Careers & People
1/26/2016
10:00 AM
Why Cybersecurity Certifications Matter -- Or Not

Job candidates with a certification make more money, but there's more to the equation for cybersecurity professionals.

Cybersecurity certification qualifications are becoming the norm in many job descriptions today as organizations seek quantifiable ways of measuring prospective employees’ expertise. But certification alone should not be the yardstick in determining how well a potential candidate will fit into an organization. At the end of the day, experience as well as certification should be the criteria for hiring most security professionals, experts say.

Security certifications cover a range of disciplines and emerging security trends, from cloud computing to secure software coding to overall security management. So security professionals should have a grasp on where they want to take their careers as they try to determine what credentials are right for them.

Philip Casesa, director of product development and portfolio management with (ISC)², says certification validates that a security professional has a specific set of skills and capabilities. For human resources managers, certification provides a screening mechanism to match potential candidates with the skills, knowledge, and experience an organization is looking for in a security professional, he says.

Certification can also mean more dollars for a security professional. According to The 2015 (ISC)² Global Information Security Workforce Study, security professionals with certifications generally are paid $25,000 more than professionals who did not have certifications.

“Collectively, the average annual salary among the security professionals surveyed was $97,778. Differences between (ISC)² members and other security practitioners exist. Non-member security practitioners reported an average annual salary of $76,363. The salaries among security professionals with an (ISC)² membership averaged $103,117 annually, a 35% premium over non-members,” according to the survey of 14,000 security practitioners globally.

The study didn’t drill down on the benefits of a specific certification over another, Casesa says. “Talking about what makes one certification more valuable than another really gets into what you want as a professional or what an organization is looking for,” he says.

Companies such as Cisco, Microsoft, and Oracle, for example, offer certifications specific to their products, to help ensure that professionals are qualified to install and maintain the products. And while those certifications are limited to specific products, that may be enough for an employer who wants those specific skills.

(ISC)² provides vendor-neutral certifications that focus on principles, knowledge, and capabilities associated with information security, Casesa says. (ISC)² provides two key certifications:  the Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP) for information security professionals, as well as certification in areas such as information security, system security, authorization, software development, digital forensics, and healthcare.

Other certification organizations include ISACA, which defines the roles of information systems governance, security, and auditing for information assurance professionals worldwide; the Cloud Security Alliance, which partners with (ISC)² on cloud computing certification; the EC-Council, which offers an ethical hacking credential; and the SANS Institute, which offers testing and validation for secure software coding and penetration testing.

All of the various security certifications are compatible, but cover different security aspects and expertise. “Depending on what role you are looking for and where you want to take your career will determine what credentials are right for you,” Casesa says.

Certification a double-edged sword?

But certification alone isn't the answer. What about professionals who pass the tests and earn the certs but still don't have the experience and qualifications to handle today’s security threats?

“Certification is a good thing. There’s nothing wrong with having certification,” says Muneer Baig, president and CEO of security consultancy SYSUSA. Baig, who holds at least ten certifications, says that having certification as the only benchmark to validate a professional’s skills and knowledge, which seems to be a common occurrence these days given the computer talent shortage, is just wrong.

Anyone with a good memory and who is a good absorber of text will be able to pass the CISSP exam because it covers what is in the CISSP book and study materials, Baig says. Even so, it's not an easy exam: it takes at least six hours and includes 250 questions. 

“You are asked the same questions but in different ways to make sure you know what you are talking about. Having knowledge of the industry helps significantly,” but a good reader stands a good chance of passing the exam, he notes.

Baig says he has come across people without certifications who have experience and are more knowledgeable about security than some people who are certified. So to measure how well a person might perform on the job, you need a combination of certification and a person’s validated qualifications, Baig says. "Any other way is a risk," he says.

“I don’t have a CISSP, but I have an undergrad and Masters [degree] in computer security and a graduate certificate in computer security,” says Adam Vincent, CEO of ThreatConnect, a developer of enterprise intelligence solutions. “However, I have a strong academic foundation and I did the job of a CISSP for eight to 10 years, so I have the experience on the job of running security programs.”

Vincent says he would have learned some new things going through the CISSP program. The goal is to look at certification as a person’s academic foundation, which says that they can learn, memorize, and hopefully, remember most of what they learned when they come into your company. “But at the end of the day you have to look at what they have done and are capable of based on their experience,” Vincent says.

Casesa says aside from the test element to certification exams, security professionals have to demonstrate auditable experience in the areas they are being tested in. For instance, in the case of CISSP, they need five years of paid full-time work experience in two of the eight domains of the CISSP Common Body of Knowledge (CBK), which covers critical topics in security including risk management, cloud computing, mobile security, application development security, and more.

Moreover, in order to maintain their certification, professionals have to continue education and work in the security profession or the certification can be revoked, Casesa says.

“We consider certification really a lifetime commitment,” he says. Certification says “you have made a commitment to your industry, your profession, and your career, and it will endure as long as the letters [certification acronyms] are on the other side of your name.”

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government.

Comments
khurt
User Rank: Strategist
2/27/2016 | 11:04:09 AM
Re: Show Me the Flag, Not the Paper
When you need a lawyer or accountant, do you make sure to check if they have any relevant degrees or passed a certification exam of some sort?
khurt
User Rank: Strategist
2/27/2016 | 10:59:13 AM
Re: Show Me the Flag, Not the Paper
Why do you assume information security is all about technology? When you are designing an information security architecture, and designing systems to meet government and contractual compliance obligations, will pen testing skills be the ONE and ONLY skill required?

But then again, I see the title of this article is cyber-security, not information security. You want a pen tester? Look for a SANS GIAC or OSCP cert. You need someone who can walk into a board room and not GEEK out on the business people -- you know, the ones who are more concerned with profit centers instead of cost centers -- then you need someone like a CISSP or CISM etc. who can bridge the gap.

The CISSP or CISM doesn't need to show you her pen testing toolkit because it's irrelevant to what they are good at doing.
Joe Stanganelli
User Rank: Ninja
1/31/2016 | 11:00:32 AM
Re: Show Me the Flag, Not the Paper
Preach, Brother Christian!  So too with college degrees.  I'd like to see the higher education bubble burst -- especially with the options for free and effective education online these days (edX comes to mind).
Joe Stanganelli
User Rank: Ninja
1/31/2016 | 10:57:31 AM
Bah.
Certifications are very hot -- especially the CISSP -- so if they help you get a new job and/or a higher paycheck, salud.

But I would caution professionals to stick to the certifications they really need -- the ones that will actually help their careers in terms of money and/or knowledge.  Considering the ongoing costs of certifications (whether that takes the form of continuing education, fees, dues, etc.), and further considering how easy it is to just invent your own certification and start your own certification company, many aren't worth the paper they're printed on.
ArisD224
User Rank: Apprentice
1/29/2016 | 7:00:37 PM
Re: Show Me the Flag, Not the Paper
Christian

You are so Right.

The paper trail is littered with lots of time spent and money spent. If one has good study skills and a good memory, one can pass any written exam. I've met experienced Cisco network engineers who don't hold a cert at all, who can do BGP, VPN, and MPLS alongside coveted CCIEs. Seen it at a huge government agency. I'm not devaluing certs, but I think too much is put on the paper alone.
ryasin
User Rank: Author
1/27/2016 | 9:41:26 AM
Re: Show Me the Flag, Not the Paper
A very insightful post, Christian.  When you get a chance can you contact me at [email protected]? I'd be interested in hearing more of your insights on cybersecurity careers, training, testing, etc.
Christian Bryant
User Rank: Ninja
1/26/2016 | 3:49:06 PM
Show Me the Flag, Not the Paper
I have a stake in this because for the entirety of my career I have had to fight an uphill battle.  When I got my first technical job I had already dropped out of college, but I could demonstrate what I knew quickly and (if I might say so myself) impressively.  For a young software geek, that was my lightbulb moment.  Moving forward, I had a strategy for every role I pursued.  If I knew the material, I blew away the oral interview and made sure I got in front of a terminal at some point to show I could walk the walk I just talked.  If I didn't know the material, I researched, got hands-on experience, and then repeated the process of solid interview, solid demo.  I've stopped trying to return to school and never felt compelled to do the certificate thing because I want to do what I know how to do, whether I know it because it's my core toolset or I just learned it because it interested me.

Now, when it comes to cyber security, I am all the more adamant about one thing:  Show me.  Period.  I can read, too, and I have all the books, papers and software that matters - but it doesn't matter if you can't capture the flag.  If I were hiring pen testers or intrusion analysis engineers, even core infrastructure architects, I'd have a gauntlet ready for candidates to run and show results from.  Pen testing candidate?  Bring your toolset, whatever it is, and show me how you capture the flag on at least three OS (Windows, Linux, OpenVMS, for example).  Intrusion analyst?  Again, bring your toolset of choice and look at two networked environments I've set up and show me all activity relevant to an active hack being performed by a skilled cyber security professional.

Like education, certification is an industry.  Whether that is good or bad, I don't have the credentials to determine, but I do know that intelligence comes in all colors and sizes and in the end, it comes down to what you can do, whether you can do it repeatedly and do it with skill over time without losing momentum, and in fact improving in your skillset over time.  Show me.  Not a piece of paper (or PDF), but the flag I sent you to capture.