Salient points - what is probably needed are apprenticeships of some sort, IT training with security paths when appropriate.

I think having Google’s Americas Marketing Leader push is huge, and not to be underestimated. Also google seem to be following first Cisco, then Microsoft, then Amazon in being very serious about training, entry level seekers take note these behemoths along with Amazon have huge partner channels - select you ecosystem and heads down.

There is one thing I do notice about folk going for these certs vs how it was when I swapped Army for IT, then quickly security. People didn’t really ask about getting jobs in cyber so much as you showed an interest and started working on things it IT switches, routers, desktops, server, DHCP, DNS - you weren’t doing it because you though you could get paid six figures, you were having fun. As computers became more disposable and less repairable there was less of that and the feeder of joyful hands on people dried up. General point to societies fix things rather than throw them away to get ahead in tech.

Hands on, to get on!

---

@Early_Adopter wrote:
There is one thing I do notice about folk going for these certs vs how it was when I swapped Army for IT, then quickly security. People didn’t really ask about getting jobs in cyber so much as you showed an interest and started working on things

---

Exactly. One could argue that the growth of security as an industry is due to the widespread tendency of individuals to run with technology rather than walk. Couple that with the tech industry's propensity to incorrectly knot our shoes or even tie them together, and the next thing we know is security jobs are growing faster than IT ones (that makes no sense at all).

 

It's a false bifurcation to say there is IT over there and then over on the other side is security. That's as silly as building a restaurant with both a kitchen and a customer service office to handle all the complaints about the bad food. Meanwhile, we see increasing burnout, frustration, and turnover n both IT and security. I think that reflects a disconnect between the certifiers, trainers, and others selling professional pathways and the actual work environments.

I’d say it’s certainly interesting - from a security standpoint folk at the creation end of software have very little idea about who uses it and how and vice versa. Even to the point we’re someone building things doesn’t know that if the code is present the CVE isn’t a false positive just because you feel you don’t use it/ have a compensating control. DevOps hasn’t helped nearly as much as people think and we now have a priesthood of Site Reliability Engineers talking about error budgets and chaos testing, whilst also not really getting it at least from one perspective… they’ll all have equally valid viewpoints and this dichotomy does wear people out. The tools enforcement functions mean you can’t just whitelist in the vulnerability scanner - it’s probably buried in three layers of other apps UI and access control( invariably creds behind a CyberArk, Humanities least user friendly PAM solution(apart from the others))…. So you don’t ship but that was lucky because if you had of done the Red Team would have got you…

On one side I don’t need to fix that… on the other you won’t be able to deploy if you don’t because it’s high and it just went 30 days… so you need a waiver from the guy who just want on holiday. “New Jobs Please!”

I think ISC2’s strength is in its question writers, rather than the organisation itself - just need to look at public facing systems issues with elections, CPEs, free exam faults etc - however I think most entry level training needs simulation/hands on/labwork. CC is too pumped/marketed in my opinion and CISPPIENESS isn’t going to rub off - especially as CISSP is seemingly loosing clout and not so surprising as the concentrations are now standalone certifications - maybe it’s for the best/time will tell. The big question I have is who will be the CC’s version of Das Furby to ridicule and bully? So anyway CC is probably useful, but candidates are beckoned in by the free offer and the attractive salaries(not realising that to your point you really need to have the first steps in IT).

CompTIA I think is sitting pretty as they just have a Vulcan death grip on early years (in IT as well). Pretty complete with more hands on skills.

ISACA looks more attractive every month - Privacy Engineering was a coup for them(poor IAPP) ISC2 were nowhere near that or just basic privacyOps. I think as I’m probably five or six year of retirement I shan't bother but it’s tempting.

IAPP returned the favour with an AI Governance cert - take that ISACA/ISC2!I hold more certifications with them than anyone else and always fun. Membership fee’s are high - especially versus ISC2 now they’ve proved AMFs for members are perfectly workable at fifty USD!

So guess who wrote this:

“ How can you start your career in cybersecurity? Working cybersecurity professionals agree, certification is the most important way for career pursuers to enter the field. But with so many cybersecurity certifications out there, how do you choose the one that will help you break into the field and help lead you to long-term career success?‘🧐

As a Working Cybersecurity Professional I’m almost certain that anyone thinking about breaking into the field will be better served by experience in a job in IT than a certification. ISC2 is known for having experience requirements apart from CC…

I think big vendors are well placed to move in on the hands on training, and they have labs…everyone needs labs, plenty of labs.

Lastly there’s to your point too much selling of career paths - though I’m tempted to post an email address in a thread, wander into a discord server and maybe ask for my free go on the CC exam so I can start anew… 😛