Certifications and certification bodies have played a prominent and controversial role in the development of the information security profession. Attaining certifications has been viewed as a common method to create a personal brand of credibility and knowledge. For many, the effective leveraging of this brand has led to the establishment and the advancement of their information security career. This impact has not gone unnoticed, and the certification industry has become a lucrative business.
Certification and educational bodies that offer training have been able to capitalize by developing a large number of programs that appeal to every segment of the profession. If you include all of the encompassing information security certification programs (e.g. CISSP, CISM, etc.), the 24 SANS GIAC certification programs, and vendor-based certifications (e.g. RSA, Symantec, etc.), there are more than 50 options. It can be argued that no organization has been more effective in marketing certifications than ISC(2) and its CISSP; as of August, ISC(2) confirmed there are 76,335 active CISSPs worldwide, almost double the number of SANS/GIAC certified security professionals. Given that ISC(2) claims on its website that by holding the CISSP you will have “higher earning potential” and “expanded career opportunities” and will “join an elite network”, it is no wonder that this certification is the most popular.
With messages of this strength, and the corresponding numbers to support it, how are information security professionals expected to respond? Do non-certified information security professionals have any chance in achieving career success? By not holding information security certifications, are your career opportunities limited? Is your earning potential forever diminished? Exactly how elite are networks that boast such large numbers? What is the value of information security certification?
To find out, infosecleaders.com launched an independent survey that was open to all information security professionals, and promoted through the media, conference presentations, and social media. The survey polled those holding information security certifications, those not holding information security certifications, and those holding the CISSP. In total, there were 1349 respondents to the survey, of which 1000 held at least one information security certification. Fifty-two percent of the respondents (699), either currently hold (667) or had once held (32) the CISSP certification.
CERTS AND A FALSE SENSE OF SECURITY
Some of the most revealing findings focused on topics that included access to employment opportunities, return on investment, motivation for certifications, and attitudes toward the certification bodies. In addition, by addressing questions to different sub-sets of the respondents, it was particularly revealing to see how perceptions differed on these topics, depending on the respondent’s certification status and particular point of view. Looking at the collected data through my lens as an information security executive recruiter provided an interesting contrast of perception and practice.
One of the best examples of this difference in perception among non-certified and certified information security professionals focuses on access to job opportunities. Fifty percent of non-certified respondents said they either “strongly” or “somewhat” agree that not having a certification restricts their access to career advancement opportunities. Conversely, 77% of the certified information security respondents either “strongly” or “somewhat” agreed that having a certification provides them with greater access to job opportunities. In addition, about three quarters (74%) of the certified respondents believe their certifications provide them with a competitive advantage over non-certified security professionals with similar experience.
What I believe is interesting about this information is the false sense of security that certifications provide. While certifications may indeed provide you with access to opportunities, they are a long way from guaranteeing you will be hired. During times when the job markets are tough, certifications are rarely the difference maker. The key in difficult employment markets is relevant experience and expertise. In my experience, many non-certified information security professionals who have developed subject matter expertise in relevant topics and have built strong professional networks have created built-in unemployment insurance that supersedes any industry certification.
It was not surprising that the main motivations of the certified respondents for achieving certifications included career acceleration, professional status and personal pride, and increased earning potential. It was also not a shock to learn that the non-certified respondents did not pursue certifications due to their perception of its value, lack of relevance to their current job, or negative perceptions of the certification bodies. However, it did surprise me that 54% believe they have received a promotion or were selected for a job directly based on having a certification. It was not surprising that certifications played a role in this process, but what was surprising was the perception that being selected for a position or a promotion was a direct result of achieving the certification.
CASTING CRITICAL EYE ON CERTIFICATION BODIES
When all of the certified respondents were asked if they believed that the certification bodies were primarily concerned with their members’ careers, 37% either strongly or somewhat agreed, and 36% either strongly or somewhat disagreed. In addition, when asked if the certification bodies were marketing organizations primarily concerned with the advancement of their organization’s brand and the proliferation of their proprietary certifications, 76% agreed (28% strongly, 48% somewhat) and only 8% disagreed (1% strongly, 7% somewhat). It is these numbers that generally underscore the view of information security professionals who have voiced frustration with the value of their certifications. It should serve as a wake-up call to the certification bodies that many of their constituents view them as more concerned with their business and brand than with the customers they rely upon.
Because of the CISSP’s standing in our industry and due to the fact that more than 50% of the survey respondents either hold or held the CISSP, I found these responses to be some of the most interesting and telling. It was not unexpected that 62.5 percent of the CISSPs strongly or somewhat agreed that they believe the CISSP differentiates them from those who do not possess it. What was a bit shocking was that 25% of the CISSPs stated that in order to be considered an information security professional you must be a CISSP. By this logic, in the eyes of these respondents, some of the most well noted and most successful information security leaders and chief information security officers would not be considered security professionals. There is no doubt that some would think this way, but 25% is a surprisingly high amount. What did not surprise me was that 30% of the CISSPs stated that they would make a CISSP a requirement in hiring someone onto their team. In my experience, many of those making hiring decisions like to hire people who share their experiences and credentials; based on this belief, I thought that this number would be a great deal higher.
From my personal perspective, it was very interesting to learn through the data how information security professionals perceive the value of their certifications. As an executive recruiter in this industry for the past 15 years, my experiences are much different from the results. For example, very rarely have I witnessed an information security professional offered employment based exclusively on a certification or granted more compensation due to a specific certification. Conversely, on countless occasions I have heard many information security professionals claim not to be able to get through human resources and internet keyword filters without the appropriate certifications.
In the end, perception translates into reality. As an information security professional, you would be naïve to ignore market attitudes and interpretations. In the current state, there are two pieces of guidance that I can provide regarding certifications based on today’s market conditions: either join ’em or beat ’em. If having a certification breaks down barriers to attaining your career goal, do not let this be an obstacle, and go get the necessary certification. The other choice is to make a commitment to your professional development through a combination of experience, education, talent, and brand that will make certification irrelevant.
Lee Kushner is the president of LJ Kushner and Associates, an information security recruitment firm, and co-founder of InfoSecLeaders.com, an information security career content website.
For complete survey results, please go to http://www.infosecleaders.com/research/2011-survey-the-value-of-certifications/