When
As applicable, depending on your views.
Why
My opinion, on this surprisingly volatile issue, is that credentials are necessary. If you look at my resume, the last thing I accomplished that the business world would recognize was getting a Master's degree in 1995. And now it's almost 10 years later -- what proof is there that I'm keeping up in my IT-centric world? I don't really want a doctoral degree or to be forced to publish on a regular basis. Telling potential employers "trust me -- I've been keeping up with the industry" doesn't give the same assurance that initials after my name do. I am a CISSP and recently obtained my CISM as well.
As a manager, I feel it's also important to set an example. How can I expect folks working for me to go the extra mile if I haven't demonstrated that I do? Recognized credentials differentiate those who are willing to do a little extra work from those who aren't. I expect more from those with certifications. Are there people who do the work of two or more, are constantly reliable, are up-to-date with technology, even leading it, yet don't have any certifications? Of course there are -- it's just that I have to make a decision, usually a fast one, with a piece of paper in my hand, and not with the firsthand knowledge of their experience, dedication and education, formally earned or otherwise. As a consultant or contractor, I need to supply my customers with people who have proven successes in their field, and customers like everyone else can only point to industry-recognized credentials as something of a "proven measure."
I think one of the pitfalls of credentials is when people of very little experience want these credentials so more experienced people will take them seriously, but those initials after their name have to come from the result of hard-earned experience.
And often the bottom line is: the bottom line. Do people with credentials get paid more than those with a similar experience but no credentials? In my experience, the answer is "usually." I have found that many companies have a pay scale to recognize degrees, but not certifications. My personal philosophy is that I work harder than the average bear, and I also expect to be compensated more than the average bear.
All credentials really allow you to do is make assumptions about an individual's general knowledgebase. Having a bachelor's degree allows the employer to make some assumptions about certain classes taken, and that formal instruction can replace some experience. Only time will tell whether that formal training makes a useful and contributing member of the organization.
To certify or not to certify? I say, "Why not?" As a person who is fascinated by all aspects of security, I'm going to get all the training I can anyway, so why not work toward something my industry recognizes? Yes, testing is a pain, and expensive, and the tests never seem to measure what I think is important. But we have to have something that differentiates the people who talk about it from the people who actually do it, and certifications will work as well as anything until something better comes along.
Strategy
Depends on your career plans, the time you have available to study, if your organization supports it and whether obtaining a certification constitutes going against antidisestablishmentarianism.
More information
For more about information security industry-recognized certifications, see http://www.giac.org for information about the Global Information Assurance Certification (GIAC). For more information about the CISSP certification and its relatives, see http://www.isc2.org. The Certified Information Systems Auditor (CISA) and Certified Information Systems Manager (CISM) credentials are sponsored by the Information Systems Audit and Control Association, see http://www.isaca.org. Microsoft, Cisco, and other companies have certifications for specific types and models of equipment -- see their respective Web site for more information.
About the author
Shelley Bard, CISSP, CISM, is a senior security network engineer with Verizon Federal Network Systems (FNS). An information security professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to mailto:securityplanner@infosecuritymag.com
Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.
Last week:Contingency planning
Next week: New technical manager challenges and pitfalls
