Certifications are a lot like attending college. Some people go to get a degree. Some go to learn something.
Security certifications are on people's minds these days as companies look for certified personnel to safeguard assets while tight economic times have forced IT pros to seek out certifications to bolster their resumes.
For some professionals, the prestige of having a few letters after their name on business cards is cool. Others get certifications to break into security. And then, there is always the extra pay certified professionals receive.
Events such as September 11 and some high-profile virus attacks have caused more companies to think about security (and workers certified in it), though certifications have been around for a while.
"I would say it's the infancy of companies paying attention to security certifications (not of security certifications in general)," said Ed Tittel, certification expert and president of LANWrights, Inc.
Security certifications abound, but the most well known is probably the Certified Information Systems Security Professional (CISSP). "The CISSP is by far the most requested security certification in classifieds and online job postings," Tittel said.
The CISSP is not, however, the most popular certification. For example, there are about 23,000 Certified Information Systems Auditors (CISAs) compared to about 6,000 CISSPs. There are also about 9,000 Certified Protection Professionals (CPPs).
So, why get a security certification?
People wishing to break into security may go for a security certification. "Certifications are definitely a good way to get companies and recruiters to look twice at your resume," said Mandy Andress, president of ArcSec Technologies, who holds multiple certifications.
Recently, TruSecure introduced a new certification on the fundamentals of security: the TruSecure ICSA Certified Security Associate (TICSA). This certification is within reach for people new to security, as class instruction can make up for work experience.
By contrast, CISSP candidates tend to have more than eight years in IT and tend to specialize in security. That certification also tends to be policy focused.
Stan Hoffman, senior network engineer with Houston-based RealEC, is both a CISSP and a GIAC Certified Intrusion Analyst. Those certifications are like apples and oranges. "The CISSP is geared toward administration. The domains are broad, and the depth of knowledge is a minimum to function/interact with that domain," he said.
"The GCIA is a much more focused, in-depth, hands-on cert," Hoffman continued. "The GCIA helped to develop the skills needed to effectively administer a network-based IDS environment."
The benefits of getting a CISSP or other certifications are great. In fact, CISSPs top SearchSecurity's salary survey, averaging $83,343 a year. CISAs are next with $81,628. Respondents with no certifications average $58,869 a year.
Besides compensation, certifications can be a professional requirement for some positions. "I got some of them because they are expected for anyone in the industry, such as CISA, CPA, and CISSP," Andress said.
"I look at my business card, it doesn't hurt," said Glenn Williamson, a CISSP with Fujitsu Consulting in Ottawa. Having such a certification may get you a job but it's "in-depth knowledge that keeps you employed," he said.
What certifications aren't
Certifications are no magic bullet. In general, hands-on experience still counts a lot toward getting a job, Tittel said. If two equal candidates in terms of experience were vying for a job, then the one with certifications would probably have the upper hand. However, a certified person with little experience wouldn't fare so well against an uncertified person with a lot of experience, Tittel said.
Also, security certifications tend to focus more on the technical aspects of the field. There are many other aspects to being a security professional. "It's like teaching about a tree instead of the forest. Learning about the forest is more important in the security space," said Peter Lindstrom, director of security strategies at the Hurwitz Group and a CISSP holder.
Non-technical skills such as risk management are extremely important in security, Lindstrom said. "I know plenty of people who don't know about ones and zeros but do a fine job with security awareness and policy," he said.