No topic in the world of information security conjures up more polarizing views than the value of IT security certifications, and specifically the role they play in building the careers of security pros.
The topic of certification has become an even greater lightning rod as certifications have become a lucrative business for both vendor-neutral organizations and security vendors alike. With more than 80,000 CISSPs and 60,000 CISAs among the information security ranks, the certification frenzy is showing no signs of slowing down.
Among those trying to climb the corporate ladder, the widely held view that certifications will have a positive effect on their information security career is now coming under scrutiny by the very people they’re trying to impress: the hiring managers and executives that run security organizations.
Contrary to the advice of many recruiters, loading up on security certifications simply to stand out from the crowd may be perceived negatively by hiring managers. Bill Traster, IT security manager of Dearborn, Mich.-based Ford Motor Co., believes it's important for security pros to show restraint and be selective in the security certifications they choose, as there are diminishing returns and significant curriculum overlap. As an illustration, the CISSP and the CISA cover essentially the same material, but the CISSP is designed for practitioners while the CISA is designed for auditors.
With such a wide choice of security certifications now available, it's important to identify those that are most relevant to one's specific information security career path, those that make some logical sense, and those that show some sense of direction in your security career, says Curt Dalton, CISO of Sapient Corp. This comment is echoed by Thomas Murphy, director of information security at the University of Connecticut, who is wary of resumes filled with certifications that cross into different fields, which he believes shows a serious lack of focus on the candidates’ part, and paints a confusing career path.
Far too often, candidates list every certification they’ve ever earned at the front of their resumes rather than highlighting their achievements and relevant experience. When it comes to finding the best IT security candidates, Stan Black, CISO of Burlington, Mass.-based technology provider Nuance Communications Inc., believes good security professionals are expected to have some certifications, but the truly great security pros are multi-dimensional, have significant experience across IT and operations, and often were thrust into security and compliance functions after beginning their careers in other IT disciplines.
With an ever-escalating arms race between malicious hackers and those charged with protecting enterprise systems and data, Dave Miller, CISO of Detroit-based cloud engagement vendor Covisint, argues that technology is changing so rapidly that practical experience and technical expertise far outweigh any certification. He says cloud services, which are the foundation of his business, require a highly technical approach to security that cannot be learned in the classroom or from a book.
IT security pros have long been ingrained with the idea that certifications show how committed someone is to his or her security career. Ultimately, it is impossible to ignore that recruiters draw upon a candidate pool in some part based on the certifications the candidates hold. Jim Murphy, information security architect at North Carolina’s Department of Health and Human Services, believes sourcing candidates by searching for certifications is dangerous, as recruiters do not appreciate the differences among the varieties of certifications available, and as a result they might ignore viable candidates.
David Lam, CISO of Stephen S. Wise Temple and Schools in Los Angeles, feels a balance must be struck between work experience and certifications. Security pros must also consider which certifications are going to have the most significant effect on their career trajectories. Said Traster, “When considering what security certifications should be pursued, you need to take into account the factors that make one certification more valuable than another, such as industry recognition, integrity, recertification requirements, correlation to actual job skills and market demand.”
Tammy Clark, Georgia State University’s CISO, believes candidates who remain in their jobs for long periods need to broaden their knowledge and experience somehow, and attaining security certifications is a good way to achieve that. "Rounding out your experience with certifications and training is valuable to potential employers," Clark said, "as they demonstrate a constant evolution of skills, so long as that’s tied to how they brought significant value to your job.”
However, there is one certification-related topic on which the information security community is in full agreement: The CISSP remains the gold standard among security certifications. Jerry Garland, CISO of Magellan Health Services in Avon, Conn., looks for candidates with a broad base of security knowledge and thinks the CISSP exam is the best test of that knowledge. Jim Murphy agreed, adding, "The CISSP is the most comprehensive and recognized certification in the industry, but the Information Systems Audit and Controls Association's CISA and CISM are right up there when branching out into risk management and compliance roles."
Generally speaking, vendor-sponsored certifications do carry some weight, but it depends on the job role held, as such certifications tend to be focused on specific products. Jim Murphy holds the view that vendor certifications enhance skills but don't add to one's overall information security proficiency, while Thomas Murphy firmly believes those responsible for network security and architecture should hold complementary vendor certifications in addition to the CISSP. Lam offers a word of caution, though: "Some vendors create certifications that are easy to pass and not very meaningful, while others show a level of expertise that may be useful in your job hunt." Miller explains he prefers to send his staff to industry conferences like Black Hat that offer practical training in current trends, although he does recognize the value in obtaining certifications for specific products, such as those from Cisco Systems Inc., if that's the predominant in-house technology.
Anyone that works in a highly regulated industry such as financial services knows there are hundreds of certifications that could be applicable, which further highlights the importance of being selective. Clark suggests those seeking a career in the government realm need to pay attention to security certification programs. She’s noticed a greater number of her colleagues in the higher education space have acquired the CISSP in recent years. Providing cloud services to the health care sector, as well as European clients, led Miller to boost his security organization with analysts who have specific expertise in HIPAA regulations and EU data protection. Expect to see more specialization by industry sector, as the regulatory frameworks become ironed out.
A growing consensus is also forming among information security leaders on the need to add non-traditional certifications to their skill sets. Both Thomas Murphy and Clark believe the Project Management Institute's PMP certification provides worthwhile benefits, and those who hold it offer skills that can help internal security projects run more effectively. Steve Bartolotta, CISO of Yale New Haven Health Systems, suggests rounding out management experience in the health care industry with a FACHE certification, while Garland favors more executives becoming certified in employee development programs such as those from CPP, the organization that ushered in the Myers-Briggs assessment.
In a world dominated by resumes and LinkedIn profiles that have been optimized for search engines, generalist recruiters have neither the time nor the expertise to sift through resumes looking for relevant experience. They instead search for keywords and phrases, so certifications are an easy qualifier. Yet it's a practice that is unfair and ultimately a negative for the industry. Hiring managers want to see candidates that have the most relevant experience, not those selected based on their list of certifications, but recruiters are not going to change their approach to sourcing candidates. As a result, certifications are likely to remain ingrained in the culture of IT security.
Over time, expect to see more specialized recruiters emerge who only focus on the information security market and who develop long-term relationships with potential candidates. This would be a positive development for the industry, as it would represent a better way of matching skills and experience to job requirements, and enable hiring managers to focus on their day jobs.
About the author:
Peter Rendall is the managing partner of JobSmart Partner's IT Security & Information Assurance Practice, where he places IT security candidates throughout the United States. Peter has spent the last decade focused exclusively on the IT security sector building award-winning teams.