One of the most frequently asked questions we get from students, both prospective and enrolled, is, “What type of security certifications are necessary to be competitive in the field of security?” Although it seems like a simple, valid question that we should have a snap answer for, we believe the students are missing the true question that should be asked: What value do certifications provide in a security professional’s career? We also believe that some security professionals can fall prey to the same trap of assuming there are certifications that are the Holy Grail. They, like our students, need to understand what that certification represents and what it doesn’t. They need to understand both the value and shortcomings of certifications.
In some ways, security professionals have the same demands as other employees in any business, government or educational setting. Technology is rapidly and constantly changing, and all employees need to stay current with the latest tools and techniques in their area of expertise to stay at the top of their game. We can represent this continual technology change along an X-axis that extends to infinity. However, unlike most scientists and engineers, for which the only moving target is ever-changing technology, security professionals incur change along a second Y-axis that represents the growing number of security threats and attack avenues. The rapid movement along both vectors provides security professionals with a constantly changing landscape and, at times, one that is almost impossible to keep pace.
The same axiom we use when recruiting prospective students to study security is also the crux of our problem with certifications: The most exciting thing about security is that unlike most science/engineering disciplines, where the laws of physics and nature don’t change, the knowledge in our discipline has constant and rapid change. Here lies both the glory and the curse of the security profession. The joy of our work constantly changing means we also have the necessary need to continually update our skills and knowledge. Additionally, while many scientists and engineers are looking at challenges presented by nature, in security, our challenges are presented by people. These people can be thought of as adversarial and highly motivated. They also only have to find one weakness in a system to gain the upper hand, while we in security have to find all the holes and plug them. So, when we think of security education in practice, we as security professionals do not have a static route to our career; it’s dynamic. So, how do certificates fit into this? Certificates should be viewed as not an end, but as a measurement of mastery along the pathway of a profession in security. While many educators talk about instilling in students the ability for life-long learning, we can’t just talk the talk—we need to walk the walk. Our students can’t depend upon rote memorization and passing a certification. They need to learn and think independently. Professional development in security is more about continuing education and keeping skills and knowledge current than earning a bunch of letters behind your name.
While this sounds like a denunciation of certifications, it’s not. Certifications have their place. For some individuals, working toward a certification gives them the motivation to learn about something new with the completion of the test helping them visually demonstrate their learning. Certifications can also be used for measurement in jobs which, in some cases, allow employees to earn more money for their effort to update their skill sets. In addition to earning employees a bump on the pay scale, some jobs require certifications, such as those for law enforcement or expert witnesses. Typically, these certifications require renewals at a predetermined time period, which generally includes continuing education work, practice and a test to keep them.
Over the years, on and off, universities get pressured to teach to a certification. Most security educators believe, as we do, that our place is to provide the basic knowledge that will enable students to continue to learn over their career lifetime. Life-long learning in security requires that students have the ability to move along both vectors in the changing graph of security.
So back to the original question, “Which certification should I get?” The answer should be whichever certification will help you continue to learn and stay on top of what is happening in security. Remember that certifications are nothing more than a milestone along a successful security career path: They represent the path that has been successfully completed. They do not represent the end of the journey, but rather the vastness of the road to travel.
Doug Jacobson is a professor in the department of electrical and computer engineering at Iowa State University and director of the Information Assurance Center, which was one of the original seven NSA-certified centers of academic excellence in information assurance education. Julie A. Rursch is a lecturer in the department of electrical and computer engineering at Iowa State University and director of the Iowa State University Information Systems Security Laboratory, which provides security training, testing and outreach to support business and industry. Send comments on this column to [email protected].