Fake it 'til you make it?

I’m on LinkedIn probably more than is healthy, and I recently came across a posting that made me extremely frustrated. I’ll steal Derek A.’s screenshot of it so I don’t need to find the original post.

Source: Derek A. on LinkedIn (he did NOT post this message, just this exact screenshot)

I cannot stress how wrong the above is, for such a large variety of reasons. I’m just going to rant a little on this and hope it changes anyone’s mind from doing the same.

I will mention one last thing before I get into my frustrations here. It’s unfortunate that this field (Cybersecurity) is so hard to get into that people feel the need to resort to these kinds of unethical and underhanded methods. It’s also unfortunate that this kind of activity seems to work, because it is at the expense of the companies you “consult” with.

I said it once, and I’ll say it 1,000 times. This is beyond unethical. You are misrepresenting your experience, your knowledge, and your abilities to any client you are working with. He specifically says to volunteer at a small mom and pop shop to start gaining your experience. It’s bad enough that these small shops already have lacking Cybersecurity, but you go and make it worse.

“Some security is better than no security, right?” This is almost always wrong. You are giving your clients a false sense of security by throwing together random tools and processes with no real understanding of the reasoning behind them. If these tools cost money (which they almost certainly do if you are helping them get good tools), you are almost certainly wasting their money.

Misrepresenting your level of knowledge to gain that knowledge is absolutely horrifying. vCISOs tend to be a laughing stock in the industry because of this. While there are some companies who are doing vCISO right (shoutout to SideChannel as one example), a large amount of vCISOs are only Information Security Managers, or simply the smartest Cyber guy on a team, farmed out to provide vCISO services. They have never been a CISO.

The knowledge needed to be a CISO is far more than the smartest Cyber guy, or even the Information Security Manager. Running and maintaining, or in the case of many small mom and pop shops (and as he specifically says in this post), creating a Cybersecurity program is not a small task. It takes thorough planning, deep understanding, and careful execution to do right. Knowing when to pivot, when to make changes, or when something is working right is an art as much as it is a science.

Not to mention this is against almost any certification’s code of ethics. This particular individual has a variety of CompTIA certs. Let’s take a quick look at their code of ethics.

CompTIA’s code of ethics states the following:

  1. A Certified Person shall offer and provide professional services with integrity.
  • I don’t know about you, but lying about your current level of knowledge and claiming you are capable of providing CISO services when you’ve never been a CISO does not show integrity.
  2. A Certified Person will always conduct themselves in a manner which enhances the image of the profession.
  • How does lying about your current skills and providing CISO services when you have no prior knowledge in Cybersecurity, and encouraging others to do the same, enhance the image of the profession?
  3. A Certified Person shall provide services to clients competently and maintain the necessary knowledge and skill to continue to do so in those areas in which they are certified.
  • Stressing the word maintain. When you misrepresent your current skillset, you are not providing services to clients competently, and you are not maintaining but attempting to gain the necessary knowledge and skill on the backs of misrepresentation.
  4. A Certified Person shall not solicit clients through false or misleading communications or advertisements.
  • Well, this certainly looks like soliciting clients through false communications to me.
  5. In the course of performing professional activities, a Certified Person shall not engage in conduct involving dishonesty, fraud, deceit or misrepresentation, or knowingly make a false or misleading statement to a client, employer, employee, professional colleague, governmental or other regulatory body or official, or any other person or entity.
  • This is definitely engaging in conduct that involves dishonesty (lying), fraud, deceit, or misrepresentation. There’s no arguing there.

I want to stress that this is not a gatekeeping post. Anyone who knows me knows I’m an advocate for opening up the field of Cybersecurity and IT to more people. To make it easier to start and learn in.

However, there is a limit to what someone new can do. When you are learning how to protect organizations from cyberattacks, there is no way you can advise them on the best paths. You may know all of the buzzwords: XDR, SIEM, SOAR, NDR, EDR, AI, ML, CSMA, Data Lake, and so many more. You may even understand them.

That doesn’t mean you know how to properly utilize them, or how to build an effective program that uses them in a way that enhances your program. That doesn’t mean you know how to create a security program from nothing (which small mom and pop shops almost certainly don’t have). That doesn’t mean you can properly maintain an existing security program.

When it comes to security, a CISO should have years of experience in the field, and have a deep understanding of business so they can properly advise companies on the best way to use their limited budget.

When you misrepresent your abilities and knowledge and claim to be able to do this, you are actively hurting the company who hired you. You are actively hurting the image of the profession. You are actively damaging your reputation for anyone who may want to hire you.

Please don’t do this.

Also, this is not an attack on volunteering. Volunteering to assist small and micro businesses, churches, other nonprofits, and other similarly disadvantaged organizations is a great way to gain experience. However, you need to be clear on your level of experience. Claiming to have the knowledge of a vCISO by artificially giving yourself that title, without having the experience to back it up, is extremely unethical. I'm arguing against the unethical way this individual says to get into the field, not against volunteering as a way to gain experience.

Cody Dostal