Security certifications: Are they worth the trouble?

My first thought: this person has a lot of extra time on his or her hands. But before I jump to unnecessary and likely incorrect assumptions, let's examine the role of security certifications and whether it's a good idea to invest the time and money to obtain them.

I've never really been a fan of certifications for two reasons: some of the smartest security folks I know don't have any, and some of the least capable do. This has caused me to be generally skeptical of the entire process. After all, certification is a huge business for the certifiers. With over 60 "vendor-neutral" certifications, how can a practitioner decide which one makes sense for him/her?

Yet many companies and hiring managers continue to believe there is a direct correlation between certification and competence. (There isn't, but I'm still swimming upstream on that topic.) The reality is, certifications can be useful at times. Let's examine some situations where that could be the case.

Accomplishing specific objectives
The value of certification is always dependent on the goals that need to be accomplished. When breaking into the security field, a certification is proof of some coursework and a general understanding of the vernacular. A CISSP is out of range (since that requires four years of field work), but getting another, possibly even vendor-specific certification may help ease the process of sliding into a technical role. Some hiring managers use certifications as a coarse filter in the process, so having one may be a leg up.

A certification can also help facilitate a career move within an

To continue reading for free, register below or login

Requires Membership to View

To gain access to this and all member only content, please provide the following information (all fields required):

First Name:
Last Name:
Country: Select... Afghanistan Aland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory British Virgin Islands Brunei Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo Congo, Democratic Republic of Cook Islands Costa Rica Cote D'Ivoire Croatia Cuba Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia, The Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard and McDonald Islands Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati Korea, North Korea, South Kuwait Kyrgyzstan Laos Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macau Macedonia Madagascar Malawi Malaysia Maldives Mali Malta Man, Isle of Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestine Panama Panama Canal Zone Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Reunion Romania Russia Rwanda Saint Helena Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and the Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia and Montenegro Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu U.S. Minor Outlying Islands Uganda Ukraine United Arab Emirates United Kingdom United States Uruguay Uzbekistan Vanuatu Vatican City Venezuela Vietnam Virgin Islands Wallis and Futuna Islands Western Sahara Yemen Zambia Zimbabwe
Email Address:

I would like to receive a FREE subscription to Information Security magazine online.
YesNo

Do you manage, evaluate, recommend, implement, support or purchase security products, software or services?
YesNo

Please estimate the yearly security budget for your entire organization including all security products and services.
Please select... Over $10 Million $5 Million-$10 Million $1 Million-$4.9 Million $500,000-$999,999 $100,000-$499,999 $50,000-$99,999 $25,000-$49,999 $10,000-$24,999 Less than $10,000 None

What is your role in purchasing IT related products and services? (Check all that apply)
Technical decision maker
Financial decision maker
Recommend/Specify
Evaluate products
Implement Products/Services
Determine Needs
Create Security Strategy
None

By joining SearchSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

A certification may also help in getting a raise at one's current job. Some organizations even pay for the certification, which can mean a positive return on that investment.

Finally, for a management position, it may make sense to look at a management-oriented certification. SANS has one of those, the GIAC Security Leadership Certification (GSLC). Without actual on-the-job experience, a certification can be helpful at times, depending on the organization.

Which to choose?
If a certification will help achieve goals, then it's time to figure out what's the best choice -- security certification or an audit certification? What are the pros and cons of each? Let's go through all of the big ones:

Remember, a certification is like anything else: it's a tool to help further career goals. If it's not possible to get from point A to point B without getting certified, then by all means go down that path. But keep in mind, nothing is a panacea and there is no replacement for actual hands-on experience.

So instead of spending a week in a SANS class, maybe volunteer to do a penetration test for a local religious organization and put in place some defenses to protect them. Maybe the local school or animal shelter needs some help, or the neighborhood homeowner's association. Another option is to apprentice with a local organization through the ISSA or the InfraGard organization.

These all provide the types of hands-on experience that employers look for. There are lots of places to learn and practice the trade. And some even yield better karma than a piece of paper.

About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also SearchSecurity.com's expert-in-residence on information security management. Get more information about the Pragmatic CSO, read his blog, or reach him via e-mail at mike.rothman@securityincite.com.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Compliance Counselor,   Information Security Jobs and Training,   Information Security Careers, Training and Certifications,   CISSP Certification,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Compliance Counselor Common PCI questions: Web application firewalls or source code review? PCI management: The case for Web application firewalls The basics of enterprise GRC project management PCI DSS: The structure of a standard How to choose between source code reviews or Web application firewalls HIPAA compliance: New regulations change the game Data security best practices for PCI DSS compliance Key elements of a HIPAA compliance checklist A preview of PCI virtualization specifications Strategies for email archiving and meeting compliance regulations Information Security Jobs and Training Security jobs survey finds fewer budget cuts, lower security salaries IT security skills and certification pay Information security skills must include communication, expert says Despite recession, pay climbs for top IT security certifications How do I transition to a career in IT security? Information security book excerpts and reviews Security skills pay increases despite economic downturn Getting the CEH certification to join an ethical hacking network Finding a security management job after an economic downturn How to become an information security expert CISSP Certification IT security skills and certification pay Despite recession, pay climbs for top IT security certifications Information security book excerpts and reviews Security skills pay increases despite economic downturn How do I get CPE credits? Finding a security management job after an economic downturn What is the GISP certification and how does it compare to the CISSP certification? Security certifications Certification still pays for CISSPs, CISMs CISSP Domain 1 quiz: Security Management Practices CISSP Certification Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Cisco Certified Security Professional (CCSP)  (SearchSecurity.com) CSO  (SearchSecurity.com) security clearance  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.