Some IT security certifications are overvalued, analyst says

Some IT security certifications are overvalued, analyst says

By Carolyn Gibney, Assistant Editor
30 Sep 2009 | SearchSecurity.com


Security Wire Daily News

With the rise in publicity of data breaches, companies are looking at security more seriously than ever, which means they're looking to hire qualified and, often, certified IT security pros. A recent report from Gartner Research Inc. entitled, "How to Choose the Right Professional Information Security Certification," examines which IT security certifications are most common and valuable in today's job market, as well as how much attention should be paid to security certifications by prospective employers. In this interview, Carsten Casper, research director at Gartner Research and holder of the CISSP and CISA certifications, explains what makes one security certification more valuable than another and how to know when it's worth the financial investment to get certified.

What are the key takeaways from the research?

Carsten Casper: The two major issues are that, on the one hand, we still need security as a profession, and all these certifications provide additional benefit, but [they don't necessarily contribute to] a security profession as such. Some of the [certification] schemes think they have reached maturity in their target group, which I believe they haven't. That led them to conclude that they need to create, they need to diversify and they need to come up with variations of existing schemes. That's not necessary because the certifications we have out there are sufficient for the needs of today. There is enough variety and there are some that are widely accepted. And the tendency to create more schemes seems to address the money rather than the end value [to those being certified].


What are the most important certifications in information security today?

Casper: There's basically two groups of certifications. There are hundreds of certifications that few know about that are [aimed towards] very specific environments, countries, topics and target groups. And then there are a few major ones that are so widely known: CISSP, CISA as the certifications themselves and GIAC, as the group of more technological certifications. I think that's pretty clear. And I almost don't want to say that because it leaves so little room for all the other certification schemes that I believe also have a good reason for existence. They fill very specific market needs. The problem is, if you want to differentiate yourself and stand out from the masses, then these are probably not the right ones, even though they are the most widely known. But then what else do you choose? That depends on the specific needs that you have. It's hard to say.

If a security professional is looking to move into a new or different security role, would you suggest he or she pursue certifications in that niche first to have better chances of obtaining a job? Or has a certification become less significant in that regard?

Casper: If you come from a business background or from a very different technology background and you want to get into information security, getting one of these standard certifications doesn't really help you. You need the experience; you need the information security background. If you have worked in IT security and if you have been a penetration tester for a number of years and you want to [expand your knowledge base beyond your niche] then CISSP or CISA might be a good approach. It shows that you broadened your horizons; that you've stepped up a level and you can deal with other areas of information security as well. If you've worked in the information security field for a number of years, maybe even as a Chief Information Security Officer, and you're moving into a role of IT risk management, then this security connotation can actually be a hindrance. You may want to try to get an MBA. I think earning a certification is good to prove what you know already; it's not so good if you need to change your area; it's not so good if you want to get into that other area, because after all it's a stamp, it's a piece of paper that you put on the wall. There [are] courses attached to it, yes. You attend some classes online or on-site, but it's not a university degree; it's not an MBA; it's not deep and thorough training. It's just a stamp.


How much is the burden on employees to "sell" their certifications to potential employers, i.e. tell them what the certification means?

Casper: One hundred percent. If you don't have one of the major [certificates], you need to tell your employer or your future employer the significance of your niche certification, because it's just a big acronym soup. And even if you spell it out, nobody would know the breadth and depth of that certification. You really need to explain it from A to Z.


Is there any specific way infosec pros should explain it? Do you think attaching a written synopsis of the certification with the resume, or even explaining it in the interview would be a good idea?

Casper: Tell [your current or prospective employer] in which area this certification is used: in which industry, in which country, in which topic area. Explain who the issuing organization is (is it a non-profit or a government entity?) and how many certificates have been issued of this type. Is [the certification] ISO 17024 accredited? Then explain how you got that certification: Was it an exam? Was it a lab? Did you have to show some recommendation letters or some practical experience? You really have to have your facts right and do a little bit of marketing for that specific [certification] scheme if you want to convince your employer of its value.


What should a security employee take into account when trying to decide whether a certification is worth the financial investment?

Casper: I think it's always worth it. The question is: Which scheme do you choose? If you have nothing, I think it's worth it to get something. If you have a degree in computer science and you work in information security, at one point someone will ask: "So, you're a computer scientist, but what do you know about information security?" If you have many certifications then you wouldn't ask yourself that question of whether security certifications are financially worth it. But if you have nothing, I would say, across the board, it makes sense to get some certification.


How much emphasis should enterprises place on a candidate having a particular certificate when searching for a new security staff member?

Casper: It depends on the role. If you are looking for a technical person, such as a file administrator, IPS operator, or forensics investigator, then looking for a certificate is a good idea because it helps you to filter the applications. If someone stands out without a certification and otherwise looks interesting, I would still consider that person. If you're looking for a managerial role, such as an information security manager or a risk manager, then place less emphasis on the certification, simply because such a person typically doesn't have the time and the need to go through such an extensive evaluation. It's less common in that space even though there are some of these certificates that claim to be managerial, like CISM, but it's much less common. So [if you were judging based on security certification] you would probably filter out good candidates too early. So for technical roles, I would say give it, maybe, 20% of attention, for a managerial role give it maybe 5% of attention. Look at all the other things, look at the technical skills and look at the soft skills.