
Security Certification: Change Is On Horizon, But Hiring Is Still The End Game

While some security pros grouse, well-known certifications still rule in hiring circles

ORLANDO, FLA. -- (ISC)2 Security Congress 2011 -- Do you need a lot of letters after your name in order to be a successful IT security professional? Nope, but those letters do make a difference in the hiring process -- and that process isn't likely to change anytime soon, experts say.

As hundreds of security pros who bear the CISSP certification gather for their annual meeting here this week, many critics in the security industry are questioning the value of broad professional testing, certification, and credentialing. But virtually everyone agrees: Those letters after your name are still a key differentiator in most hiring environments, and even more specialized certifications are likely to gain attention in the months and years ahead.

While general information security certifications, such as (ISC)2's CISSP and ISACA's CISM, continue to hold sway over many human resources departments, some security professionals -- and even some of the organizations that provide these certifications -- say the value of these broader certs is diminishing.

"What the hirers in the industry really need is a way to find people who know what they're doing," says Alan Paller, director of research at the SANS Institute, which sponsors the GIAC series of professional IT security testing and certification offerings. "Although the numbers of people who have broader certifications are bigger than ever before, my sense is that interest in them has fallen off. There's a sense that whatever security people have been doing at the professional level, it isn't working."

Others who have studied the impact of certification agreed. Just last month at the Black Hat conference, security recruiting and training experts Lee Kushman and Mike Murray outlined the results of a study that indicates the real value of certification could be less than many security professionals think.

"Certification is something that has been perpetuated by the fact that everyone thinks everyone else is doing it," says Murray, founder of MAD Security, which offers career coaching services. "People feel they need to get certified in order to keep up with others -- if that feeling didn't exist, then certification would almost disappear as a requirement."

Still, more than 80 percent of those surveyed by Murray and Kushman said they believe the time and money they spent on certification is a good use of resources, and more than half of respondents said they believe they are entitled to earn more money because they are certified. Over the years, studies have consistently shown a positive correlation between certification and both salary and hiring.

That correlation is perhaps the single biggest reason why (ISC)2's membership has skyrocketed to more than 80,000 during the past few years, eclipsing all other security professional groups. Here at the group's annual meeting, there is a belief that the CISSP certification continues to be valuable in the marketplace, but there also is realism about how far the certification goes.

"A lot of the criticism [of the CISSP] comes from people who aren't very familiar with it," says W. Hord Tipton, executive director of (ISC)2. "For some people, there's a perception that we issue a Superman cape with every CISSP, and that just isn't the case.

"A CISSP can't make water run uphill, and we have never maintained that it's the only certification that security professionals need," Tipton states. "We have seven different certification programs ourselves, and there are probably 25 other certifications out there that we have respect for as well."

The CISSP is just one point of differentiation that helps hiring organizations to sort out the right candidates for a security job, Tipton emphasizes. "With so many jobs and so many applicants, a CISSP is a starting point to help sort them out," he says. "There are many other credentials you can build on top of it to show the depth of your knowledge or the career path you are trying to take."

Like most others in the industry, Tipton believes that certification -- which already is a jumble of acronyms and titles that has become difficult to sort -- is headed for more specialization and more focused testing.

"Five or 10 years ago, CISOs may have only recognized the most popular certifications, and that's why certain programs stood out," Tipton states. "Today there's a much broader recognition of very specific types of certifications -- they have a pretty good knowledge of what they want, and they are more focused in what they look for when they do their hiring."

Some shorter, more focused technical certifications -- such as the CCSK, which offers a program on cloud security -- might be useful in helping security professionals define their skills and provide credentials to potential employers, says Rich Mogull, founder of Securosis, a security consultancy.

"More education is a good thing," Mogull says. "The smaller certs may be interesting to employers who need specific skills, and they do help provide a filter for the interview process."

But employers and security professionals should be wary of treating any of today's certifications as a license to practice, as they might be used in the medical profession, Mogull warns. "There are lots of jobs out there where you don't need a certification," he notes. "There's no certification to be a CEO. A CPA might be helpful to a financial executive, but you don't need one to be a CFO. A security cert is helpful in filtering resumes, but it doesn't really guarantee that you can do a particular job."

Some proponents of security certification have compared it to a medical certification. But Mogull, who has been certified as both an emergency medical technician and as a paramedic, says there's no comparison.

"First, the certification required to be an EMT or a paramedic is way more extensive," Mogull says. "Second, the range of tasks that might be required of a security professional is so wide that it's really difficult to define. There's no way that security certification will ever reach that level."

So what will security certification look like in the coming decade? Most experts agree that it will become more specialized and that the number of certifications -- both the meaningful, ongoing kind and the quick-and-dirty certificates you can get with a week's instruction -- will likely keep growing. And it likely will become even more difficult for hiring firms -- and security professionals -- to sort out which certifications are worth earning and maintaining.

Paller holds out some hope for the National Board of Information Security Examiners (NBISE), which has been looking to help validate some of the security testing and certification practices and offer guidance on how security professionals and certification organizations should work together.

"What we need is something like the National Board of Medical Examiners that can establish metrics by which security education and certification programs are measured," Paller says.

When it comes to hiring, Kushman, who is a top recruiter in the security industry, says the industry should rely more heavily on a complex skills matrix in which education and certification are only one element.

"There are so many other things that need to be considered when hiring a security professional, such as their experience, their reputation and linkages with other professionals, their integrity and personal character," Kushman says. "Certification has a place in that matrix, but not one of those elements should be the single determiner of who should get hired."

On a broader level, Tipton says organizations such as (ISC)2 and others have a responsibility to reach beyond the relatively small community of security professionals and help educate young people and everyday computer users about online security.

"We have to start working together, whether it's professional organizations such as ISACA and CompTIA, or just individuals who know and understand the issues," Tipton says. "We need to get into academia, into our schools, and make young people aware of the dangers and the ethics associated with online behavior while they're still young. That's where we can make a difference."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals.