Certifications have long validated security skills, says W. Hord Tipton of (ISC)2. But do they remain relevant? Dan Kaplan finds out.
As its executive director, W. Hord Tipton may run the show at nonprofit (ISC)2, which manages the security industry's flagship certification – the CISSP – but he knows no credential can serve as a silver bullet.“I once had a CIO at a major [federal government] department ask me how many CISSPs does he need to have to guarantee perfect security,” recalls Tipton, 68, the former CIO of the U.S. Department of Interior. “The answer, of course, is, ‘It's not possible.' Even if you have the perfect person in place, and they write you the perfect policy and configure your systems perfectly, but you don't have compliance with those policies, there isn't a single thing your security person can do.”
Human error remains the Achilles' heel of most security operations. An organization can have all of its ducks in a row, but if an employee decides to click on an email attachment claiming to be a work-related document, but which actually turns out to be a trojan for which there is no detection, the most knowledgeable security pro in the world may not be able to save its network from compromise.
Still, education is a necessity, Tipton insists. And while the computer science curricula offered by colleges and universities continues to expand, certifications remain the defining way for security pros to learn the trade (through training for the exam) and for potential employers to assess their abilities. This is particularly important in a market where the cyber security workforce is in far greater demand than there is supply, a disproportion that is accentuated as data protection becomes more critical in light of emerging technologies, such as cloud, and an increasing number of devices becoming network-connected.
The Certified Information Systems Security Professional (CISSP) credential, which received the coveted American National Standards Institute (ANSI) accreditation in 2004, covers a total of 10 domains spanning the core principles required of the information assurance professional. By holding this certification, available once individuals have achieved five years of full-time security work experience, they can demonstrate they have a broad-based understanding of the discipline and are willing to become – and stay – qualified.
“College graduates are not coming out with the [adequate] skills and knowledge,” Tipton says. “I know one of the selling features of the CISSP is it not only validates they have some knowledge of security today, it will keep them tied to the changing nature of that.” (Holders of the credential must undergo 120 continuing professional education (CPE) credits every three years – or they lose it.)
But Tipton admits perplexity sometimes reigns in an industry where there are scores of security certifications, being offered by vendor-agnostic entities like Florida-based (ISC)2, as well as security solutions providers, such as Cisco.
“We are working with other organizations to try to be explanatory and be simpler in what our credentials mean,” he says. “What is the value from certifications? It's a confusing world where you've got at least 250 acronyms out there.”Rick Bauer, director of research at CompTIA, a Chicago area-based IT trade association, says his organization is bringing providers together so a “roadmap” can be developed that matches certifications to job descriptions.
“I think certifications may have suffered from their friends more than folks who don't believe in them,” says Bauer of the plethora of acronyms that security practitioners display beside their names on business cards, often mockingly referred to as an alphabet soup.
Bauer helped lead the formation of the Cyber Security Credentials Collaborative (C3), which consists of vendor-neutral certification bodies specializing in IT security and privacy: CompTIA, EC Council, GIAC, ISACA and (ISC)2. The stated purpose is to offer a forum for collaboration that “will result in the advancement of IT careers, a more prepared workforce, greater insight into how these certifications are developed and how they meet the IT needs for organizations, including governments, private enterprises, educational institutions and the public at large.”
Bauer says certifications have suffered because there are so many of them. As a result, security pros and hiring managers often are unsure of their value, which results in workers not obtaining the correct cert or organizations being unable to match a candidate with the right position.
“These are our customers who don't understand it,” he says. “We can't communicate the value proposition of certifications, and it's really important for us to help to inform the workplace.”
CISSP: Tests 10 domains
Arguably there is no place feeling the pressure more when it comes to security hiring than the federal government. A 2010 report from the Center for Strategic and International Studies concluded that there are only about 1,000 individuals in the United States with the specialized security needs to defend cyber space, whereas 10,000 to 30,000 are needed. The reasons for this dearth of talent include a lack of interest in pursuing science, technology, engineering and mathematics (STEM) majors in college; poor salaries when compared to the private sector; and complex security clearance processes.
Another, often less-recognized reason is confusion over the value of certifications. That's why one of the initiatives from the nation's National Initiative for Cyber Security Education, to be led by the Office of Personnel Management, an independent branch of the federal government charged with managing civil service, is trying to create a common taxonomy for cyber security professionals that will enable hiring agencies to match roles to competencies.C3, in conjunction with the University of Maryland and several analytics firms, is planning to embark on a study on behalf of the U.S. Homeland Security and Defense departments that will measure the value of certifications, both for the individual who takes the exam – remember, there are months, sometimes years of preparation required – and the organizations who employ the certified workers.
Clearly, demonstrating the value of certifications is a key priority for credentialing bodies. Regardless, the flagship accreditations are doing better than ever. Tipton says December was a record-breaking month, when there were some 3,700 CISSP exams taken (only about half passed).
And it's no surprise that it is one of the most sought-after certifications, considering holders make about $98,000 a year on average, up from $78,000 if they didn't have it. (ISC)2, which also offers well-known designations like the Certified Secure Software Lifecycle Professional (CSSLP) and Systems Security Certified Practitioner (SSCP), counted more than $25 million in assets in 2010.The allure of acronymic designations extends to specific products as well, says Tony Iovinelli, president of West Chicago, Ill.-based SmartSource, an IT staffing company. His firm hires personnel for tech clients, which then outsource these workers to organizations in need of someone certified, for example, a Cisco Gold partner.
“It could be that the vendor is upselling that they have certified people, or it could be the buyers are being more demanding,” Iovinelli says. Either way, a certification embodies dedication. “It gives them comfort when hiring individuals,” he says. “If this individual went through that certification process with a vendor, the certifications kind of screen their willingness to improve their own skills and character.”
Still, the value of certifications is dropping, according to Vero Beach, Fla.-based Foote Partners, which tracks the market. In fact, their value, defined as the portion of a worker's salary tied to the individual carrying a credential, dropped nine percent over the last two years.
David Foote, the company's CEO, says 2011, in particular, was a correction year for certifications. As budgets sprung back to life following the financial collapse in 2008, organizations became more focused on investing in revenue-generating projects, something security oftentimes fails to provide.
“[Certifications] are not as important as they used to be in the overall template of what a security person is,” Foote says. “Now they're influencers, they're marketers, they're evangelists.”
The most desired security hire has become those individuals who can show off multidimensional talents, specifically their ability to connect with the business and speak the language, Foote says. As a result, employees with a narrower, technical focus – and their related certifications – get short shrift.
“When security was thought of as more of a technical issue, security certifications were much more popular,” Foote says. “People have realized you have to do security in the process of the business, so we can't be a hindrance. We have to get people here to talk and influence business people.” (It should be noted that there are a growing number of management-related certifications, such as the Certified Information Security Manager (CISM) accreditation from ISACA.)
Dave Piscitello, senior security technologist at ICANN, views the problem with certifications somewhat differently. He says he still sees value in the technical training aspect, but it's just focused on the wrong thing. Many credentials address compliance audit preparations and offensive security – penetration testing, for example – but fail to really cover some of today's largest needs: monitoring for intrusions, containing breaches and performing analysis, he says.
Many industry professionals, Piscitello says, have accepted the “security fatalist” argument that breaches are a when-not-if proposition. Organizations already should assume they have – or are going to be – hit by adversaries. That's why he says they need to have security employees who are well versed in the admittedly less glamorous position of defense.
“We're good at deconstructing things,” says Piscitello. “We're not quite as good at constructing things that don't break. So it might be nice if we concentrated on that aspect when teaching people.”
Part of that includes building a network and communications channel that enables trustworthy incident response, he says, adding that he could never envision hiring a convicted hacker. “Part of the fundamental problem here with the way we're approaching this is we're starting with the basis that we want people to be creative and explore, but we don't give them boundaries.”
(ISC)2's Tipton says he believes certifications provide the best way to validate one's skill set. In fact, when he began in 2002 at the Department of the Interior, Tipton remembers entering a culture where there was little, if any, concern paid to an adversary who may want to steal data. But eventually, the mindset changed, and certifications were a big part of driving that shift.
Tipton remembers his boss determining that the best way to vet the security abilities of its staff was to have members take the CISSP. The agency gave them a year to prepare, and despite “a lot of screaming and hollering” by workers, it turned out to be the best decision.
“I wound up being the first CIO in a Cabinet-level job to get it,” says Tipton, who is not related to the recently deceased Harold “Hal” Tipton, who co-founded (ISC)2 in 1989. (The organization also lost another long-time staffer in March when Judy Livers, senior market development manager, passed away.)
Still, he admits that while taking certification exams requires training and meets educational needs that many colleges and universities currently can't provide, it is no substitute for more formalized learning.
That's why (ISC)2's charitable arm, the (ISC)2 Foundation, is trying to reach students before they arrive at college, with efforts such as its Safe and Secure Online program, which encourages professionals to visit 7- to 14-year-olds at school and get them interested in the field. The program also offers scholarships to high school students who excel in capture-the-flag competitions, such as the U.S. Cyber Challenge.
“Education across the board is desperately needed,” Tipton says. “Our quest is to get this to high school, where people can be trained on this on the ground up and don't have to be converts from other areas. Our academic systems are not designed to develop people like this as they might be for hard sciences.”