An ISACA survey released during RSA week sought to illustrate the state of cyber security workforce development and its current trends. The results would surprise no-one in the industry: recruiting security talent is hard.
But the ISACA survey makes two particularly interesting statements: firstly, that 70% of enterprises “require a security certification for open cyber security positions”; and secondly, that for 55% of enterprises, “practical hands-on experience is the most important cyber security candidate qualification.” Since a candidate cannot get experience without first getting a position, new candidates for open cyber security jobs need as much help with other ‘qualifications’ as possible.
Today, CompTIA has announced a new security qualification: CSA+. It sits between Security+ (covering essential principles for network security and risk management), and CASP (the CompTIA Advanced Security Practitioner, which certifies critical thinking and judgment across a broad spectrum of security disciplines).
CSA+ focuses on the skills required for the use of threat detection tools, data analysis and the interpretation of results to identify vulnerabilities, threats and risks. It certifies a proficiency in data driven security.
“By placing greater emphasis on data analytics, we get a real-time, holistic view of the behavior of the network, its users and their devices to identify potential vulnerabilities and strengthen them before an intrusion happens,” explained CompTIA’s senior director for products, James Stanger.
This is perhaps the most critical area of the overall cyber security skills gap, and one that is growing faster than most. The Bureau of Labor Statistics states, “Employment of information security analysts is projected to grow 18 percent from 2014 to 2024, much faster than the average for all occupations. Demand for information security analysts is expected to be very high, as these analysts will be needed to create innovative solutions to prevent hackers from stealing critical information or causing problems for computer networks.”
“Data analytics is key,” says Jim Lucari, senior manager of certification at HP Enterprise. “Everybody in technology should have this CSA+. It should be mandatory if you’re going to stay in IT over the coming decade.” The CSA+ qualification could help potential employers gauge candidates’ aptitude and skill level for this critical area.
CSA+ exams are available globally via Pearson VUE Testing centers. However, it is not an entry-level security qualification. Although private individuals could use it as part of a project to get into cyber security, it might better suit career advancement than career entry. “Because of the advanced nature of CompTIA CSA+,” Stanger told SecurityWeek, “we recommend that candidates for the certification have a minimum of three to four years of hands-on information security or related experience; and hold CompTIA Network+ and Security+ certifications.”
One of the recommendations from the ISACA survey suggests that employers should “Groom employees with tangential skills — such as application specialists and network specialists — to move into cyber security positions.”
Putting such staff through the CSA+ certification could provide a cost-effective approach to filling the cyber analyst security gap. “We recommend a minimum of five days of intensive ‘boot camp’ style training,” said Sanger; “or a quarter or semester of academic instruction.”