Cybersecurity certification qualifications are becoming the norm in many job descriptions today as organizations seek quantifiable ways of measuring prospective employees’ expertise. But certification alone should not be the yardstick in determining how well a potential candidate will fit into an organization. At the end of the day, experience as well as certification should be the criteria for hiring most security professionals, experts say.
Security certifications cover a range of disciplines and emerging security trends, from cloud computing to secure software coding to overall security management. So security professionals should have a grasp on where they want to take their careers as they try to determine what credentials are right for them.
Philip Casesa, director of product development and portfolio management with (ISC)², says certification validates that a security professional has a specific set of skills and capabilities. For human resources managers, certification provides a screening mechanism to match potential candidates with the skills, knowledge, and experience an organization is looking for in a security professional, he says.
Certification can also mean more dollars for a security professional. According to The 2015 (ISC)² Global Information Security Workforce Study, security professionals with certifications generally are paid $25,000 more than professionals who did not have certifications.
“Collectively, the average annual salary among the security professionals surveyed was $97,778. Differences between (ISC)² members and other security practitioners exist. Non-member security practitioners reported an average annual salary of $76,363. The salaries among security professionals with an (ISC)² membership averaged $103,117 annually, a 35% premium over non-members,” according to the survey of 14,000 security practitioners globally.
The study didn’t drill down on the benefits of a specific certification over another, Casesa says. “Talking about what makes one certification more valuable than another really gets into what you want as a professional or what an organization is looking for,” he says.
Companies such as Cisco, Microsoft, and Oracle, for example, offer certifications specific to their products, to help ensure that professionals are qualified to install and maintain the products. And while those certifications are limited to specific products, that may be enough for an employer who wants those specific skills.
(ISC)² provides vendor-neutral certifications that focus on principles, knowledge, and capabilities associated with information security, Casesa says. (ISC)² provides two key certifications: the Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP) for information security professionals, as well as certification in areas such as information security, system security, authorization, software development, digital forensics, and healthcare.
Other certification organizations include ISACA, which defines the roles of information systems governance, security, and auditing for information assurance professionals worldwide; the Cloud Security Alliance, which partners with (ISC)² on cloud computing certification; the EC-Council, which offers an ethical hacking credential; and the SANS Institute, which offers testing and validation for secure software coding and penetration testing.
All of the various security certifications are compatible, but cover different security aspects and expertise. “Depending on what role you are looking for and where you want to take your career will determine what credentials are right for you,” Casesa says.
Certification a double-edged sword?
But certification alone isn't the answer. What about professionals who pass the tests and earn the certs but still don't have the experience and qualifications to handle today’s security threats?
“Certification is a good thing. There’s nothing wrong with having certification,” says Muneer Baig, president and CEO of security consultancy SYSUSA. Baig, who holds at least ten certifications, says that having certification as the only benchmark to validate a professional’s skills and knowledge, which seems to be a common occurrence these days given the computer talent shortage, is just wrong.
Anyone with a good memory who absorbs text well will be able to pass the CISSP exam because it covers what is in the CISSP book and study materials, Baig says. Even so, it’s not an easy exam: it takes at least six hours and includes 250 questions.
“You are asked the same questions but in different ways to make sure you know what you are talking about. Having knowledge of the industry helps significantly,” but a good reader stands a good chance of passing the exam, he notes.
Baig says he has come across people without certifications who have experience and are more knowledgeable about security than some people who are certified. So to measure how well a person might perform on the job, you need a combination of certification and a person’s validated qualifications, Baig says. “Any other way is a risk,” he says.
“I don’t have a CISSP, but I have an undergrad and Master’s [degree] in computer security and a graduate certificate in computer security,” says Adam Vincent, CEO of ThreatConnect, a developer of enterprise intelligence solutions. “However, I have a strong academic foundation and I did the job of a CISSP for eight to 10 years, so I have the experience on the job of running security programs.”
Vincent says he would have learned some new things going through the CISSP program. The goal is to look at certification as a person’s academic foundation, which says that they can learn, memorize, and hopefully, remember most of what they learned when they come into your company. “But at the end of the day you have to look at what they have done and are capable of based on their experience,” Vincent says.
Casesa says that, aside from the test element of certification exams, security professionals have to demonstrate auditable experience in the areas they are being tested in. For instance, in the case of CISSP, they need five years of paid full-time work experience in two of the eight domains of the CISSP Common Body of Knowledge (CBK), which covers critical topics in security including risk management, cloud computing, mobile security, application development security, and more.
Moreover, in order to maintain their certification, professionals have to continue their education and work in the security profession, or the certification can be revoked, Casesa says.
“We consider certification really a lifetime commitment,” he says. Certification says “you have made a commitment to your industry, your profession, and your career, and it will endure as long as the letters [certification acronyms] are on the other side of your name.”