Security Certification: Change Is On Horizon, But Hiring Is Still The End Game

While some security pros grouse, well-known certifications still rule in hiring circles

ORLANDO, FLA. -- (ISC)2 Security Congress 2011 -- Do you need a lot of letters after your name in order to be a successful IT security professional? Nope, but those letters do make a difference in the hiring process -- and that process isn't likely to change anytime soon, experts say.

As hundreds of security pros who bear the CISSP certification gather for their annual meeting here this week, many critics in the security industry are questioning the value of broad professional testing, certification, and credentialing. But virtually everyone agrees: Those letters after your name are still a key differentiator in most hiring environments, and even more specialized certifications are likely to gain attention in the months and years ahead.

While general information security certifications, such as (ISC)2's CISSP and ISACA's CISM, continue to hold sway over many human resources departments, some security professionals -- and even some of the organizations that provide these certifications -- say the value of these broader certs is diminishing.

"What the hirers in the industry really need is a way to find people who know what they're doing," says Alan Paller, director of research at the SANS Institute, which sponsors the GIAC series of professional IT security testing and certification offerings. "Although the numbers of people who have broader certifications are bigger than ever before, my sense is that interest in them has fallen off. There's a sense that whatever security people have been doing at the professional level, it isn't working."

Others who have studied the impact of certification agreed. Just last month at the Black Hat conference, security recruiting and training experts Lee Kushman and Mike Murray outlined the results of a study that indicates the real value of certification could be less than many security professionals think.

"Certification is something that has been perpetuated by the fact that everyone thinks everyone else is doing it," says Murray, founder of MAD Security, which offers career coaching services. "People feel they need to get certified in order to keep up with others -- if that feeling didn't exist, then certification would almost disappear as a requirement."

Still, more than 80 percent of those surveyed by Murray and Kushman said they believe the time and money they spent on certification was a good use of resources, and more than half of respondents said they believe they are entitled to earn more because they are certified. Over the years, studies have consistently shown a positive correlation between certification and both salary and hiring.

That correlation is perhaps the single biggest reason why (ISC)2's membership has skyrocketed to more than 80,000 during the past few years, eclipsing all other security professional groups. Here at the group's annual meeting, there is a belief that the CISSP certification continues to be valuable in the marketplace, but there also is realism about how far the certification goes.

"A lot of the criticism [of the CISSP] comes from people who aren't very familiar with it," says W. Hord Tipton, executive director of (ISC)2. "For some people, there's a perception that we issue a Superman cape with every CISSP, and that just isn't the case.

"A CISSP can't make water run uphill, and we have never maintained that it's the only certification that security professionals need," Tipton states. "We have seven different certification programs ourselves, and there are probably 25 other certifications out there that we have respect for as well."

The CISSP is just one point of differentiation that helps hiring organizations to sort out the right candidates for a security job, Tipton emphasizes. "With so many jobs and so many applicants, a CISSP is a starting point to help sort them out," he says. "There are many other credentials you can build on top of it to show the depth of your knowledge or the career path you are trying to take."

Like most others in the industry, Tipton believes that certification -- which already is a jumble of acronyms and titles that has become difficult to sort -- is headed for more specialization and more focused testing.

"Five or 10 years ago, CISOs may have only recognized the most popular certifications, and that's why certain programs stood out," Tipton states. "Today there's a much broader recognition of very specific types of certifications -- they have a pretty good knowledge of what they want, and they are more focused in what they look for when they do their hiring."

Some shorter, more focused technical certifications -- such as the Cloud Security Alliance's CCSK, which covers cloud security -- might be useful in helping security professionals define their skills and present credentials to potential employers, says Rich Mogull, founder of Securosis, a security consultancy.

"More education is a good thing," Mogull says. "The smaller certs may be interesting to employers who need specific skills, and they do help provide a filter for the interview process."

But employers and security professionals should be wary of treating any of today's certifications as a license to practice, the way a license works in the medical profession, Mogull warns. "There are lots of jobs out there where you don't need a certification," he notes. "There's no certification to be a CEO. A CPA might be helpful to a financial executive, but you don't need one to be a CFO. A security cert is helpful in filtering resumes, but it doesn't really guarantee that you can do a particular job."

Some proponents of security certification have compared it to a medical certification. But Mogull, who has been certified as both an emergency medical technician and as a paramedic, says there's no comparison.

"First, the certification required to be an EMT or a paramedic is way more extensive," Mogull says. "Second, the range of tasks that might be required of a security professional is so wide that it's really difficult to define. There's no way that security certification will ever reach that level."

So what will security certification look like in the coming decade? Most experts agree that it will become more specialized and that the number of certifications -- both the meaningful, ongoing kind and the quick-and-dirty certificates you can get with a week's instruction -- will likely proliferate. And it likely will be even more difficult for hiring firms -- and security professionals -- to sort out which certifications are worth earning and maintaining.

Paller holds out some hope for the National Board of Information Security Examiners (NBISE), which has been looking to help validate some of the security testing and certification practices and offer guidance on how security professionals and certification organizations should work together.

"What we need is something like the National Board of Medical Examiners that can establish metrics by which security education and certification programs are measured," Paller says.

When it comes to hiring, Kushman, who is a top recruiter in the security industry, says the industry should rely more heavily on a complex skills matrix in which education and certification are only one element.

"There are so many other things that need to be considered when hiring a security professional, such as their experience, their reputation and linkages with other professionals, their integrity and personal character," Kushman says. "Certification has a place in that matrix, but not one of those elements should be the single determiner of who should get hired."

On a broader level, Tipton says organizations such as (ISC)2 and others have a responsibility to reach beyond the relatively small community of security professionals and help educate young people and everyday computer users about online security.

"We have to start working together, whether it's professional organizations such as ISACA and CompTIA, or just individuals who know and understand the issues," Tipton says. "We need to get into academia, into our schools, and make young people aware of the dangers and the ethics associated with online behavior while they're still young. That's where we can make a difference."

Tim Wilson is Editor in Chief and co-founder of Dark Reading, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
