Caute_cautim
Community Champion

There Is No Cyber Labor Shortage

Hi All

 

The title is disruptive, many will agree or may actually disagree?  What do you think?

 

The unfortunate truth is, if you're looking for an entry-level position in the cybersecurity field, there aren't many on-ramps. The wide-ranging security certification bodies and training organizations that dominate the industry have convinced many — maybe even most — cybersecurity leaders that "number of certifications" or "years of formal training" are the only metrics by which potential job candidates should be judged. What's more, the emergence of both undergraduate and graduate-level cybersecurity degrees has placed another arbitrary barrier between otherwise qualified individuals and the jobs they want. Don't have the right degree? Too many organizations will tell you not to bother applying.  

 

https://www.darkreading.com/cybersecurity-operations/there-is-no-cyber-labor-shortage

 

Regards

 

Caute_Cautim

14 Replies
ericgeater
Community Champion

One is to fill the gaps in my knowledge

 

Two is the confidence boost

 

@SarahC I can't agree with you more.  This would be the subject of a much better article, because self-improvement leads to org improvement.  I wish these nattering nabobs would write such an article, instead of continuously whinging about "the room is flooded with wannabees, and there's no wannabee jobs here".

-----------
A claim is as good as its veracity.
ericgeater
Community Champion

One of the problems is that many of the people with the CC lack the foundation to go with it.

 

Why can't -- and I'm just spitballing here -- the CC be the foundation?

-----------
A claim is as good as its veracity.
Early_Adopter
Community Champion

To Eric’s question I think there’s a seed there, however if we’re looking at professionalisation of a particular part of IT there’s a big interest in getting folk through 3/4 year degrees, and that’s a huge vested interest - same as for most degree subjects. Frankly humanity would probably be better if we went “Khan Academy, all the time” and launched MOOCs for everyone with awesome content and standardised controlled testing. Philosophically I think it’s not great to leave the future of humanity’s learning with a bunch of disparate organisations that are all out to make a buck.

Now, I don’t see ISC2 as any different there and as time has gone it has become less transparent, probably as a result of chasing members and candidates it didn’t have while focusing less on its existing membership - I do wonder if ISC2 hasn’t somewhat ceded the space CISSP occupies to ISAC/IAPP/CompTIA as it pursues CC, which is a clear loss leader to try to prime pumps for lots more, we’ll need to see candidate to member conversions, and then to test its worth how many people got the job after.

I think that the approach ISC2 takes is very useful for seeing if folk with experience can apply the core conveyors and can select least bad/best from options presented. But everyone’s used to ISC2 certified people having that experience. If everyone entering the market has a shiny degree in how to be very bored in a SOC, then I’m not sure an online course plus multi-guess exam helps all that much.

Now I think IT certification bodies can really help, but they can’t do it on their own - ISC2 has great mid/late career tests but its training isn’t that great - money no object would you prefer to train with SANS or ISC2? Exactly, no contest. Presumptuous I know but hands on skills are critical in this industry.

So if all the certification bodies came together and built an evolving curriculum for a MOOC that had cost effective degree options - working with a Carnegie or a Royal Holloway then I think that’s potentially gold as you get scale and something accessible and you still go to a controlled environment for testing/finals. A team up like that would be a big shake up and you’d end up with something everyone would understand.

Anyway TL;DR - I think the problem is scale, coverage, methodology, entry level needs lots of hands on. Universities are bad, because of how they make money etc - and ISC2 probably won’t be able to go it alone - SSCP was its entry level and that didn’t get huge uptake - to really fix the foundations all of the certification orgs should collaborate to build an unbeatable cybersecurity degree delivered via the cloud.
JKWiniger
Community Champion

With degrees I always saw timing as a big problem. A product needs to be created, accepted into the community, a book needs to be written, the school needs to adopt the book and work it into the curriculum. By this point things are outdated. I remember that with the Cisco CCNA they wanted to spread the classes over four semesters! I self-studied and did it in a few weeks.

With the issue of needing a good foundation I am reminded of the old Microsoft MCSE. It required 7 tests to achieve it, and after you were done you were well rounded. One thing that I have noticed, which I don't know how to deal with, is what the expected depth of knowledge is, since it is rarely stated. Take the CC for example, the depth of things is not very deep, so when, say, IR is listed how do you know if they want an understanding or the ability to run the full response?

 

John-

Early_Adopter
Community Champion

So regards degrees it’s highly possible to do quicker and better at least in terms of what goes into them. I feel that as long as there is a lead institution and it scales, higher education is pretty ready for disruption (in general not just cyber security). Yeah, it’s very true a lot of the vendor certs, CCNA for example, were used for the programme due to lack of content. The MCSE was fun and my vehicle to break into IT / lots of modules/exams and it was big on how and short on why, but it did teach the whole MS ecosystem as it was - is Contoso still a thing? Who remembers P@ssw0rd? 🙂 At the end of it you could design, build and run an AD and all the trimmings - all in support of MS ecologies everywhere, Cisco was very similar and the ubiquity of solutions and the quality of the labs/examples means you had a very decent if not academically honest training.

Vs these behemoths and degrees CC is going to struggle in scope, breadth and depth, and in the entry level it’s not the dominant predator in the ecosystem that say CompTIA is due to being very well known and having more hands on. I think broadly there is a lot of content out there - I’m mentoring a chap and he did CC, struggled with finding a test centre, then started the Google cert leading up to CompTIA Security+ - he’s also doing a degree. So he'll come onto the market with a fair amount of book learning, knowledge and paper but he still needs the role and the experience. Would he have sat CC if it wasn’t nearly free? Very unlikely.

That’s not to say it couldn’t grow and fill that space, but it’s going to need a bit more, and the market will need better data on how useful it is in securing infosec roles.

As for IR… I’m sure it is effective in pointing out that the radiation we feel as heat…;) No, you need to learn that in depth, then do the job for quite some time, it can provide conceptual familiarity I guess.

One good thing about a degree vs a certification is there’s time to look at a wide range of texts and even primary sources. Beyond that there is a large section of the economy that has a vested interest in selling its educational products and I don’t think any single cybersecurity certification vendor will challenge that on their own.