As hundreds of security pros who bear the CISSP certification gather for their annual meeting here this week, many critics in the security industry are questioning the value of broad professional testing, certification, and credentialing. But virtually everyone agrees: Those letters after your name are still a key differentiator in most hiring environments, and even more specialized certifications are likely to gain attention in the months and years ahead.
While general information security certifications, such as (ISC)2's CISSP and ISACA's CISM, continue to hold sway over many human resources departments, some security professionals -- and even some of the organizations that provide these certifications -- say the value of these broader certs is diminishing.
"What the hirers in the industry really need is a way to find people who know what they're doing," says Alan Paller, director of research at the SANS Institute, which sponsors the GIAC series of professional IT security testing and certification offerings. "Although the numbers of people who have broader certifications are bigger than ever before, my sense is that interest in them has fallen off. There's a sense that whatever security people have been doing at the professional level, it isn't working."
Others who have studied the impact of certification agreed. Just last month at the Black Hat conference, security recruiting and training experts Lee Kushman and Mike Murray outlined the results of a study that indicates the real value of certification could be less than many security professionals think.
"Certification is something that has been perpetuated by the fact that everyone thinks everyone else is doing it," says Murray, founder of MAD Security, which offers career coaching services. "People feel they need to get certified in order to keep up with others -- if that feeling didn't exist, then certification would almost disappear as a requirement."
Still, more than 80 percent of those surveyed by Murray and Kushman said they believe the time and money they spent on certification is a good use of resources, and more than half of respondents said they believe they are entitled to earn more money because they are certified. During the years, studies have consistently shown a positive correlation between certification and salary, as well as hiring.
That correlation is perhaps the single biggest reason why (ISC)2's membership has skyrocketed to more than 80,000 during the past few years, eclipsing all other security professional groups. Here at the group's annual meeting, there is a belief that the CISSP certification continues to be valuable in the marketplace, but there also is realism about how far the certification goes.
"A lot of the criticism [of the CISSP] comes from people who aren't very familiar with it," says W. Hord Tipton, executive director of (ISC)2. "For some people, there's a perception that we issue a Superman cape with every CISSP, and that just isn't the case.
"A CISSP can't make water run uphill, and we have never maintained that it's the only certification that security professionals need," Tipton states. "We have seven different certification programs ourselves, and there are probably 25 other certifications out there that we have respect for as well."
The CISSP is just one point of differentiation that helps hiring organizations to sort out the right candidates for a security job, Tipton emphasizes. "With so many jobs and so many applicants, a CISSP is a starting point to help sort them out," he says. "There are many other credentials you can build on top of it to show the depth of your knowledge or the career path you are trying to take."
Like most others in the industry, Tipton believes that certification -- which already is a jumble of acronyms and titles that has become difficult to sort -- is headed for more specialization and more focused testing.
"Five or 10 years ago, CISOs may have only recognized the most popular certifications, and that's why certain programs stood out," Tipton states. "Today there's a much broader recognition of very specific types of certifications -- they have a pretty good knowledge of what they want, and they are more focused in what they look for when they do their hiring."
Some shorter, more focused technical certifications -- such as the CCSK, which offers a program on cloud security -- might be useful in helping security professionals define their skills and provide credentials to potential employers, says Rich Mogull, founder of Securosis, a security consultancy.
"More education is a good thing," Mogull says. "The smaller certs may be interesting to employers who need specific skills, and they do help provide a filter for the interview process."
But employers and security professionals should be wary of treating any of today's certifications as a license to practice, as they might be used in the medical profession, Mogull warns. "There are lots of jobs out there where you don't need a certification," he notes. "There's no certification to be a CEO. A CPA might be helpful to a financial executive, but you don't need one to be a CFO. A security cert is helpful in filtering resumes, but it doesn't really guarantee that you can do a particular job."
Some proponents of security certification have compared it to a medical certification. But Mogull, who has been certified as both an emergency medical technician and as a paramedic, says there's no comparison.
"First, the certification required to be an EMT or a paramedic is way more extensive," Mogull says. "Second, the range of tasks that might be required of a security professional is so wide that it's really difficult to define. There's no way that security certification will ever reach that level."
So what will security certification look like in the coming decade? Most experts agree that it will become more specialized and that the number of certifications -- both the meaningful, ongoing kind and the quick-and-dirty certificates you can get with a week's instruction -- will likely proliferate. And it likely will be even more difficult for hiring firms -- and security professionals -- to sort out which certifications are worth earning and maintaining.
Paller holds out some hope for the National Board of Information Security Examiners (NBISE), which has been looking to help validate some of the security testing and certification practices and offer guidance on how security professionals and certification organizations should work together.
"What we need is something like the National Board of Medical Examiners that can establish metrics by which security education and certification programs are measured," Paller says.
When it comes to hiring, Kushman, who is a top recruiter in the security industry, says the industry should rely more heavily on a complex skills matrix in which education and certification are only one element.
"There are so many other things that need to be considered when hiring a security professional, such as their experience, their reputation and linkages with other professionals, their integrity and personal character," Kushman says. "Certification has a place in that matrix, but not one of those elements should be the single determiner of who should get hired."
On a broader level, Tipton says organizations such as (ISC)2 and others have a responsibility to reach beyond the relatively small community of security professionals and help educate young people and everyday computer users about online security.
"We have to start working together, whether it's professional organizations such as ISACA and CompTIA, or just individuals who know and understand the issues," Tipton says. "We need to get into academia, into our schools, and make young people aware of the dangers and the ethics associated with online behavior while they're still young. That's where we can make a difference."
Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.