Does testing matter?

It was as if the clients felt compelled to pose the question — but did not know exactly why they were asking it.

"Four years ago, we started having our clients saying, ‘What are you certified in?'" recalls Johnson, vice president of SystemExperts, a networking security firm outside of Boston. "We were like, ‘Which [certification] do you care about, or why does it matter?'"

Then the two men, and their staff of about 25, got to thinking: This was the dawning of a new era in the IT security space, an age in which workers' effectiveness — at least initially — sometimes is expressed not by field experience, but by the often confusing assortment of letters listed next to their name. "I believe it gives organizations some level of comfort," says Greg Kellogg, vice president of security at Calence, a Tempe, Ariz.-based network solutions provider.

So, not wanting to appear unskilled and risk losing business, the team at SystemExperts went out and took the pertinent exams. Gossels and Johnson, by example, acquired the Information Systems Audit and Control Association Certified Information Security Manager (ISACA-CISM) accreditation.

"We did it because we don't ever want to have a hurdle." Gossels, SystemExperts' president, says. "We were just as smart [before certifications] as we are today."

Four years later, there appears to be no slowdown to the industry's dependence on certifications. If anything, the number of accreditations being offered has risen to record levels. Not coincidentally, this proliferation has led to many experts weighing in on the topic. Some are questioning whether the number has gotten out of control, while others defend certifications as a key way to validate authority.

A call for standards

Gossels estimates there are about 100 available information security credentials. Of those, about three quarters are vendor neutral — (ISC)2, Global Information Assurance Certification (GIAC), and Information Systems Audit and Control Association (ISACA) are the main accreditation groups — and one quarter is vendor and product specific.

Higher salaries and prestige, gained by enhancing credibility within the organization, are two of the primary reasons why employees seek certifications, experts say.

Industry observers agree that many certifications, no matter how easy to obtain or what level of competency they test, represent an understanding and grasp of subject matter that offers at least some usefulness to the individual seeking the accreditation. This especially is true with vendor- and platform-specific certifications, such as Cisco, Checkpoint and Red Hat, because they show advanced expertise on specific solutions.

The main problem, observers say, are certifications as a whole. Most agree there are simply too many entry level and intermediate accreditations, which lessens their value and confuses employers and customers as to exactly which certifications mean what. The acronyms have become so widespread, that some mockingly refer to the string of letters listed next to someone's name as "alphabet soup." Others think the industry lacks an all-knowing "expert" certification, the equivalent to, say, a Ph.D.

And some have gone so far as to question the motives of certification bodies, saying they are just offering more credentials to generate additional revenue. After all, these organizations can rake in up to $500 for each exam they administer. The bodies counter by saying they are offering much-needed services.

This issue has become so controversial that one industry group — the Computing Technology Industry Association (CompTIA) — is leading a push to create a first-of-its-kind set of standards, says Neill Hopkins, the group's vice president of skills development. CompTIA, based in Oakbrook Terrace, Ill., offers several IT certifications, including its CompTIA Security + certification. If successful, the standards would enable employers and customers to discern which certifications someone should hold depending on their role within the information security space, Hopkins argues.

And it could effectively narrow down the number of vendor-neutral credentials as practitioners begin realizing the value of certain designations over others, helping to separate veteran employees from the rookies, experts say.

The initiative has the support of CompTIA's roughly 22,000 members and, perhaps more importantly, the backing of the federal Labor and Education departments, says Hopkins, who would divulge little about the "ambitious undertaking" other than to say the industry should start seeing results by the end of this year.

Thomas Dunbar, global CSO of Bermuda-based insurance company XL Capital, says that one of the goals he sets for his employees is to receive the industry benchmark Certified Information Systems Security Professional certification, offered by (ISC)2. "It [provides] a good, well-rounded security education," he says. "It is going to show you have a solid foundation."

Jeff Frisk, director of the Global Information Assurance Certification (GIAC), the certification arm of the SANS Institute, says the information security industry is so hot, employers do not want to hire someone who could be "faking" their intelligence by listing bogus experience on their résumés.

"If I was a hiring manager, and I was going to bring in someone to secure my systems, and they had no letters next to their name, I wouldn't feel confident they would hit the ground running," he says.

Still, others argue that nothing can trump on-the-job learning, especially compared to certifications that sometimes are supported by short training sessions, known as "boot camps." Not only are the boot camps often brief, but, some contend, participants likely retain little knowledge.

Dunbar says certifications certainly carry weight, but — as many other high-ranking security executives would agree — they do not do much more than provide the proverbial foot in the door.

"It's not going to get them the job," he says. "They have to have experience to back it up."

Experience also comes in handy when trying to obtain the certification itself. Elise Yacobellis, acting director of corporate development for Vienna, Va.-based (ISC)2, says the organization offers three to five-day training courses for its popular certifications — but she does not solely recommend them as a way to succeed on the test. "You really have to have the experience behind you to actually pass the exam," she says.

Naysayers argue that the certification exams often cover information that is general and easy to memorize, while failing to gauge a test-taker's real-world critical ability to solve a security dilemma.

"I don't know a single person who's failed to get a certification," says Lloyd Hession, CSO of BT Radianz, a New York-based provider of IP connectivity. "It's widely known that it's pretty easy to get these certifications. If you don't know anyone who's failed, what is the real value to weed out individuals?"

Meanwhile, Frisk of GIAC says to become certified, it takes students about four months, counting training, to pass two required security exams. In the end, the work pays off, he says.

But Gossels says accreditations are only one indicator of aptitude. "These credentials don't tell you some of the most important things: intelligence, judgment and work ethic," he says.

Most agree there are upsides to receiving certifications. For one, they can serve as a indicator of who to promote within an organization. In addition, having a certain credential improves the ability to communicate with others who hold that same accreditation by creating a uniform understanding of the subject matter, says Scott Pinzon, editor-in-chief of threat management provider WatchGuard's LiveSecurity Service.

"It's really great when you get people to say the same term and mean the same thing," he says.

 CERTIFICATIONS:
Improving brand image