A (10:50)

Kim is always a pleasure.

B (10:52)

That's the lie, but I appreciate it. On today's episode, I'm excited to welcome Simone Petrella to the conversation. Simone is an industry leader who has been working for the better part of a decade to solve the skills gap issues we see across the cybersecurity workforce. Today's conversation revolves around a somewhat controversial topic in cybersecurity do certifications matter? You know, you and I clearly have known each other for a little bit now, but I don't think my audience knows who you are or understands your background. So let's take a few minutes and let them know who Simone is. Talk to me.

A (11:27)

Yeah, sure. So I have been in cybersecurity for the last 20 years, you know, DoD background and then private sector over the last decade or so, and I'd say most notably to this conversation, have spent the last 10 years of my life really in the cybersecurity workforce space, looking at the people and the process challenges that we have in making sure that our nation, our organizations, our companies, have the right skills and talent. They need to actually address our cybersecurity challenges.

B (12:07)

Fantastic. It's funny, you and I, I think, crossed paths the first time over a decade ago in my backyard in Scottsdale, having this same conversation at once, similar fashion.

A (12:21)

I know, I know. It's like both. It's both warming and yet infuriating.

B (12:28)

Yes, both descriptors are absolutely correct. So wanna deep dive a little bit on certifications? And I'm going to start with the basic question that forms the title of this episode. Do Certifications Matter? Yes. No. And why or why not?

A (12:47)

Yeah. Well, I think that, you know, the best analogy I can say is they matter in the sense that if you want a passport to go to another country, you need one, but it's not going to be the plane ticket to get you there. I don't think they guarantee you. They certainly don't guarantee you the job. But they do open the doors. And for those reasons, I will always say that certifications have value. But that being said, I cannot make that statement without acknowledging the kind of dichotomy that we have in the industry right now in the profession where we have people who are going out and they're spending time and money and resources to earn these credentials. And it might open a few doors, but it's certainly not getting them through the door or at least enough into the door so that they can actually get that job at the end. So we have some major issues. I think that we can kind of chat about it, but I don't think I'm willing to throw the utility of certifications, like, totally out the window.

B (13:48)

Okay, so let's begin to dig. I love the passport versus plane ticket analogy. They open the door, but won't necessarily get you there or get you the gig. You know, that seems to indicate a limited value associated with the cert. Why is it that certifications are considered door openers?

A (14:12)

I think, and I'm curious if you have different thoughts on this. I think they're considered door openers because of some of the intangibles that they represent to hiring managers for the job, such as it indicates you've spent time and energy to focus on the fundamentals and foundations of the field. So you have some baseline level of knowledge coming in. You've put in the work, you have shown enough ambition and diligence that you have gone through the exercise of not only studying for it, but sitting for it and taking it. I think those are all qualities that we value in the profession. Very rarely, with some exception, there are some credentials that will say you're working on a certain tool or a certain system and we want someone who is credentialed or certified on this thing. But that's not the majority of cybersecurity jobs and what they're looking for in those credentials. So I kind of put them more in the like. It tells us that you're kind of like in the ballpark, but it's, you know, like you're qualified to get on this flight, but it's not. This doesn't put you at the boarding gate, I guess, you know, like to keep my analogy going.

B (15:19)

Yeah, we're going to play with that for the next hour or so. You know that. But I think I said something, you know, in the opening. Like There are like 450 different certifications out there. And I guess my concern is when you talk about certifications, I get a sense that you're referring to maybe what I would call the professional Certs that are out there and I'll pick on the CISP and the CISM and the CISA and the list goes on of those professional Certs that require a certain level of experience within the field before you can even begin to sit for them. So, and I told this story at the beginning of the episode where, okay, my original CISSP number is four digits long. I then went into consulting and I remember it was a 400 question exam. I studied for it for months. I left there and my brain hurt and I had no idea as to whether I would pass or not. Cut to three years later, I was short cpes because I was on the road consulting constantly. So I'm going to lose my cissp. So I need to, if I want to maintain it, I need to reset the examination. I literally grabbed the reference book and power skimmed it on the plane ride back from Portland, Oregon to the east coast where I was living. Walked in 250 question exam, same number of hours. I left out after about an hour and a Half two hours and passed it easily. I said, oh, yeah, this is cake, and walked in. So a lot of the criticisms that these professional certs get is, as they have become more important passports. To continue your analogy, there's a question as to whether or not the certifying bodies have made it easier to jump through that wicket gate to get it. I mean, yes, I had three more years of experience, but that was a damnably different. I wasn't coming in on experience when I took it the first time. It was a shorter exam. I felt it was easier. And I don't think it's because I had three more years experience, as opposed to the 13 that I had when I sat the exam was really making that difference. So I'm wondering if the utility of utilizing these certs as an entry doorway has created a business of certification that is weakening the original intent of the exam.

A (18:16)

When I first founded Cyber Vista, which we had focused on training and cybersecurity certifications, and we had a period of time where we were really focused on the certification bodies, the professional memberships, and therefore those exams. So think Security plus, think cissp, think anything that kind of falls into that broadcast professional certification category. And the example I want to give you is we had, and I had brought on a Chief Product Officer, which in our world was more like, you know, learning and training. Like, this is the person who knows how to train and pass exams. His background was in finance and had been in education and training for the entirety of his career. And he took, you know, a book and a bunch of research materials. Zero experience in cyber zero. And I think it took him about a month and he passed the cissp.

B (19:14)

You can't see my head hitting the desk, but my head has hit the desk.

A (19:20)

And, you know, and this is someone who, you know, knows there is a science to creating an exam that tests someone's knowledge. And so if you know that science, I'll give him the. You can kind of hack the. The psychometrics behind that and kind of give yourself an edge. But.

B (19:38)

And conversely, you know, on the same boat, I know great technologists and great cyber people who genuinely suck at test taking. I have a use case of someone who I would trust my network with, you know, in a heartbeat, has failed the CSP three times running because they suck at exam taking.

A (19:59)

And one of the things that always struck me is, you know, I started my career in the dod, I ended up in cybersecurity not too many years into that Department of Defense experience. And so when I was first exposed to CSP and Security. Plus, I did not. I knew the exams, I knew the content of them. I knew, like, where they went. I actually did not have a strong sense of the professional associations that ran them. And one of the most illuminating things for me personally, when I kind of came out the other side, because you asked the question, like, has this become essentially a business? And I was dumbfounded by like the cottage industry that is, you know, you have an exam that's supposed to be a professional barrier in some ways, right. And then.

B (20:52)

Or wicked gate.

A (20:52)

So yeah, you can call it something that's maybe a little less, you know, defensive in nature, but then the same organization that issues it is the one that is also offering you the course materials in order to prepare for it. And I look at any other professional body, like, pick an industry.

B (21:15)

Well, let's pick. Well, let's pick yours because one of the things you glossed over is that you are an attorney by training.

A (21:21)

I don't like to tell people that because then people don't like me anymore.

B (21:25)

Well, that's okay. You know, I don't like most attorneys and I have several in my family. Barring them and you, it's a small circle, but you're in the circle, so keep going.

A (21:33)

Okay, well, all right, then we'll keep this analogy going. So, yeah, think about, you know, a law practitioner, a lawyer. The bar exam is created, maintained, and run by a completely separate body that is separate from the bar association. It is separate from the anyone that you might pay as a third party to actually help you cram, to take that, you know, behemoth of a test. And so there is a true firewall between the interests. Meaning like how like that organization and that nonprofit makes money on the exam is different than the dues that you have to pay that state, state's bar to be an attorney. But in cybersecurity, the lines are completely blurred. And this is not. I, I'm going to point fingers at everyone because I don't think it's anyone's fault and it's everyone's fault at the same time. We've misaligned the incentives and this, this profession has grown. I mean, we're still kind of in our like pre teen years, if you think about how long it takes for professions to mature. And you know, we have like these exams, but then the very exam is actually also the same body that's making money off of you being a member, you getting this certification, you maintaining the certification, and then all the other components that are going to allow them to make money at the same time. Like It's a really confusing patchwork of a system.

B (23:07)

Foreign. Have you ever imagined how you'd redesign and secure your network infrastructure if you could start from scratch? What if you could build the hardware, firmware and software with a vision of frictionless integration, resilience and scalability? What if you could turn complexity into simplicity? Forget about constant patching, streamline the number of vendors you use, reduce those ever expanding costs and instead spend your time focusing on helping your business and customers thrive. Meet Meter, the company building full stack zero trust networks from the ground up, with security at the core, at the edge, and everywhere in between. Meter designs, deploys and manages everything an enterprise needs for fast, reliable and secure connectivity. They eliminate the hidden costs and maintenance burdens, patching risks and reduce the inefficiencies of traditional infrastructure. From wired, wireless and cellular to routing, switching, firewalls, DNS security and vpn. Every layer is integrated, segmented and continuously protected through a single unified platform. And because Meter provides networking as a service, enterprises avoid heavy capital expenses and unpredictable upgrade cycles. Meter even buys back your old infrastructure to make switching that much easier. Go to meter.com CISOP today to learn more about the future of secure networking and book your demo. That's M e t e r.com CISOP. So let's go back then to where we started. Given that patchwork, is it still appropriate for this to be the wicket gate? Because I now have individuals who, if I'm good at passing an exam and can afford to take the examination, are qualified to be me. And is that really what we want? Whether we and we've had the trade versus profession conversation back a couple episodes ago, but is that really what we want as a barrier or a wicked gate to entry within the environment? One of my previous guests had talked about, you know, do you really want the junior individual to do your heart surgery and protect your best assets? Well, at least that junior individual has gone through med school. Whereas in this case the wicked gate is, you know, again, I can take a good exam. Is is that really appropriate within the environment?

A (26:09)

You know, what I will say is I think one of the reasons that we have seen in the last four years a push not as big as a push, as I think either you or I would like, in the direction of skills based hiring has started to at least gain a little bit of traction is for this very reason, being able to rely on on a credential alone can't be indicative of someone's true competence to perform the job and that's not the fault of. Actually, I don't think it's a fault of any of the associations that have kind of created these exams, by the way.

B (26:59)

Yeah.

A (26:59)

I think a huge part of the problem lays on. We have now an industry that. That, like, loves putting labels on things and creates these jobs that don't match the packaging for the labels that they've created. You know, and so we. We kind of have fallen on this, like, lazy. Like, we need someone with a CISSP for this role. And it's like, okay, well, they're doing governance, risk and compliance as the job role. Let's say, for an example, GRC is absolutely a component of the cissp. You know, what else is like six other areas that have nothing to do with anyone that does cryptography and other things?

B (27:40)

Yeah.

A (27:41)

Physical security. I mean, you know, you kind of name it. And so I think that it's really hard to sort of say we should create this kind of gold standard of what it means to be a cyber professional. And we haven't actually defined what any of those jobs require. You know, and I just want to even say, like, you say you don't want a junior doctor performing surgery, but we have created a medical system where you don't just go to medical school. You have to go through this much of rotations, you have to do this much residency, you have to take these board exams at the end. And so by the time that person is operating on you, they've done more in person, like, surgery hours than you would, you know, I don't think that you would feel uncomfortable. And by the way, someone's always got to start somewhere. Like, baby attorneys come out and they've passed the bar exam and they can get there. It doesn't mean that they're, you know, they haven't had thousands of hours in a courtroom.

B (28:39)

Yeah, fair enough. Fair enough. And I like what you're saying about labels. I would be more critical. I genuinely think the industry and the profession have gotten lazy because. And it's. Leasing is born of two things. It's one, most of us came up hardscrabble. Now we're trying to put order out of that chaos to say, what are the paths that we want? Everyone is trying to duplicate the path they're familiar with while we're still playing whack a mole with the bad guys.

A (29:10)

Right. And then we've. And what we're left with are, you know, the credentials and certifications that because they have to be all things to all people, they become so general. They're not really useful because conversely, when

B (29:23)

they're specific, they're so specific that I've gotten three certifications to do X, I want to learn to do Y, and I'm considered unqualified to do Y because I don't have this certification here. And this created a huge landscape issue in terms of people looking to. Looking to enter the field. So the question here then becomes, and how do we fix it?

A (30:25)

I mean, Kim, if we had the answer to that question, we would not be having this conversation five years later, ten years later.

B (30:32)

I mean, if you were supreme ruler and empress of the certification environment. Lack of subtlety there. I know. What would you do?

A (30:41)

Supreme Entertainment. You know, I think that the industry, like, you know, I don't. I don't know the history of how every professional association or, like, group has kind of come together and made common standards for itself. But I think it really comes down to, like, what does the profession think are the common standards for itself? And in some cases, that may not be just a skill. I think it's around, like, what are the ethics that we have to adhere to? What are the people doing these jobs as they've evolved? And then what's the deal? And what's happening in corporate or organizational environments where you're always lagging to define the role after it's already kind of evolved onto something else? I was on some panel and I got a really tough question from someone because I made the comment about advanced threat hunting and how, like, ATP and persistent threat hunting was, you know, a role that didn't exist. And I think at the time I was like, this role didn't exist five years ago. And I got challenged on it. It was like, I have been doing that for my whole career. Like, absolutely, that existed as a role. And I was like, no, I hear you. Like, people were doing those tasks and you were doing those things, but no one had come out and defined it as an actual job.

B (32:01)

And you're right, by the way.

A (32:03)

Thank you. Yes, I feel validated, but, like, I understand the challenge where, you know, we have this, like, dichotomy between, hey, we've been doing it, and we're kind of evolving to meet this new threat landscape that's constant changing, but it's really hard to keep up because, you know, at least now we say a cardiac surgeon, like, we know they work on the heart and the human anatomy evolves. Not as fast as the cyber threat landscape.

B (32:30)

Yeah, also true. So let me take it back a sec. You've been talking in a Lot of cases regarding professional certifications, you know, and some of the challenges with that. You have a background that also deals with what I would refer to holistically is entry level certifications in terms of security plus etc. Which I call those that required no formalized experience like the 5 year mark CSP has in order for you to take the cert. You have to demonstrate the knowledge and then make sure you test well. So let's go back a little bit and talk entry level certs and come at it. Blakely. I want to get into cyber or I'm just getting into cyber. And while there are different areas of emphasis depending upon role, do you believe that there's a core set of knowledge that I would want anybody entering the profession in any form or fashion to have? Yes or no. And if yes, what are two or three of the things that you would want anyone who purports to want to get into cyber to know and or understand in either theory or practice. So knowledge or ability or knowledge or skill.

A (33:57)

I think there is a baseline core set of knowledge that you need to do this job. I think it's more than two or three. But if I had to really give me your top five, I would say networking and computing. Anything on the OSI layer model just so that you understand how it all

B (34:16)

fits the OSI layer because there are a lot of places not teaching it anymore.

A (34:20)

Yeah, like so you know, understanding the basics of computing and how all of those layers work and communicate with each other I'd say is paramount. And then from there it's like I'd say the next layer and I'm biased because I have an intel background and a threat. Intel background is understanding adversarial like threats. And what are the primary ways that then those types of human holes we've created in our computing systems could be exploited by people with bad intent. And I'd say like the third one that I would just sort of like throw in there because I think that it is overlooked and I'd love to see it in there is again that like contextual now why does this matter for the organization that I am in and in charge of protecting?

B (35:10)

So let's talk a little bit regarding and we've talked about both the trade versus the profession standpoint. We've talked about the need for training and growing are people using certifications to use that as an excuse not just to differentiate but to either A be lazy for hiring and or B to preclude the need for understanding that you still need to train within your environment.

A (35:38)

Oh, like, my. My gut reaction was I was gonna say yes, but then I also was like, is it that we're just so lazy that I don't even think it's intentional? I think, you know, I don't know

B (35:51)

if it's right for me.

A (35:52)

Well, I just think about how many times for any position, you know, hiring manager goes, you know, I have these thousand fires that we have to actually put out day to day. And we're chasing down, you know, this many things happening on the network and we're instituting these new controls that we have to do on our security strategy. And now we have all these open positions. And so, like, the easiest thing you do is you're like, I have to have this job filled. Here's the closest thing I had X amount of months ago that was sort of like, it, like, let's modify it. Those types of terms are already in the job description from whether it was intentional then or not. Like, they're just in there. So you just kind of keep them in and you riff off that old job description. And I think it just kind of perpetuates it. Like, I don't know if it's a. I don't know how many. I've had so many conversations with hiring managers and like, cyber executives who will say, certifications give me this indication of someone, but I don't, like, it's not a requirement for me. Or they can get it on the job and yet their job descriptions all

B (37:00)

have it in there screening on them because of that.

A (37:03)

Well, right. So, like, I'm sitting there going, either you're lying or. Or you have it in there and you just haven't thought to remove it.

B (37:10)

Like it's careless or disingenuous. Yeah, I want to talk in terms of certifications, and I'm going to go down a path that I do go down in some depth in one episode, but I'm going to go down a path that may make some of our listeners feel uncomfortable. And I'm going to talk about diversity and the role that certifications potentially play in either helping or in some cases hindering diversity within the environment. Because one of the things. And again, it gets into some of the entry that we talk about, certifications cost. Certifications cost dollars for the study material, if you can afford it. You know, dollars for the exam as well as if it's one that required CPEs to maintain dollars associated with that. So it does not only become a wicked gate, but there's an economic component to it that gets in the way, even for entry level certifications, of people getting that check mark, that they need to be considered. And then we add to that the fact that. And I cannot remember the name of the study, but you and I have talked about it before. If a job description goes out, and I'll start with just male and female, a male says, hey, I meet 30% of the requirements, they're going to throw their resume in. You as a woman say, I only meet 75% of the requirements. I am not qualified and I'm not going to throw in. So are these wickets that we're establishing creating an hopefully unintended yet very real discriminatory situation within our profession? I would welcome your opinion.

A (39:07)

I mean, I think some of the just like time and service requirements, in order to get them kind of perpetuates what has already been a really unbalanced representation in the field. So once you just play out those numbers, if you're saying, well, you need the five years of experience and you have to pass this exam to get it, well, you know, we've been making some progress. But if you look at the numbers now, you know, it's still.

B (39:32)

The workforce only looks 20% like you.

A (39:34)

Yeah, like I was going to say like 20. I was going to say generous, right? And that's like a generous interpretation. And then if you add in, you know, African Americans or Hispanics or anything

B (39:44)

else of anything 100% total still.

A (39:46)

Right. So it's um, so I think it's impossible for that to just not perpetuate if you don't make a conscious change to the system. Because all of a sudden you're like, that's just, you're just keeping that pipeline going and you're continuing to set up this almost impossible barrier to those who want to get into the field who, you know, especially now. Like, we've talked about this, I know, in previous conversations and it's been reported in a lot of just the past year and a half in like workforce studies. Whether it's ISE2s or I saw Frost and Sullivan had one. Like, there have been multiple versions that have shown we do not have a shortage of entry level roles right now in the market. Okay, no, we have a surplus. We have like, we have more qualified entry level candidates than actual available jobs. If you go on cyberseek.org and you look at like that supply, demand, we actually have more supply and less demand for that, that role at entry level.

B (40:48)

I thought I missed, I thought I had interpreted what you said in the reverse. So let Me reflect back. We have a surplus of entry level professionals.

A (40:58)

Yes.

B (40:59)

And not enough entry level roles out there.

A (41:02)

Right. But like, but like, carry that thought through. So now you have this surplus of candidates who can't get jobs because there aren't enough roles for them at that entry level. But then in order to get the certification that's kind of in demand for the next level, they have to have the five years. How do you get there? If you have, you have, you've just given them a, you know, you've closed the door in their face and walked away. And so that's, and that's where we see the most diversity coming into the field is in entry level. I think we've made the most progress in attracting more diversity and more candidates from different walks of life and different perspectives and different angles into the field. But like, then we close the door on them before they even get there.

B (41:49)

What is the one thing that you would tell the audience to be aware of or to do differently? And I'll modify that to also say what is the one thing we haven't discussed regarding the certification topic that you want the audience to hear? Answer either or both of them. As you wish.

A (42:11)

I think the biggest takeaway that I would want anyone listening to to really absorb and take some time to put it to heart is cybersecurity is a long term game, but we're playing it with short term incentives. And if we're going to play this long term game, which is actually getting better at security, then we're going to have to focus on the things that are frankly, hard, the hardest things, which are how do we have the right people with the right skills doing the right things and all of the obsession that we often take with, you know, new tools, new technology, whether AI is integrated, those are all great and they're making our lives easier, but it's not helping us solve that long term problem.

B (43:01)

Yep, yep.

A (43:02)

Well, and I say, I'd say to sort of tie that into the certification conversation that we're having. I think that certifications have to, I think that there's an opportunity to say, how does, how do certifications help this kind of long termism as opposed to short termism, like let's go for long term capital gains here with human capital. And what does that actually look like? If we said, what's that common core of knowledge? How do we get people there? And then how do we maybe work with industry, meaning employers, so that there is actually an alignment between what we need and what we have? And I think that would be kind of like where you start to bridge that gap between the certs we have and then the needs we have in the market.

B (44:00)

Simone, thank you as always. You know I I I've missed you.

A (44:05)

I know. This is great. Thanks for having me. This is a lot of fun.

B (44:10)

And that's a wrap for today's episode. Thanks so much for tuning in and for your support. As N2K Pro subscribers, your continued support enables us to keep making shows like this one. If you enjoyed today's conversation and are interested in learning more, please visit the CISO Perspectives page to read our accompanying blog post, which provides you with additional resources and analysis on today's topic. There's a link in the show Notes. Tune in next week for more expert insights and meaningful discussions from CISO Perspectives. This episode was edited by Ethan Cook with content strategy provided by by my On Plot, produced by Liz Stokes, executive produced by Jennifer Ivan, and mixing sound design and original music by Elliot Pelsman. I'm Kim Jones and thank you for listening. Securing and managing enterprise networks shouldn't mean juggling vendors, patching hardware, or managing endless complexity. Meter builds full stack, zero trust networks from the ground up, secure by design and automatically kept up to date. Every layer from wired and wireless to firewalls, DNS security and VPN is integrated, segmented and continuously protected through one unified platform. With Meter, security is built in, not bolted on. Learn more and book your demo@meter.com CISOP that's M E T E R.com CISOP and we thank Meter for their support in unlocking this N2K Pro episode. For all Cyberwire listeners.