Earning information security certifications is no easy feat, but evidence suggests that they may not hold the weight they once did for career advancement.
However, that doesn't mean certifications aren't worthwhile pursuits, experts say.
The simple truth is that certifications have become rather commonplace, and the more common something becomes the less special it is, says Lee Kushner, president of LJ Kushner and Associates, a New Jersey-based executive search firm for the information security industry.
As evidence, he points to the more than 73,000 people who hold Certified Information Systems Security Professional (CISSP) certification from the independent International Information Systems Security Certification Consortium. SANS Institute certifications also are popular, with more than 35,000 information security professionals having achieved certification through the organization's various training programs, Kushner says.
“What ends up happening is that everybody applying for promotions or external opportunities have the same qualifications,” says Kushner, who also heads Infosecleaders.com, a website aimed at providing career guidance and research to security professionals.
This is not to say that Kushner advises against certification. “When people make investments in their career, security certifications included, that's good," he says. "Anytime people try to make themselves better they can only benefit."
That is what Paul Stewart, a network engineer with LexNet, an IT consulting firm in Nicholasville, Ky., says he figured when he decided to get a Cisco Certified Internetwork Expert (CCIE) certification last year. “I felt I needed to continue to grow, so I did this for me personally, although the company has seen the value in it,” he says.
A top reason information security professionals should seek certification is to show interest in and a seriousness about their careers and continuing education, says Mike Meikle, CEO of the Hawkthorne Group, a management and technology consulting firm in the Richmond, Va. area.
“I know quite a few IT pros who still believe that they will be judged on their experience, and pieces of paper or letters after their names do not add any value to their careers,” he says. "But in a job market where there are dozens of applicants for every open position, an information security candidate will need every edge available to rise to the top."
Naturally, the higher you are up the corporate ladder, the less significant certification tends to be, some experts say.
“Folks who have lengthy careers and have built up a network of peers who know them and their work can leverage that experience and move to another job,” Meikle says. “But that takes a lot of assumptions – that they've networked and have shown their value to others in different ways than through certification.”
Ted Demopoulos, principal with Demopoulos Associates, a New Hampshire-based information security consulting firm, begs to differ. As a frequent SANS Institute instructor, Demopoulos says he has seen a rising mandate for certification over the last three years or so. “People are telling me that they've got to get certified to keep their jobs,” he says.
Surprisingly, he adds, this occurs at all levels. “I would guess that for the most senior-level people, those who have 10 or 20 years of experience in information security, certification wouldn't matter,” Demopoulos says. "And maybe the top one to five percent would never need to be certified in information security."
“Or, maybe everybody will need to be certified, as in the medical profession,” he adds. "You could be the best doctor in the world, but you still need to be board-certified. Not that I'm trying to say that what we do is as important as saving lives on an operating table. But we are seeing security become more of a profession than just a job we do."
But in keeping with the analogy, being board-certified doesn't necessarily make a good doctor, some would argue.
“Here's the thing about security certifications: A lot of folks believe that achieving an information security certification translates into being qualified for specified opportunities,” Kushner says. “Unfortunately, that's not the case. There's a big difference between being certified and being qualified for a position.”
But unless you're somebody like internationally renowned security technologist Bruce Schneier, finding a way to distinguish oneself is critical. Certification is the obvious, but not the only, way. Being a published author, a well-read blogger, a frequent conference speaker or a participant in information security-related professional associations is one of several ways to draw recognition beyond the list of certifications that may or may not follow one's professional designation, experts say.
Those attributes, however, aren't search-engine friendly – a bad thing in today's world, Meikle says.
Résumé SEO, or search engine optimization, is another top reason why IT security professionals should get certified, he says. “Without the right keywords in a résumé, you won't get noticed within the automated candidate recruitment tools that recruiters use so extensively today,” Meikle says. “Recruiters use keywords and phrases to filter out résumés. It's not fair to a security pro who has decades of experience with lots of credentials but no certification. Unfortunately, that's the way it is. It has become physically impossible for recruiters to sort through résumés manually.”
CISSP, for example, has become a fairly standard requirement for getting one's résumé through the chute. But, depending on the type and level of security position open, a boatload of more specific technical certifications, such as those from the SANS Institute, might apply as well, Meikle says. Also worth noting, he adds, is that the Certified Ethical Hacker designation from the International Council of E-Commerce Consultants (EC-Council) has moved up the SEO ranking this year with the renewed onslaught of malware and the WikiLeaks situation.
The key thing to understand is that certification is only the ticket in, Kushner says. “It's not going to guarantee you any dance partners.”
With that in mind, he encourages IT security professionals to figure out whether, and which, certifications work to their best advantage. If one wants to be a security generalist, then go for the CISSP or ISACA's Certified Information Security Manager certification, Kushner says. If something specialized, such as penetration testing, is one's thing, get training and certification in that particular area, and so on.
“Most important,” Kushner says, “is that you figure out your career plan and map any certifications, or your time and effort, into that.”
With the glut of security certifications, receiving one of these designations is not as much a career differentiator as it might have been 10 years ago, says Lee Kushner, president of LJ Kushner and Associates. Not only that, he warns that too many security certifications may prove detrimental.
In hosting a panel at the recent RSA Conference 2011, Kushner said some CSOs and CISOs agreed that they're more likely to discard the résumé of somebody who has too many certifications listed versus the person who has only one or two strategic certifications. “Why?" he says. "Because the person who has a high number comes across as more focused on achieving certification than on doing work."
Whether he agrees with that sentiment is beside the point, Kushner says. “The point is, it's an interesting observation from people who are leading security organizations. There is a concept of security certification overload.” – Beth Schultz