A solid identity and access management program is vital to combating enterprise data privacy and security concerns. But, for many identity practitioners, the rapid rate at which technology and IAM trends change can make it hard to keep up.
In IDPro's 2019 survey of identity professionals, 15% of respondents with more than 10 years of industry experience reported they do not feel proficient in their jobs, and many feel a certification in one or more areas of identity could serve them well in ensuring job success.
"Unfortunately, the identity industry still lacks a vendor-neutral standard for the profession," said Janelle Allen, senior product manager of cloud at IAM vendor ForgeRock. "There is also a lack of training at the university level around identity. This leaves the question of how one embarks on their career to becoming a skilled professional in this field."
Despite the lack of a universal certification path for a career in IAM, there are a few standout options that can assist identity professionals in their careers. Here, explore the benefits and limitations of certification programs, the must-have IAM skills for any identity pro and the best certification options to demonstrate IAM proficiency.
Benefits and limitations of the top IAM certifications
Certifications demonstrate a minimal level of competency, achieved through completing standardized examinations. Taking an exam -- or retaking the exam to renew certification or improve scores -- can quickly become expensive, so candidates should consider if the upfront cost will be worth the investment.
There are many incentives for IAM professionals to pursue certifications. Individuals who complete certification programs may enjoy benefits such as better employment opportunities, job retention and professional credibility. They may also help achieve personal goals or corporate requirements. However, individuals should never assume obtaining an IAM certification will automatically yield better job prospects.
Networking opportunities may also present themselves as a result of certification. Many IAM certifications are completed through nonprofit organizations, such as (ISC)2. Because membership is often a prerequisite, candidates can take advantage of peer resources. Memberships come with additional costs, however, which may deter some individuals from the certification process. But cultivating interpersonal networks can help establish professional mentorships and distribute further expertise among certified members.
Fundamental IAM skills and standards to know
Is IAM certification worth the time, money and energy in an industry that is subject to such sustained technical and regulatory change?
"Yes, there is shifting," said Raghu Dev, director of identity and access management at financial services company BNY Mellon. "But, if you pay attention to the fundamentals, you'll notice they remain the same."
The fundamentals, Dev said, come down to "a) managing the lifecycle of an identity and b) managing the lifecycle of their access." These core IAM skills can be sharpened and demonstrated in the process of becoming certified -- even if the curriculum is focused on larger infosec concepts and not limited to specific IAM principles.
Additionally, the ability to be flexible and to learn on the go is essential for a successful career in IAM, said Eve Maler, CTO at ForgeRock. "There is always work in this area that is in flux," she added.
Studying popular standards, such as Security Assertion Markup Language, OpenID Connect and Open Authorization (OAuth), is a practical way to better understand advanced IAM intricacies and prepare for future tech environments. "For example, the OAuth standard and the stack that is built on top of OAuth [have] powered the API economy -- and the IoT economy is built on top of the API economy," Maler said.
Ultimately, the IAM professional's decision whether to get certified -- and which of the top IAM certifications to pursue -- will depend on their career goals, their job's responsibilities and the specific vendors they use in their work.
The top IAM certifications
Certified Information Systems Security Professional (CISSP)
Offered by (ISC)2, CISSP is considered the gold standard certification for individuals who wish to prove their competency on a wide array of infosec principles and best practices.
"For those looking to either initiate or further a career in IAM, pursuing CISSP is a smart move -- it is a well-rounded security certification, and it touches on some aspects of identity," ForgeRock's Allen said. In fact, she added, many IAM professionals hold a CISSP certification.
CISSP candidates must prove their comprehension of IAM skills, as well as how to successfully design, implement and manage a cybersecurity program. Common Body of Knowledge covers 10 core subject domains, one of which -- Domain 5 -- exclusively covers IAM. The vendor-neutral CISSP certification requires at least four years of relevant work experience and is awarded after passing a 250-question exam, which costs $699.
This certification demonstrates a person's competency with core knowledge required of any infosec role, including IAM. Security practitioners commonly pursue this certification prior to CISSP. The CompTIA Security+ credential counts as one year toward the four years' experience prerequisite of CISSP. It is advertised by CompTIA as a "springboard into intermediate-level cybersecurity jobs."
The CompTIA Security+ program covers the latest trends and techniques in risk management, risk mitigation, threat management and intrusion detection. Candidates will gain hands-on troubleshooting experience and security problem-solving skills. IAM is one of the six core domains covered in the curriculum, constituting 16% of the exam. The exam costs $349 and must be renewed every three years.
Certified Information Systems Auditor (CISA)
The CISA certification demonstrates an individual's comprehension of infosec and IT auditing expertise, but it is not limited to auditing practitioners. Offered by ISACA, the exam includes five job practice domains, including Governance and Management of IT and Protection of Information Assets.
Candidates for the CISA certification study how to perform an audit, in addition to ethics, standards and complex vocabulary. Understanding how to audit and secure information systems -- skills necessary to pass the CISA exam -- can also supplement other infosec careers, such as an identity professional, infosec risk analyst or risk advisory manager. The exam costs $575 for ISACA members or $760 for nonmembers and must be renewed every five years.
Certified Information Privacy Technologist (CIPT)
Offered by the International Association of Privacy Professionals, the CIPT exam certifies an individual's knowledge of privacy-related issues and practices in the context of IT security. The course content includes Fundamentals of Information Privacy lessons and Privacy in Technology topics. The CIPT certification can enable individuals in private and public sectors to demonstrate the practical knowledge required to apply privacy and data protection measures in the development, deployment or auditing of products and services.
With new data protection and privacy regulations cropping up worldwide, the job market for infosec professionals with certified privacy knowledge is strong. To better reflect the changing industry skills landscape, CIPT recently added two new domains to the curriculum: Privacy Engineering and Privacy By Design Methodology. The exam costs $550.
Identity Management Institute (IMI) certifications
IMI has established an independent accreditation process by setting standards of excellence for identity management professionals through various certification programs. To obtain these IAM certifications, the candidate must be an active member of IMI and pass the corresponding exam, which can cost between $195 and $395 each. Certifications include the following:
- Certified Access Management Specialist (CAMS). CAMS-certified professionals gain IAM skills necessary to ensure compliance and risk management requirements regarding system and data access are met.
- Certified Identity and Access Manager (CIAM). CIAM-certified professionals are IAM experts who work for a variety of organizations and demonstrate their ability to design, implement, improve and manage IAM programs, processes and tools.
- Certified Identity Governance Expert (CIGE). CIGE-certified individuals demonstrate their ability to guide and support their organization's management in addressing identity data issues, including privacy, security, regulatory and contractual compliance, customer expectations and authentication.
- Certified Identity Management Professional (CIMP). CIMP-certified professionals prove their ability to develop and implement identity management services that can streamline IAM processes, improve workflow, and coordinate activity tracking and reporting at scale.
- Certified Red Flag Specialist (CRFS). The CRFS program is the first registered workplace identity theft prevention training program. A CRFS-certified individual can identify risks to consumer information to better protect against identity fraud and theft security incidents.