Why your mainstream IT team should be security-qualified
04:00 Monday, 26 July 2021
UK Cyber Security Council
Searches on job sites for IT professionals result in lists of roles that cite mainstream IT qualifications as requirements for applicants. A network engineer needs to hold Cisco’s CCNA; a VMware architect post unsurprisingly demands VCP; a Linux support role asks for CompTIA Network+ - not directly Linux-related, to be fair, but not unusual.
This should not be a surprise, of course: on the face of it, it makes perfect sense to demand qualifications in the field in which one is recruiting. But if we take a step back, we realise that anyone recruiting looks for more than the core qualifications. We look for leadership qualities in senior roles, or those for which promotion is a near-future possibility. We look for experience in the field but we also look favourably on those who have worked in different markets or for different types of company, because it gives breadth of knowledge that can bring a benefit to our own organisation.
Why not, then, take a step forward instead and look for more specific skills that are directly relevant to the IT profession – specifically security?
All the qualifications mentioned in the first paragraph have an element of security about them, but they’re primarily about the hands-on configuration of security parameters, generally on a particular platform. The CCNA teaches you how to configure the different security levels and authentication mechanisms on a router or a switch; VCP teaches you how to manage admin logins on a VMware infrastructure. But few (if any) mainstream IT certifications teach you the first principles of security – the ethics, the concepts and the approaches – and this is where pure security certifications come in. I know system administrators, server specialists and the like who have taken security qualifications and have been astounded by what they have learned.
And this learning has made them better at their jobs, because they understand why they’re configuring the security the way they are, and will generally identify better ways to do it. And it’s most definitely made them more employable and improved their chances on the job market… but if their current employers have any sense, the management will see this and make sure the package is sufficient to keep them more interested in staying than going. After all, mainstream IT staff with proper security qualifications are a rare species, so you should hold onto any that you have and dedicate your training resources to making more.