Last week I passed the EC-Council Certified Ethical Hacker exam. Yay to me. I am a professional penetration tester right? Negatory. I sat the exam more as an exercise to see if I “still had it”. A boxer returning to the ring. It is over 10 years since I passed my CISSP. The 6-hour multi-choice horror of an exam, that was still being conducted using pencil and paper down at the Royal Holloway University. In honesty, that was a great general information security bench mark and allowed you to go in multiple different directions as an “infosec pro”. So back to the CEH…
There are now a fair few information security related career paths in 2018. The basic split tends to be something like:
- Managerial – I don’t always mean managing people, more risk management, compliance management and auditing
- Technical – here I guess I focus upon penetration testing, cryptography or secure software engineering
- Operational – thinking this is more security operation centres, log analysis and threat intelligence and the like
So the CEH would fit as an intro to intermediate level qualification within the technical sphere. Is it a useful qualification to have? Let me come back to that question, by framing it a little.
There is the constant hum that in both the US and UK, there is a massive cyber and information security personnel shortage, in both the public and private sectors. This I agree with, but it also needs some additional framing and qualification. Which areas, what jobs, what skill levels are missing or in short supply? As the cyber security sector has reached a decent level maturity with regards job roles and more importantly job definitions, we can start to work backwards in understanding how to fulfil demand.
I often hear conversations around cyber education, which go down the route of delivering cyber security curriculum at the under sixteens or even under 11 age groups. Whilst this is incredibly important for general Internet safety, I’m not sure it helps the longer term cyber skills supply problem. If we look at the omnipresent shortage of medical doctors, we don’t start medical school earlier. We teach the first principles earlier: maths, biology and chemistry for example. With those foundations in place, specialism becomes much easier at say eighteen and again at 21 or 22 when specialist doctor training starts.
Shouldn’t we just apply the same approach to cyber? A good grounding in mathematics, computing and networking would then provide a strong foundation to build upon, before focusing on cryptography or penetration testing.
The CEH exam (and this isn’t a specific criticism of the EC Council, simply recent experience), doesn’t necessarily provide you with the skills to become a hacker. I spent 5 months self-studying for the exam. A few hours here and there whilst holding down a full time job with regular travel. Aka not a lot of time. The reason I probably passed the exam, was mainly due to a broad 17 year history in networking, security and access management. I certainly learned a load of stuff. Mainly tooling and process, but not necessarily first principles skills.
Most qualifications are great. They certainly give the candidate career bounce and credibility and any opportunity to study is a good one. I do think cyber security training is at a real inflection point though.
Clearly most large organisations are desperately building out teams to protect and react to security incidents. Be it for compliance reasons, or to build end user trust, but we as an industry need to look at a longer term and sustainable way to develop, nurture and feed talent. Going back to basics seems a good step forward.