Security certifications are expected in the workplace, but they are no guarantee of competence, reports Stephen Lawton.
Certifications in security specialties have become the price of admission for IT job applicants seeking positions in data and network security, auditing and related areas of expertise. While a certification does not guarantee that an applicant is proficient in a given technology, many hiring managers today say that the certification does indicate that the applicant at least has some practical knowledge in their given field.
As hiring processes change and more candidates are found via internet postings of résumés, some sort of mechanism is required to do the initial screening on the candidates for a given position. Often, the human resource personnel tasked with making the initial cuts of prospects are not technologists themselves, so they need some sort of filtering process to get through the résumés. A popular filter today is certifications.
Certifications are conferred by a variety of vendor-neutral industry organizations and by vendors themselves. While the jury is still out on which certification tests are most valuable and revealing about a candidate's talent, many hiring managers today say that for mid-level engineers and below, certifications are expected to demonstrate sufficient proficiency.“The more experienced an uncertified candidate is, the more doubt I have about their claimed abilities,” says Bradley Schaufenbuel, senior vice president and chief information security and privacy officer at Midwest Banc Holdings, of Melrose Park, Ill. “After all, if you are a security guru, have years of experience under your belt, and eat, breath and sleep security, then passing a security certification exam should be a piece of cake. Professional certifications, such as the CISSP (Certified Information Systems Security Professional) and the CISA (Certified Information Systems Auditor), have been listed as requirements or strong preferences on security job descriptions for well over a decade now, so there is no excuse for not making the effort if you are serious about this profession.”
Chandler Howell, security leader for a Midwest-based manufacturer of electronic gaming equipment, agrees. “The certification is really a signaling mechanism more than a guarantee of ability. If someone has gone through the cost and effort to obtain and maintain a certification, that implies a degree of long-term interest and commitment to the field,” he says.
“If the candidate lacks a certificate, I expect to see a rationale for why they don't hold one — and I know many extremely talented people who choose not to certify — or an intention to obtain one, depending on the level of the position,” he adds. “An uncertified candidate who has neither of these is probably not going to be a fit for my team.”
Despite the need for job prospects to show proficiency in the security field, test-taking and certifications are not enough. “Experience is clearly more important [than a certification] to do the job,” says Jonathan Gossels, president of SystemExperts Corp. in Sudbury, Mass., “but the person will not get the opportunity to interview if they don't have certification.”
Gossels, whose firm does security testing, compliance and assessments, adds that while having multiple certifications alone might be useful, a hiring manager should look more closely at the level of the certificate — is it normally one earned by an entry-level technician, mid-level engineer or an expert in the field — and when the certificates were earned. Candidates with high-level certificates that were earned years ago generally have more experience since they also have had to keep up with continuing education in their specialty, he notes. A candidate with many recent, low-level certificates might be tying to appear more experienced than they are.
At the management level and above, technical certifications often give way in importance to graduate degrees, business acumen and non-technical issues, notes Joyce Brocaglia, CEO of Flemington, N.J.-based executive recruiting firm Alta Associates. In the IT security industry, the firm specializes in placing personnel in manager or above positions, so having a plethora of certifications is generally not a requirement, she said. Conversely, for candidates without any certifications, particularly CISSP for security experts or Certified Information Systems Auditor (CISA) for auditing positions, the certificates are conspicuous by their absence. These, she says, generally show the greatest competency in their respective fields. CISA, in fact, is becoming almost as important as a CPA (Certified Public Accountant) for auditing positions.Although the certification process is a veritable alphabet soup of acronyms and nearly become a language unto itself, Gossels says it is time to sort out the scores of certifications into some kind of understandable progression. One approach he suggests is to organize titles based on the experience level required to obtain the credential.
For example, Gossels puts such certificates as Security+, TruSecure ICSA Computer Security Associate and GIAC (Global Information Assurance Certification) Certified ISO-17799 Specialist as entry-level credentials, while CISA, CISSP, GIAC Systems and Network Auditor and Cisco Certified Security Professional would fall in the intermediate category. Advanced credentials include GIAC Security Expert, NSA (National Security Agency) INFOSEC Assessment Methodology, and Certified Protection Professional from the American Society for Industrial Security.
A different approach would be to identify credentials that describe a highly skilled security team. Such credentials would be broken out by expertise in areas such as operating systems, networking, middleware and infrastructure, applications-level, and specialized disciplines such as forensics, risk assessment, incident response or data classification.
“Certifications are indicators only, they don't mean anything about real-world experience,” says Steve Orrin, director of security solutions for Intel Corp. in Santa Clara, Calif. The value, however, is that someone with a given certification generally can speak the language and use the same definitions and acronyms of that given specialty. For example, companies hire management personnel with an MBA degree because these candidates can talk about business development and other business issues in terms management personnel understand. While an MBA might be useful for a CISO, it would not necessarily be useful for a technician. Likewise, Cisco certification doesn't necessarily help the CISO.
One organization that has standardized on certification is the U.S. Department of Defense (DoD). DoD Directive 8570.1 requires that every full- and part-time military service member, defense contractor, civilian and foreign employee with access to DoD systems have at least one of several certifications that have been accredited by ANSI or an equivalent authorized organization.
The cost of earning a certification can be significant, and not all employers pay for their employees to take the tests. SystemExperts' Gossels notes that many companies do not appreciate the long-term cost of maintaining staff with credentials. Aside from the expense of paying for the tests themselves, the cost of certification includes employees missing work to attend continuing education classes, seminars, out-of-town conferences and, often, studying for the tests. That said, he underscored the value of having the appropriate certification for a given position.
Even if an employer does not pick up the fees for top-rated certification exams, experts tend to require that lower- to mid-level technicians obtain certification, regardless of the expense.“Pay the cost, but be a careful consumer,” Gossels says.” Stick with the premium brands, the credentials that command respect and whose value stays over time.”
Stephen Lawton has been a technology and business journalist for more than 25 years. He can be reached at [email protected]
Basic training: DoD specsThe U.S. Department of Defense requires that uncertified government and contractor technicians must have their certification by Sept. 30, 2010 in order to continue working on past that date. Should a technician not have the required certification, the person must be reassigned off the government program. The rules to require certification went into effect in 2005. Management objects for certification of DoD employees and contractors include:
workforce with a common understanding of the concepts, principles and applications for each category, specialty, level and function; establish baseline technical and management skills for personnel performing information assurance (IA) functions; implement a formal workforce skill development and sustainment process comprised of education, training and certification/recertification; and verify IA workforce knowledge and skills through standard certification testing.