Certifiably Obstinate: The Hidden Value of the Less Experienced

“The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn.”― Alvin Toffler

Today’s IT universe exists in a state of evolutionary flux. No sooner than one concept, methodology or solution is put into practice, it’s retired in record time and replaced with a newer, better alternative that’s wrapped in a mandate to be enacted by dinner time that evening. And at this particular time, no quote rings more true than the one above.

Having worked in IT for more than 16 years, the latter six consisting of cybersecurity auditing and compliance management for the DoD, I’m no stranger to the constant change of cybersecurity policy and directives. Consequently, I’m also no stranger to meetings that stretch for weeks, months, years on end, all with one thing in common: the burning desire of industry veterans to engage in endless debate over the way things were done in the past and how to move forward under recycled methodology.

While industry directives increasingly demand advanced-level information security certifications of personnel, such as CISSP, CISM or CASP, candidates unfortunately don’t also come with a label reading “Resistant to Change.” It’s an undeniable fact that some of the most technologically-savvy are also the most resistant and argumentative when it comes to adoption of different perspectives and methodologies. Of course, this isn't a universal truth, as I’ve also had the pleasure of working alongside 20- to 30-year industry veterans that hold true to the innovative way of thinking that’s so essential to today’s evolutionary requirements. However, the propensity of the most seasoned professionals to be the most poorly-adaptable still unfortunately trumps that of the latter.

On the other end of the spectrum, we have the recent grads or those several years into the cyber field – those who are knowledgeable enough to hold their own, yet not so embedded in the groupthink of established professionals that their intellectual malleability has been compromised. Their experience isn’t so deep that they feel the urge to compare new to old at every turn and shove a wrench into the wheels of change, but they’re more than capable of taking direction from those experienced enough to navigate pitfalls and lead a team to victory. They’re ready to accept their tasking and move forward to meet or beat deadlines.

There’s just one thing… they don’t hold those advanced certifications. Recruiters are on standby with checklists in hand, but some of the most capable candidates aren’t getting a second look. This isn’t necessarily an issue of laziness or unwillingness to advance their careers, but rather lack of ability to meet time-in-grade requirements that are in place under many of these certifications. Truth be told, many of these junior to mid-level positions simply do not warrant the same advanced certifications that senior-level positions require, yet the cyber industry has become so inundated with advanced certifications that exist more as catchy buzzwords for candidate filtering than anything else, with hiring professionals not possessing a true understanding of related necessity or value they bring to each respective position. Industry decision-makers need to re-think their hiring strategies. Sure, those credentials sound great. Problem is, likelihood of hardened mindsets is enhanced tenfold because of them. While a candidate may have the juice under the hood, this doesn’t necessarily mean they’re willing to hit the gas when it counts.

When interviewing seasoned candidates, focus on change. Discover what innovations they helped put into place and see what ideas might be brewing inside that they’re eager to implement. Narrow in on teamwork and find out what projects they helped see through till completion. Assess their compatibility and willingness to adopt change. In this day and age, it’s not so much about where you’ve been as it is about where you’re able to go. At the same time, take a second look at some of those “less qualified” candidates and, if able to do so, look beyond their lack of shiny credentials and see what they might be able to offer your company. Odds are, you might be surprised at what you’ll find.

Adam Godfrey, CISSP, is a Cybersecurity Policy and Compliance Consultant to the Department of Defense (DoD) for Booz Allen Hamilton. He has spent more than 16 years supporting the DoD in the areas of cybersecurity policy and guidance, IT project management, systems administration, cybersecurity compliance auditing, cybersecurity incident response, and cybersecurity awareness education of DoD personnel. You can follow him on Twitter, Facebook and LinkedIn.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.