Is the holder of a Security Certification certifiable? Or the people that vet for it?
High Technology and certifications. It’s a trend that goes up and down, but hasn’t yet achieved the same commonality as certification exams in other fields, such as passing the bar for lawyers, RN for nursing, DDS for dentists, etc. For decades, there have been certifications in specialized areas of high tech, including security. What you or your organization makes of them is probably unique to you.
Three primary providers (that provide non product / non vendor specific certification) that are often referenced for Security Certifications are (ISC)2, ISACA and SANS. All of these programs (as well as others, such as CompTIA Security+, and other less commonly referenced certs) offer significant value to both organizations that employ security resources, as well as the people who want to work in the security field. This doesn’t mean that the certifications are without everything from reservations to detractors, who feel that without an industry standard (like passing the bar is for lawyers) that the security committee bodies can’t really prove overall current and practical knowledge.
Right now, when popular media declares negative unemployment in the security space, these certifications are booming. For employees, or the unemployed, certification is believed to be a great way to provide more value, and receive more money. However, their very popularity is causing people in the field to consider a more nuanced view of them than Cert==Awesomely skilled person who can do this in the real world.
What does this mean to you? Well, it depends.
On the corporate side:
- Are you in a large enterprise recruiting new security people? You probably provide internal training budget, and have an existing security department, which allows for career advancement through training to higher levels in that department.
- Are you in a small to medium business recruiting new security people? You may or may not have a security team already. If you don’t, you are essentially interviewing on faith. You are using the existence of a certification on a resume to validate candidates have some kind of empirical proof that they know what they say they do. You may not have the resources internally to interview them for depth of knowledge in the security field. This is the roughest place to be. Security certifications do provide some validation of knowledge; but have varying levels of how practical that knowledge really is. Having a strong technical interview on areas you do have internal subject matter experts and combining those outputs with references are really the best way to go for real validation of skills.
As a candidate for a position or promotion:
- Are you in a large enterprise with an existing security department? In many cases, certification is something paid for by the organization; and can allow you to achieve promotion more readily; and create a SMART set of quarterly goals that may even earn you additional bonus money for performance against those goals (assuming you pass.)
- Are you in a SMB? Does it have a security team? Here it’s more nebulous. Many organizations are uncomfortable with the high costs it takes to go to a physical training session, buy reading material and pay for the exam. For SANS certifications, this could be upwards of a 4K investment per person. However, you can challenge exams, or do remote training, which brings the cost down. Like the enterprises, certifications absolutely have an impact on quarterly goals and promote-ability.
Are you unemployed?
- This is pretty unambiguous if you have an option. Some states and organizations are more proactive in helping the unemployed achieve certification than others. The letters achieved by a certification are absolutely used by HR departments (and others) to vet resumes, especially in times (like now) of high unemployment. Having a 4 letter acronym behind your name can be a serious helping to getting face time in an interview.
Diploma image courtesy of Shutter Stock
Tags: (ISC)2, audit, certification, certifications, CISSP, Configuration Assessment, Information Security, Infosec, ISACA, IT Security, IT Security and Data Protection, ITSM, Regulatory Compliance, Risk management, SANS, security certification