Certifications can be one way to evaluate security consultants, but opinions vary as to their value.
The CISSP carries weight and can eliminate some of the "riffraff," says Paul Fistori, vice president of channel sales and strategic partners at security vendor Vericept. Depending on the work, Global Information Assurance Certifications and some vendor certifications can be important, some consultants say.
Joseph Granneman, CTO/CSO of Rockford Health System, holds the CISSP himself and looks for that credential. However, it "covers so much, I don't know if you can use it other than just an initial qualification," he adds.
When she worked at Bank of America, Rhonda MacLean says she didn't get hung up on whether consulting candidates had security certifications. Rather, she wanted to make sure she was comfortable with their level of experience and that they were suited for the job.
"When you pay a consultant … you're looking for someone who is seasoned and can hit the ground running," says MacLean, who now runs a consulting firm.
Outside of routine tasks, certifications are probably among the weakest criteria to use in judging whether someone is qualified for a security project, says Jon Gossels, president and CEO of consulting firm SystemExperts. "The trouble is that they tend to be relatively low-level or journeyman certifications," he says. "There's no certification that says security expert."
Aric Perminter, partner at Secure Technology Integration Group, advises: "Don't let certifications be a show stopper to hiring a contractor. Let real-world experience be a key driver."