Recently I earned a Certified Third Party Risk Assessor (CTPRA) designation from the Shared Assessments Program. This certification intends to validate my knowledge “…within specific IT risk control domains that an individual will need in order to perform a thorough IT risk evaluation of a third party during an assessment.”
The CTPRA is a relatively new certification, but I think it will prove its value as time goes on. Besides attending the workshop and passing the exam, you need a minimum of five years’ experience in assessing the IT risk controls of third parties. Though I’m skeptical of the value of certifications overall, I’m glad I made the effort to attain this one (and so is my boss).
Why am I skeptical about certifications? Because they don’t equate to real-world experience. During my tenure in the field, I’ve seen good performance and poor performance on the part of my peers, and a number of highly certified people have failed to impress me.
I’m not saying certifications are bad, or meaningless, or even misleading. They’re important for helping professionals legitimize and codify experience. But often in the hiring process they get more weight than they deserve.
Many HR and staffing organizations face considerable pressure to find candidates, and they frequently filter resumes and people by certification acronyms and related keywords. This is problematic, especially since most certifications don’t require you to show proof of your expertise “in action.”
In my opinion, what truly legitimizes someone as an information security professional is their real-world experiences. What have they been through?
Information security is an intellectually and emotionally challenging profession that pits defenders against attackers in something very much akin to combat. I’d rather have a CISO at the helm who’s been through a data breach and knows first-hand what to do next time versus someone with a spotless track record who hasn’t had their hand held to the fire. People can spend thousands of hours reading books in classrooms, but that knowledge doesn’t always translate to what happens in the real world. Everyone knows things don’t always go according to plan.
If you’re concerned your information security posture isn’t what it should be and are worried about an imminent data breach, focus your hiring efforts on finding someone who’s dealt with that issue before.
Certifications can be a valuable indicator of professional skills and focus. But especially in today’s job market, don’t pass over valid candidates because they lack certifications. Real-world experience and the ability to perform in real-world circumstances is what counts most.
If your organization faces information security staffing challenges and/or needs to address information security risks in a timely and cost-effective manner, contact Pivot Point Security. We have a full spectrum of proven professional expertise on tap and will design a service offering to meet your specific needs.