.and perhaps there is no better way to learn on the job.

For example - There are certifications like SOC expert but what they don't teach is how to handle the SOC engineering or analyst role in a realtime job profile. Threat vectors are getting multi dimensional and constantly changing their behaviours where a lot of understanding is required towards where to start, what to do, how to spot and handle risk. If any of these are missing, no certifications or training can help. These may not be a skill but a knowledge that will enable skills at a later point on the job. 

As there is more technology or tools, there is more options - expertise cannot be built overnight since maturity of new technologies going to take time best practices will be known after a specific period of use. In the current state, everyone is learning but -matter that helps is fundamental understanding with experience. Experience.would enable faster learning and simplification.

We need topics for discussions but not quizzing instead. Knowledge validation to be scenario based, joint explorations, chatting and check what's an aspirant's thought process - that may also help in knowledge validation process. 

Bringing another scenario here is cloud platforms. There are 3 major cloud platforms and ample of services that they offer and each services has different names. If we horizontally scale such services, Network, host, storage security, application, data etc., each provider have given certain names to their services while the service domain is the same.  

When moving to multicloud, it gets very difficult to memorize which service names represent what. So, the Learning experience is not so great. Then comes MCQ and spot them by name. It's stressful😊

While a generic name can help easily helping the learners to identify the services easily but here I beleive majority is stuck and it is practical that once you learn one platform and go to another platform, soon you forget the first platform service names including the concepts associated because there also many sub references of names. 

A person having experience in IT infrastructure, must not take that much time to understand cloud technology. Somewhere we are encountering presentation issues. In place of naming the services, keeping it 'as is" by the service name itself. 

For example, a SIEM, SOAR or a Logging service  can be just referred as their generic names ( as they are known) which would be the same in all cloud. But yes, there may be slight difference in architecture or about a new method specific to a cloud provider that one can understand at the very begining. 

Learners would be the future marketers then if marketers is not clear on technology, how they can market it well. It's required for the better business and spread.of technology. 

Coming back to the learning simplification, the Training and certifications agencies may design their courses, contents, certifications in a way that it makes professional's life easy with simplification so that all understands technology faster and start delivering faster in their job.

New initiatives like story telling FMs can be used to convey tech usefulness just through conversation / stories, so people can grasp faster. Technologists can be invited on such channels and let's chat begins with fundamental  know how's through its  application and methodologies..

Finally, there need to be a paradigm shift on how we really evaluate others on their quality, talent etc in this fast changing technology. Once learners acquire knowledge in new and innovative ways offered by the L& D industry, then such will build confidence in a way so that learners will able to understand and handle any technology builds over the core and that should be the real purpose of knowledge. 


Comments

Post a Comment

Popular posts from this blog

Secure Key Management- An important risk carrier

Author : Arindam Bhattacharya Password and key management are the 2 most important element of data security. As businesses have gained more reliance on data, the data stakeholders along with other application agents, both are slowly developing extended risks. While password weakness can impact the entire business services, weak key management can push towards major data breaches. As of now both are going by the standard technology and processes but there are unknown factors that may cause secure status to marginal.  While data stakeholders are nothing but the business and application users, residents are the application agents (please read as module responsible for authentication and authorization) those are native or integrated with the application. These residents can bring unprecedented risks by the way they are developed or integrated.  Keylogging can happen anywhere - especially in a software driven ecosystem  and it's becoming an open secret. As a user, one may deve...
Read more

BPRFPC: An abstracted Architectural model for an End to end view

Author: Arindam Bhattacharya Good and flexible architecture models are yet to exist while there are several good initiatives on developing some guiding principles to assist the community on Architectural best practices.  However, this article is yet another attempt to simplify the architeutal ingradients at very high level so exploring in depth could be possible with the acquired knowledge.  Architecture is a foundation for any technical know how's and a model is the engine of that foundation that orchestrates everything together. Below are the general components of the proposed model. 1. Business - Keeping business out, no architecture could be meaningful. Business is where the Strategies & Needs are defined and everything else needs to align with the Business. So, business is always the "WHO" context. 2. Product - The purpose of the Business is revenue through a Product. The product may constitute anything which is presented to the clients, even a service, or an app...
Read more

Detection and Response of APTs became an ultimate goal of Cyber Security and security services can't ignore this fact anymore

Author- Arindam Bhattacharya When cyber security compromises taken place, it has already passed through multiple defense layers to attain the final goal of persistence those are very hard to detect because of the family of compromises involved, no independent traffic but a carrier in others service entities. The time such activities detected (appearing  false positives or true positive?) that means the multi layer kill chain compromise already took place prior but the silo incidents are overlooked that intern gave a room for an unknown security breach for longer with no clues. When a network operation is of sensitive nature and that "unknown factor" indicates there is an issue in multiple dimension - Capability, Hygiene and Maturity etc.  Detection challenges are more in "on premise" than Cloud that has an offer for stricter policies & controls but compliance "in the cloud" sometimes remains a challenge due to absence of full stride solutions - meaning...
Read more