Problem solve Get help with specific problems with your technologies, process and projects.

Security certifications: Are they worth the trouble?

Security certifications may or may not be helpful in furthering a security career, but many security pros feel they must "comply" with the unspoken expectation that certifications are a must for career advancement. In this special tip, security management expert Mike Rothman looks at what certification means in such a fast-paced business, which certificates may be helpful, as well as possible alternatives to the certification process.

 I've never really been a fan of certifications for two reasons: some of the smartest security folks I know don't have any, and some of the least capable do.

In my line of work I meet a lot of people. Although my professional interactions are less formal than ever, most still exchange business cards. Every so often, I get a card with the person's name and then a long line of acronyms and abbreviations following it. For example, John Doe, CISSP, Security+, CISA, GIAC, CEH and probably another 10 I've never heard of.

My first thought: this person has a lot of extra time on his or her hands. But before I jump to unnecessary and likely incorrect assumptions, let's examine the role of security certifications and whether it's a good idea to invest the time and money to obtain them.

I've never really been a fan of certifications for two reasons: some of the smartest security folks I know don't have any, and some of the least capable do. This has caused me to be generally skeptical of the entire process. After all, certification is a huge business for the certifiers. With over 60 "vendor-neutral" certifications, how can a practitioner decide which one makes sense for him/her?

Yet many companies and hiring managers continue to believe there is a direct correlation between certification and competence. (There isn't, but I'm still swimming upstream on that topic.) The reality is, certifications can be useful at times. Let's examine some situations where that could be the case.

Accomplishing specific objectives
The value of certification is always dependent on the goals that need to be accomplished. When breaking into the security field, a certification is proof of some coursework and a general understanding of the vernacular. A CISSP is out of range (since that requires four years of field work), but getting another, possibly even vendor-specific certification may help ease the process of sliding into a technical role. Some hiring managers use certifications as a coarse filter in the process, so having one may be a leg up.

For more information:
Learn about the vendor-neutral information security certification landscape.

Read more about the job prospects for someone without security certifications.

A certification can also help facilitate a career move within an organization. For example, let's say you want to move from security to audit. Getting an audit-oriented certification (say ISACA's CISA) shows a base level of audit understanding.

A certification may also help in getting a raise at one's current job. Some organizations even pay for the certification, which can mean a positive return on that investment.

Finally, for a management position, it may make sense to look at a management-oriented certification. SANS has one of those, the GIAC Security Leadership Certification (GSLC). Without actual on-the-job experience, a certification can be helpful at times, depending on the organization.

Which to choose?
If a certification will help achieve goals, then it's time to figure out what's the best choice -- security certification or an audit certification? What are the pros and cons of each? Let's go through all of the big ones:

  • CISSP -- The self-proclaimed "gold standard," (especially if you ask the (ICS)2). But in terms of brand recognition, there is still something to CISSP. And the program is evolving, though it is broad and doesn't indicate a specific level of competence.
  • SANS -- The SANS institute has more than 20 different certification tracks, largely based upon which set of SANS courses have already been attended. Like the CISSP, the GIAC line of certifications are well-known and broadly recognized. SANS tends to focus more on technical skills, though it is being broadened via new management- and audit-centric paths.
  • ISACA -- The international group of auditors also has their own set of certifications: Certified Information Security Auditor (CISM) and Certified Information Security Manager (CISM). For auditors, these certs are well-known and regarded. For information security professionals, though, not as much.
  • Security+ -- CompTIA offers a certification called Security+, which is one of the leading introductory certifications available. It's a pretty broad program and is focused on basic skills, but will indicate a certain level of knowledge. Note that I said knowledge, not necessarily competence.
  • Certified Ethical Hacker (CEH) -- The CEH certification is a relatively new entrant and is still largely unknown in the broad market. There is also a stigma attached to the term "hacker," but since I believe penetration testing is one of the most important long-term skills for a security practitioner, I think this one should be considered.

Remember, a certification is like anything else: it's a tool to help further career goals. If it's not possible to get from point A to point B without getting certified, then by all means go down that path. But keep in mind, nothing is a panacea and there is no replacement for actual hands-on experience.

So instead of spending a week in a SANS class, maybe volunteer to do a penetration test for a local religious organization and put in place some defenses to protect them. Maybe the local school or animal shelter needs some help, or the neighborhood homeowner's association. Another option is to apprentice with a local organization through the ISSA or the InfraGard organization.

These all provide the types of hands-on experience that employers look for. There are lots of places to learn and practice the trade. And some even yield better karma than a piece of paper.

About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also's expert-in-residence on information security management. Get more information about  the Pragmatic CSO, read his blog, or reach him via e-mail at [email protected].

This was last published in August 2008

Dig Deeper on Information security certifications, training and jobs