A paper tiger is a fake tiger, made of paper. It may appear to be a real tiger, but it has no substance, is unable to stand up to challenge, and can't perform any other tiger duties.
Wikipedia defines a paper tiger as this:
"Paper tiger" is a literal English translation of the Chinese phrase zhilaohu (纸老虎／紙老虎). The term refers to something or someone that claims or appears to be powerful and/or threatening, but is actually ineffectual and unable to withstand challenge.
How do paper tigers relate to cybersecurity?
In my mind the "paper" is often a cybersecurity certification and the "tiger" is the person holding the certification. A person with a CompTIA Security+ certification, for instance, may appear to be a real cybersecurity tiger. If this person just memorized exam questions, didn't learn any material, and passed the CompTIA Security+ certification exam, they are a cybersecurity paper tiger though.
At Alpine Security, we get routine inquiries about our cybersecurity training. Many people assume we will just "teach the test". Some people have even mentioned to us that other cybersecurity training providers offer onsite exams allowing people to take the exam "open book" and "as a group", even though the exam is supposed to be taken solo, closed book. These behaviors breed more paper tigers. Is it any wonder why we have so many data breaches?
Cybersecurity Paper Tigers are Killing Us
Cybersecurity paper tigers are killing us for a number of reasons:
They don't know enough to actually help with cybersecurity defense. Paper tigers are often responsible for cybersecurity controls, plans, policies, training, etc. The paper tigers don't actually know much though, so the risk of them doing something wrong or ineffectively is very high. This is sort of like asking your 5 year old if he can drive your car. He says "yes", so you let him drive to the grocery store. The outcome will not end up well.
They hire other paper tigers. People tend to want to be around people like them. Also, paper tigers typically have fragile egos, so hiring someone that knows less than them is often what they do. Fragile egos stem from incompetence and being "found out".
They devalue cybersecurity certifications. Cybersecurity certifications still have a worth, but they used to mean more before the influx of the paper tigers. In the past, if you hired someone with the Certified Ethical Hacker (CEH) certification, you knew they had a certain level of knowledge, skills, and abilities. Now, you may see someone CEH-certified that doesn't really know anything. I've interviewed CEHs that couldn't tell me what nmap was...
They are not passionate about cybersecurity. This is sort of the elephant in the room. People that are passionate about a topic, industry, career, etc., make efforts to master these areas. Paper tigers are dabblers. They dabble just enough to give the appearance of expertise. If they are dabblers in their career, the chance is they are dabblers in everything in their life.
Cybersecurity criminals are masters of their trade - not dabblers. A dabbler will always lose to a master.
What can we do about the cybersecurity paper tiger issue?
There are two areas to focus on to get rid of paper tigers:
Cybersecurity certifications that require a practical. Many certifications are moving towards having practical components to them. The CEH, for example, has two programs. The first is "Certified Ethical Hacker", where you have to pass a multiple choice exam. The second is "Certified Ethical Hacker Master" where you have to pass both the CEH multiple choice exam and a CEH practical exam. Paper tigers may be able to pass a multiple choice exam, but they will likely fail a practical exam, unless they actually learn some stuff. Learning some stuff may strip them from the paper tiger status!
Hiring procedures. We need to do better at interviewing and screening cybersecurity applicants. Just because someone has multiple cybersecurity certifications, doesn't mean they know the material. It's an employer's duty to screen applicants appropriately. The people doing the interview need to know about the certifications or be certified in those areas themselves in order to discern the paperness of the tiger. For instance, if I'm interviewing someone with a Security+ certification, I should know the basics covered in Security+ so I can validate the candidate’s knowledge.
Let's do the cybersecurity industry a favor and work to get rid of the paper tigers.
Christian Espinosa is Alpine Security's CEO/Founder and a Cybersecurity Professor at Maryville University. He holds over 25 certifications, including the CISSP, CCISO, and PMP. Christian is a US Air Force veteran with a BS in Engineering from the US Air Force Academy and MBA from Webster University. Christian holds multiple patents on cybersecurity attack and defense. Major recent projects include penetration testing and assessments of commercial aircraft, medical device penetration testing, and numerous incident response projects. When Christian isn’t protecting us from cybercriminals, he climbs mountains, travels the world, teaches outdoor wilderness survival, and competes in Ironman triathlons.