Simply Cyber Hot Takes! 🌶️ Rethinking Cybersecurity Certifications with Jason Dion from AKYLADE
Spicy questions and even spicier Wasabi in Toronto
Hey there, 👋
While careers and cyber risk reduction are serious business, the (SANS difference maker podcast of the year award winning) Simply Cyber community is all about good times and having fun along the way. That’s why my interview here with AKYLADE co-founder Jason Dion uses a Hot Takes format. I brought him your spicy questions, and even spicier sushi with wasabi!
As usual I walked away from this conversation with Jason inspired and educated. He unpacks why he co-founded AKYLADE: to help close the cybersecurity hiring gap with alternatives to 22-46 year old certifications that have become quite expensive and are often out of touch with the knowledge and practical skills you need to be successful on the job.
I was impressed by the transparency and candor Dion is bringing to what can quickly become a heated, polarizing topic. And speaking of heat, I also walked away with very clear sinuses!
I hope you enjoy and find as much value in this Q&A as I did. Jason provides his email address at the end of it, and you have mine in this newsletter. Please keep the questions coming and I look forward to talking shop on GRC, career crossover and cert prep with you in the community.
Sincerely,
Steve
Why Start AKYLADE? (02:04)
STEVE:
You seemed to have a good thing going with Dion Training. Why pivot to start AKYLADE?
JASON:
Yeah, it's a great question. So for those who don't know, I'm Jason Dion. I was the founder of Dion Training, which is a cybersecurity training company. We help people pass their A+, Network+, Security+, CySA+, PenTest+, CEH, CISSP, SecurityX, you name it, we help you pass it, right? And over the last seven years, we've helped 2 million students take and pass their certification exams, which is awesome, and I'm really proud of that fact.
But the big challenge that I was seeing is that the students are having trouble getting their job and getting into the cybersecurity industry. And so when I started talking with hiring managers, I asked, "What is the thing that you're looking for?" And every single time, there's always three things they ask for: It's certifications, degrees, and experience. And generally, they want experience first, certification second, and degrees are third. And the problem is, for people trying to break into the industry, how do you get experience?
And so when I started talking to these hiring managers, I said, "Well, what can we do so you'd be willing to take people who are brand new to the field?" And they said, "Well, the problem is we have to have some way to filter down candidates, right? If I get 1,000 applicants for one job, which is pretty typical, even in my small company, when we put out a new position, we get around 800 to 1,000 candidates applying. I don't have time to read 1,000 resumes because I'm busy doing the next thing I need to do. And so we have to have a way to filter that down. And generally, what we use in the industry right now is certifications. And so we'll say, 'Oh, you must have a CISSP. You must have a CEH. You must have a blank, blank, blank. Name the certification.'"
But the problem that hiring managers are starting to have a kickback against these certifications is the fact that they get people with a certification and they can't do the job, right? And if you look at something like Security Plus, it's a great example of that. It is asked for by far more than any other certification out there. But there are five people who are certified in Security Plus for every one job available for somebody who needs a Security Plus. So you have a 5-to-1 ratio there. And most of these people are coming straight out of high school or college. They're going through Western Governors or one of those other colleges like that where you're getting 5, 10, 15 certifications and a bachelor's degree. But then you have zero experience. And so when I talk with the hiring managers, I say, "Well, what we really need is a way to identify people based on their skills and not just what they've learned but what they can actually do." And that's why at AKYLADE, we're really focused on not what you learn but what you can do. And so our certifications are very hands-on. They're very practical. And so it's not, "Yes, we need another certification," because honestly, there's a million certifications out there. And I work very closely with a lot of the other certification brands including CompTIA and others. And I try to get them to go more into the doing part of the certifications. But the feedback I kept getting was, "It's too hard. It's too expensive. We're already doing well the way we are. Why are we going to change it?"
And the problem is that's not helping the industry. So long answer to your question, but really, I started AKYLADE as a way for us to change the industry and be able to get a way for people to break into the industry by showing they have skills and that they can actually do the job. And so when you take an AKYLADE certification, for instance, the CCRF or CCRP, which is our cyber resilience foundations and cyber resilience practitioner exams, those actually show that you can do the job of a cybersecurity consultant. You know how to implement the NIST cybersecurity framework, not just what is the NIST cybersecurity framework like you would find out in CISSP has a page in the textbook on the NIST cybersecurity framework. Security+ has two paragraphs in their textbook, right? We actually have a 300-page textbook that goes into not just what it is but how do you do it and how do you use it on a daily basis. So long answer, but the answer is we want to make sure that people can actually do the job and then get hired based on the skills they have and the fact that they can do something as opposed to just what they know, it's what they can do.
Certs can be a heated, polarizing discussion (06:00)
STEVE:
When we talk about certs, it can be a very heated, polarizing discussion.
But what we can all agree on is there's a problem that needs to be solved. How do we bridge that gap?
The size of the problem has come into question, although that’s a tangent. But the point I think everyone would agree on is that we need a better way. We need some change. What can we do to improve? And that's pretty interesting that no one would know what's going on with the most popular cert in the world that is on all of – or most of the job postings leading the pack than you do. And you said, "Hey, I'm right in the middle of this and I see an opportunity to help."
The value of NIST Cybersecurity Framework skills (06:45)
And then also when you look at the skills that you're bringing and kind of deepening, I have lived the value that cybersecurity framework can bring to my job on day one, and wanting those skills on my team and with applicants. I mean it helps you reduce cyber risk, speak the language of business, and so it's valuable stuff. So that's very cool.
JASON:
And the one thing I'd say on that is that when we look at these type of things, right, what we're doing at AKYLADE, we are not designed to be a replacement for Security+ or CISSP. That is not our goal, right? We know they're out there. We know that we will never be able to compete with a Security+ because they've been around since 2003. They've got a reputation. They're on every list out there. They're on every job application out there or every job posting out there. But what we are trying to do is differentiate the skills inside of the other certifications.
So, for example, in Security+ or CySA+, there is one objective out of 35 that talks about doing Incident Response. One of the things we're planning on doing is having an Incident Response certification that really goes into what do you do as a hands-on incident responder to actually take care of these issues.
We have another one being focused on being a SOC analyst and how do you actually do that job versus I teach CySA+ from CompTIA. It's a great certification. It teaches you the foundations, but it doesn't teach you how to actually do the job.
Turnover and training before vs after getting hired (08:00)
And that's the problem that hiring managers have because nobody these days – and I come from an American market. I know you're in the Canadian market primarily, but I'm in the American market. And in America, people stay in their jobs 12 to 18 months and then they move. And with that kind of a fast, rapid turnover, an organization doesn't want to spend $20,000 or two or three months of your salary training you on how to do the job. They want you to show up on Monday and by Tuesday, you need to be doing work.
STEVE:
I won't train you to go from zero to hero. I need you to add value on day one.
JASON:
Bingo.
Certifications and education are only 10% of a Career Development Plan (09:39)
STEVE:
And you're highlighting this hiring managers’ pain. I've gotten very close lately talking to people wanting to break in their pain. Give me a chance! Right. It's a chicken and egg problem. How do we solve it? And so, with certs, I'm very consistent in saying that it's 10% of your Career Development Plan.
Ninety percent of the discussion is not certs, right? But it is valuable – it's where you need to go where you don't have the experience. And it's an important component.
Trends in certification and degree value to hiring managers over the years - peaks and valleys (09:45)
JASON:
So one thing before we go to the next question, you were mentioning 10% is certifications. I would agree. I think that's right. One of the things that – especially if you're a new person and you're trying to break into a company, you'll talk to some of the older folks and you'll go to a gray hair guy like Steve or a balding guy like me and be like, "How'd you get in the industry? How'd they get into the industry 20, 30 years ago?" Completely different than how you're going to get in the industry today.
Back then, certifications were not as big of a deal. And we've gone through these peaks and valleys where certifications were a necessity, then certifications nobody cared, and then degrees were the necessity, and then nobody cared. And then we needed both, and then nobody cared. And now we're kind of going back towards certifications and away from degrees.
Missing the mark in addressing the hiring gap: training industry, colleges, employers (10:35)
And I say that as somebody who was a college professor for 10 years. I literally was at a board meeting yesterday for a college as we're developing their program, and we're trying to revamp their program so that it is more doing as opposed to just learning because employers are looking at these people coming out of college. They've got 10, 15 certifications. They've got a bachelor's degree, and they're still not valued at day one. And so we're missing the mark as an industry, as a training industry, as a college industry, and as a workplace industry that you all are trying to get jobs into. So there has to be this new conglomeration where everybody comes together in what is going to be required. And that's what AKYLADE has really been trying to do is trying to lead a lot of these conversations out here.
One of the things that I see with this is that a lot of people, we talk about the cybersecurity skills gap, and it's really not a skills gap. There are plenty of you out there who have the skills, but a hiring manager is never going to find you because you may not have the certification. You may not have the degree. You don't know somebody, and you're being lost in a sea of applicants because right now it is so easy for you to hit apply now on LinkedIn. And that apply now is being done by thousands of people for that same job.
Employers not letting new grads straight in the door with A+, Net+, Sec+ (11:25)
And so I'm seeing some people coming out of degree programs like Western Governors, which Western Governors is a good school. I have a lot of friends who went there. I think they do a great job. I've been talking to a lot of their students, and it's taken them three, four, five, six months to get their first job coming out of after having a bachelor's degree and their A+, Net+, Security+, CySA+, CEH. They've got all these certifications, and yet employers are still not letting them in the door. And that's why the approach AKYLADE has taken is we are getting the hiring managers involved from the beginning, having them help us decide what things we should be building for certifications, and that are going to meet the needs that they have.
And I'm sure we're going to have some more questions about how come you're not seeing AKYLADE on resumes yet and things like that, and we'll talk about that, I'm sure. So anyway, second question!
Just take the training or also write the exam? (12:20)
STEVE:
Regarding AKYLADE being aligned with hiring managers and teaching valuable skills to add value on day one, I think that has landed. I've had my courses out there since July, and everyone has been unanimously happy with the content and agreeing that it's a great textbook, it's a great curriculum, and it does help you add value.
But what I get the most questions about is why take that next step of writing the exam? So maybe you could just tell me, like if I'm a student, I'm saying, "Jason, I love everything about it, but I don't get why I should write the exam." What do you say?
Mastering Cyber Resilience Textbook
JASON:
Yeah, so that's a great question. And one of the things you just brought up in that question was the textbook. So the textbook is Mastering Cyber Resilience. That's for our CCRF and CCRP certifications. The first half of that book covers CCRF, which is the fundamental level, and that covers what is the cybersecurity framework. The second half is the practitioner is how do you actually apply this day to day in your job? And it's basically a step-by-step process. And it goes through the phases and the steps and all that kind of good stuff. Now, I know a lot of people who tell me that textbook has now become their daily on-the-ground reference. They have it in their desk drawer. They pull it out every day they're working.
STEVE:
When I'm writing policies, when I'm doing a risk assessment and I want to understand like what NIST CSF categories are here. G, R, and …C, compliance, right? I want a Rosetta Stone to align ISO 27k, SOC2, TISAX, the different alphabet soups. One hundred percent, it's a handbook.
JASON:
Yep. And I like that. The other thing is that we write it at a very low level. So when I write, I usually write for a 10th or 11th grade reading level. I don't need this to be a doctoral thesis because honestly that just complicates it for people to learn. So we want to make it easy to learn, easy to understand.
Unlike other cert companies, AKYLADE provides the option
Now, the question is why should they get the certification after going through the training? And this really is a personal question. I'm going to get yelled at, I'm sure, by my bosses, but the certification isn't necessarily needed for everybody, right? You may find enough value by going through the training and getting that piece of it. This is something that I disagree with a lot of certification companies on. There are many that now you can't even take the training unless you buy the voucher up front. They have a contractual requirement, and because of that, they've now had to remove courses from Udemy and LinkedIn and other platforms. And I think that's bad, right?
I think it's bad for a couple of reasons. One, it seems to me like a money grab at that point. If you want to learn the stuff we want to teach you, you've got to pay hundreds of dollars. Like one of the things I used to teach and I still teach is ITIL Foundation. It's a great thing of learning how to do IT service management, but unfortunately, you can't take my course unless you pay me $680 because I have to include the official textbook, the voucher, the official slides, plus my training material.
And the cost for me to give you that official content and voucher is like 90 percent of what I'm charging you. I'm making like 10 percent of that $670 or $680. And we didn't want that to happen with AKYLADE where price became a barrier for people to actually learn the material.
So I know I've kind of gone a long way around,
STEVE:
This is all really helpful.
What if an employer doesn't consider your degree good enough, because of the school it's from? (15:45)
JASON:
Why should you get certified? And really the difference is by getting certified, you're proving to an employer that you not only have taken a course, but you have learned the material and you can now do that job because you have been tested on that thing, right?
And really this goes back to having a discussion. In fact, I'm here with you locally in Toronto today because I'm on my way over to Eastern Europe to go meet with some governments over there. And I'm helping them with their programs and how they want to do things for their education in the cyber world. And one of the big challenges that they've been having is people are graduating from their colleges. But then when they're trying to get a job over in America, Canada, other places in Europe, they go, well, yeah, you got your degree from that school. We're not sure that's good enough because a degree from this college and a degree from that college, even though they're both a bachelor's of cyber security or a bachelor's of computer science, they don't mean the same thing.
I mean, you and I could have gone to the exact same college, gotten the same degree for over the same four years. But if we had different instructors, we're going to have a different level of experience.
And that's the difference between that versus a certification.
Why hiring managers and the government value certifications (16:15)
At the end of the day, the certification, everyone is taking the same test. You're all taking the same test that is statistically relevant. And it proves that you have this level of knowledge. That's why hiring managers still love certifications. That's why Security Plus is still asked for. That's why the U.S. Department of Defense requires it of all of their government workers, their military members and their contractors. Every position has it where it says you must have either CISSP or CEH or Security Plus based on the level of job you're in. And they see value in that. And they're spending hundreds of millions of dollars a year on these certification vouchers for this requirement. Right. And so obviously there's people who think this is valuable.
Now, specifically going back to AKYLADE, if you get your AKYLADE certification today and put it on your resume, it's going to show, you know, A, that you have taken the time and energy to go study, learn and get a new certification. So that's good. It shows hiring managers you're current.
B, it's going to put some key words on your resume that there aren't existing certifications for.
And I'm going to go back to CCRF and CCRP here for a moment. But those are tied to the NIST Cybersecurity Framework. So when you list on your resume, you know, certified CCRP, you know, here's my date. You should put a sentence. And I know, Steve, you give this to your students. I give it to all my students on the website as well. It's, you know, this certification covers blank, blank, blank and blank.
And some of those words in there are things like the NIST Cybersecurity Framework version 2.0. If you look right now on LinkedIn, how many jobs are asking for NIST Cybersecurity Framework 2.0? There are a ton of them.
But guess what? There's no certifications for NIST Cybersecurity Framework 2.0 except for AKYLADE’s right now. And that's one of the reasons why we started there is because that's what our advisory council made up of hiring managers and executives said. We need people.
The biggest skill we're missing is NIST Cybersecurity Framework. Nobody knows how to use it. Nobody knows how to implement this on a daily basis. So that's why we went out. We wrote the textbook. We collected the lessons learned from people in the field over the last decade of using this since 2015. We wrote the textbook of how they do it, how we use it. And that is now what people are implementing. So the long answer or the short answer to the long question is it proves you have a minimum level of competency in doing this thing.
In this case, that would be the cybersecurity framework. If you're doing risk management, it's the risk management framework as well as NIST 800-53.
If you're looking at our AI one, it's based on the NIST AI RMF, which is the artificial intelligence risk management framework. The foundations is out right now. Practitioner comes out early next year.
And there's another book coming out, Mastering AI Security for that one as well. And so everything we do, we kind of create this textbook and the certification around it.
Could you just take the courses? Yes. If you go to Steve's course, you're going to learn so much stuff and you're going to get so much value add. The question you have to ask yourself is, do I value getting the certification as well? I would tell you I think the answer is yes, because it shows you have a level of competence at what you've learned in Steve's course.
Because I was a college professor for 10 years. And I could tell you if I walk into a classroom with 50 students, 10 of them are probably listening to me. 40 of them are playing on their phones. But at the end of the day, they all got some letter grade based on how they did on some tests and things like that. But if they took Steve's class instead, they all may have gotten A's and in my class they may have gotten C's because I'm a harder instructor. You never know. But when you're doing a certification, everybody is level set to the same thing.
That's why in the US we use SATs and ACTs to admit people to college, because it gives us a baseline to know how they compare, even though they all came from different high schools. And that's really what I think about when I think about these certification exams.
AKYLADE cert pricing comparison to ISACA, ISC2, SANS, more (20:25)
STEVE:
I think there's some new dynamics that you unpacked that are helpful in this conversation. So one is, depending on where you went to school, if you have that issue, this is an opportunity to have a global certification that maybe gets a more favorable reception from a hiring manager in another country or another place or someone, depending on what you're working with, that can stand out. Two is you're giving people the option.
So if you see AKYLADE as joining the certification industrial complex and not helping with it, probably not going to change your mind, but you have the option.
JASON:
And I'll tell you, this is why my bosses will get mad at me, is we at AKYLADE only make money if you take the certification exam. If you buy Steve's course and take his course, he makes money, but I don't. But if you take his course and then take the voucher and take the exam, then I make some money off of it. And so I'm just being completely heartfelt here.
STEVE:
And very objective. That's just a fact, and I think you're laying it out. You put AKYLADE Certs beside ISACA, ISC2, SANS, and the rest. I have a blog post about this at CPA to Cybersecurity.
I think those facts speak for themselves, that you give people a choice speaks for itself. And I think it's fair to be cynical and be very-- a new cert company comes out adding to the 1,800 alphabet soup. But I think you're walking the talk when you describe elements like that.
Question: Why isn't AKYLADE a non-profit? (20:51)
JASON:
And I know somebody in your guys' community had brought up the fact that AKYLADE is not a non-profit. And I want to talk about that for one second. And the reason why we're not a non-profit is because, honestly, the paperwork involved and the cost involved in being a non-profit is very high. And unless we were going to take money from people as charitable donations, there was no reason to be a non-profit, to be quite honest. And even looking at somebody who is a "non-profit," I'm going to pull out CompTIA here. I'm sure you saw in the news, they got acquired recently by a private equity firm.
How does a non-profit get acquired for nine or ten figures? It was several hundred million to low billion-dollar valuation when they got sold. And yet they're a non-profit. And the reason is not all non-profits are created the same. When you hear CompTIA is a non-profit and ISC2 is a non-profit, they're what is called a non-profit organization. They are not a non-profit charity. And so they are allowed to make money, but they're only allowed to hold a certain amount of that on the books.
And so what happens is, let's say they make $200 million this year, which is probably not far off. They're allowed to pay their executives millions of dollars. They're allowed to pay their team members millions of dollars. They're allowed to spend that money on other things to buy other companies. And they have. They've brought in several for-profit companies like TestOut over the years and incorporated them into the larger CompTIA umbrella. And now that they've built it up so large, they ended up cutting off all the certifications and product side and selling it to private equity.
And then they've kept the non-profit arm, which is doing the advocacy work and things like that. So they've actually split it into a for-profit arm and a non-profit arm. And so for us, as AKYLADE, being a small company getting started, we didn't want to have to deal with the headaches and the regulation of having to be a non-profit.
And we want to be able to run the business how we needed to, to make it sustainable, so that we can be in alignment with what our AdCo wants, our Advisory Council, which is hiring managers and executives. Not what shareholders want. Not what non-profit government regulations want.
And so that was the reason for it. It wasn't because we're a super profitable company making lots of money. That wasn't the intention. It was honestly just the way of running this business in a way that makes sense and gives us the most power and control to go where we need to without having to answer to other people.
STEVE:
Well, I'm literally an accountant, okay? And it makes sense to me that you need a sustainable business to be solving this problem. And looking at a non-profit doesn't mean that there isn't profit being made or some of the problems with the certification industrial complex happening. And it's so great to get more detail unpacked on your objectives and your tactics and the problems you're solving and how you're doing it. And I think that should speak for itself and the people can decide. And just like the cybersecurity framework, it's not one size fits all.
What do you think of this PE money meme, and the implications of CompTIA's acquisition to price and quality? (24:50)
STEVE:
You talked about Private Equity. You’ve seen this meme, eh? What do you think of it?
JASON:
So this is something that's been happening in our industry a lot. So private equity, good or bad, private equity exists. In fact, my last company, Dion Training, I sold to a private equity firm. Not all private equity firms are bad, but there are a lot of bad private equity firms, right? And you just got to realize that private equity, their job is to make money. And so I am a little scared for what the future of companies –
STEVE:
To make money in a timeline aligned in their investment thesis, right?
JASON:
Right. Yeah. So a lot of them have very short investment theses. Like I know some companies, their goal is they're going to buy a company, and within five years, they need to double the valuation of that company, and then they sell it off to a bigger player. I don't know the company that bought CompTIA. I think they're more of a buy and hold private equity firm, but they are going to be very focused on extracting as much value as they can. And so when it comes down to that, what is that going to look like to students? I don't think they're going to invest a lot in the product as far as making it better. I think what they're going to be doing is doing more certifications because they believe more product lines will give them more money.
I think you're going to see higher prices. Traditionally, CompTIA, since 1992, has raised their prices 3% per year every year because that's a cost of living increase, so they can pay their staff.
STEVE:
It was more last year: $350 to 404? I need a spreadsheet!
JASON:
That's right. Security+ went up a little bit more because they moved Security+ into the tier that they had for CySA and Pentest. That's why Security+ went higher. But everything else has gone up 3%. But the CySA and Pentest went up 3%, and then they brought Security+ up into that level.
STEVE:
Moved bands. Interesting.
JASON:
There you go. So they're giving up one to say, "Oh, this is now part of the intermediate level certifications," so they can make a little bit more money off it. But I wouldn't be surprised if we see this year a 5% or 10% increase. I haven't gotten the numbers yet. I am a CompTIA official partner. In fact, Dion Training, my old company, we are the number one CompTIA seller in the world. So it's not that I don't like CompTIA. I sell a lot of CompTIA, and they have a really good place. But I am a little fearful of what it's going to mean for them in 3 years, 5 years, 10 years down the road.
Will they still be the powerhouse they are today, or are they going to oversaturate the market with a bunch of certifications that nobody cares about? Are they going to raise their prices so high that it makes it harder for new people to come into the marketplace?
You know, another certification I teach is ITIL, which is ITIL. And I've been teaching that since 2016. Back when I started teaching it, it was $165 for that exam voucher at retail. Today, if you go to PeopleCert's website, it is $680 at retail. It has gone up 417% over 6 years. That's insane to me. And that is for a certification that helps people qualify to be a help desk technician, running a service desk, being a service desk manager, etc., that generally pays $40,000 to $70,000 a year. And now you're having to pay $700 to take a test to just get your foot in the door. That is crazy.
STEVE:
It doesn't sound insane to me, because it's what the market will bear, but it doesn't sound.
JASON:
Because when they've raised the price, the number of people taking it have dropped and dropped and dropped.
STEVE:
Oh, interesting!
US vs Europe cert price elasticity (28:15)
JASON:
And the reason is that they have a worldwide market. Now, in the U.S. it has dropped, but overseas it hasn't. And the reason is, if you're listening to us and you're over in Europe, you can attest to the fact that when you get hired at a company in Europe, they hire you based on personality, capability, and your past experience.
But if you don't have a certification, that's okay. They'll send you and get your certification. So generally, it's the company paying to get you certified as ITIL if you're in Europe. Here in America, we won't hire you until you have your certifications. And so we put that cost on you, the candidate. And so that's why price sensitivity doesn't exist as much in Europe when it comes down to that, because the company is paying for it, not the individual. Here in America, it's the individual. So as the price goes up, the number of people taking it goes down.
Now, overall, their profit has gone roughly the same, or maybe it's gone up a little bit. But the number of candidates taking that and getting certified is going down.
And that's one of the things that we at AKYLADE have been trying to avoid, is we don't want to have prices super high where it affects the ability of people to be able to actually take these certifications and get the skills they need and prove they have those skills.
Question: Why is AKYLADE raising prices in 2025? (29:17)
JASON:
Since we were talking prices, I'm going to be up front. AKYLADE is changing the prices January 1st. I know those are on your list you want to talk about.
STEVE:
Yes, what the heck, man?! (sarcastic)
JASON:
So in the first two years, we had our prices as low as we could. And at that time, it was $125 for foundation levels and $200 for practitioner levels. Part of the reason why we're having to raise the prices is to get us to a sustainable place where AKYLADE can exist for years in the future. Right. Because these exams aren't cheap to make. Right. It requires us to go through an ISO process called the ISO 17024, which requires about $20,000 per certification just to get the auditors to come look at your certification and say you're OK.
STEVE:
Really?
JASON:
Yes. It's a very expensive process. But we need that process because once we get that, then we get added to lists like the DoD 8140. We've already gotten some governments overseas that have now approved our certifications under their government programs for reimbursement. We want to do the same thing under the U.S. government side. And to do that, we need the ISO accreditation to go through. We've already applied. We're just waiting for the auditors to come back. But again, that's a very time consuming and very expensive process.
In addition to that, we have been rolling out new certifications over the last two years, and we have several new ones coming up for next year that we're planning on doing that are very hands on and very innovative.
For example, right now, we have just finished the job task analysis for the new AKYLADE NMAP Security Specialist certification. And this certification is a completely hands on certification. Think about it like OSCP. You're going to sit down at the computer and you're going to do these actions and show that you can do scans. You can find vulnerabilities. You can attack those vulnerabilities, all those things using the NMAP tool and the NMAP scripting language.
There is no other certification out there for the skill set. This is a highly available skill that people need as a pen tester or a cybersecurity analyst working in a SOC. And so that was one of the reasons why we started doing this. And we reached out to NMAP and we got permission to use their name and their tools as part of the certification under this partnership that we're doing.
STEVE:
So just like AKYLADE’s approach with CSF: in Security+, CISSP, or similar training I'll see a screenshot of, well, you know, I heard about the cybersecurity framework. Here, it's like, well, I've seen NMAP, right? I've seen a little demo of it, but a certification in it and a hands on test in it? That's really cool.
JASON:
Exactly right. But to build that, we have to build an entire new training system because none of the existing certification providers out there, including Pearson VUE, have the ability to do this type of a hands-on training and do it in a live proctored environment, which is what's required by ISO. So that is a very time consuming process. It's a very expensive process. We have spent about a million dollars developing the technology we need to support these certifications moving forward to be able to do these hands-on certifications.
And so, you know, the long answer to this is the reason we had to increase prices and the new prices are $200 for the foundation, $300 for the practitioner, is to support the development costs and the running of these exams, because when we go into a practical exam, that's not just ABCD and it's actually hands on. We have compute time and every student who goes through, if it takes you two hours to do the exam, that costs us 20 or 30 dollars just in compute time to support the environment, because we've got a bunch of virtual machines being spun up that you're attacking and defending against.
And so as we're doing that, we're working on a SOC analyst one, working on an Incident Response one, we're looking at a pen testing one, we're looking at a web application vulnerability tester one. And if you think about OSCP, that's the level we're going towards.
DoD 8140 list and implications to students (32:40)
The difference is we are going through and getting ISO certified so that we will be recognized by the US Department of Defense. So we are recognized by the Department of Veterans Affairs for reimbursement. So if you're a military person or working in or around the military, which in the US is still about 60 to 70 percent of cybersecurity jobs are tied to the US government. That's why we had to go through these processes.
And like I said, it's expensive. So we had to bring some of that cost down to our end user. And we're now getting to be a little more established. And so we believe that being at that $200, $300 level makes sense. And then our intention is that moving forward, you will only see cost of living increases each year of around 3 percent. The way CompTIA has historically done it, we think that's a reasonable model because the people who work at our team, they would like to get paid as well. And our developers, every year, they're going to expect a 3 percent cost of living increase so they can still buy milk and eggs and bread and feed their family. And so we bake that into our prices.
STEVE:
Again, this transparency is awesome. I think it's very easy as an outsider to come in and say, "Oh, a new cert, cash grab" and be cynical.
But with AKYLADE you said on day one, affordability is a key value. And you're talking about the problems you're solving of helping people get jobs, and add value on day one, with accredited training. There's cost with that, and more hands-on training and there's cost with that too. I can see that you're investing in solving this problem.
And I was already inspired to join the cause early on. But I think we're getting more context and details on how you're advancing that mission. And it's very helpful. And so there are the facts and you decide.
JASON:
And to your point, it's not a cash grab. I mean if it was a cash grab, we would be going to $300, $500, $1,000 like OSCP now is $1,600, right? CEH is $1,200. CISSP is $700, $800. Security+ is $404 going up probably to $450 next year. We don't want to get to that level of price. We want to keep it low. We want to keep it attainable. We don't want price to be the barrier.
And so we have been trying to keep our prices as low as we can while still being able to operate the business and make it successful for the long term.
Bottom Line
JASON:
Yeah, just, you know, if you guys have any thoughts on this, please engage with us. Let us know. You can always reach me, [email protected]. I'd love to hear your thoughts on it. Like I said, I'm a very transparent person in what we're doing. I believe in what we're doing. Otherwise, I would just be, you know, sitting on the beach enjoying life instead of working 80 hours a week trying to make this happen and really make a difference in our industry. It's something that I truly believe needs to happen for us to be able to close the cybersecurity hiring gap. It's not a skills gap. It's a hiring gap.
And we can start getting hiring managers to start seeing that there are qualified people that can do the work if they're only given a chance. And we can do that by having a bar that people have to meet with certain skills and be able to reach that bar. Then hiring managers can be able to select those people, which is really what certifications were designed to do in the first place. But they've now just become this general knowledge area that's really bringing down the industry. So we're trying to change that.
And if you'd like to help us change that, we would love to hear from you. If you are somebody who is an expert in the field, you've got, you know, 5, 10, 15 years of experience and you want to reach out to us. I'm always looking for more people for our Advisory Council. We're looking for good hiring managers, good executives, and people who can help us shape what you all need out there and build the certifications that will meet your needs so we can help fill this hiring gap.
STEVE:
Awesome, dude. Thanks very much, and everyone stay secure!