Rise of certifications bumps up salaries


Guardians of the corporation, rejoice! Rumor has it that security is paying more than other IT professions. But are you earning as much as you could? Wherever you are on the salary scale, research is showing that having a black belt in security could bring you even more money than you are earning now.

"Security salaries and certifications pay above the average in IT," says David Foote, president and chief research officer for analyst firm Foote Partners. "The reason is that protecting information is important. The internet has put a huge focus on information security."

Foote says that despite the industry's recent nosedive, overall pay for qualified IT folk is up by two percent this year. But security certified pros are having the best time of it, hovering above that figure at 2.6 percent. Over the past two years, overall IT qualification pay fell 4.2 percent, but qualified security pay rose 3.8 percent.

The question is whether you believe certifications are worth the effort. And then, if you do decide to sign on the dotted line, which one should you choose? There is a healthy selection of security certificates on the shelf, but the main three vendor-neutral courses are run by (ISC)2, ISACA and SANS.

While SANS exams look at more technical issues – and Foote believes its GSE certification pays well above the average – ISACA and (ISC)2 tend to look at a broader range of subjects.

"If you look at what's doing well, there has been a steady rise in interest for the ISACA's CISA [Certified Information Systems Auditor]," says Foote.

Foote's research found that the number of certified CISAs was rising by 20 percent each year, but in the past two years, there has been an increase of 50 percent.

"Think of all the auditing that's going on now, such as HIPAA. That's driven up the demand for auditors. If you look at contracts for IT systems auditing, they require certification."

According to research from Certification Magazine, people who had (ISC)2's Certified Information Systems Security Professional (CISSP) certificate made, on average, $83,333 a year.

Public interest in the CISSP exam has also risen – the number of certified CISSPs has risen 18 percent since last year, and 44 percent from two years ago. Currently, there are 27,000 CISSPs in 106 countries.

To get a CISSP, you need to prove three years' security work experience – four if you don't have a university degree – and pass an exam. You can cram for the exam at a one-week boot camp or take your time and learn gradually. But if you do not have three years' experience, can you cut any corners?

"There's always a way to get around that," says Richard Starnes, who teaches the CISSP course. "You've got to rely on the professionals [to enforce standards].

"The CISSP has a very positive influence in salary. If you need to whittle 12 CVs to three, you can use it for that. The purpose of certification, like education, is to ensure a minimum standard. But does taking a certificate guarantee that someone will be fit for purpose? I think it gives baseline knowledge."

Metin Yilmaz, security recruitment consultant for U.K. firm Spring, says he is seeing a rise in demand for security professionals, but finds it easier to place candidates if they are qualified.

"Good CISSP security candidates are in great demand," he says. "Commercial experience used to be the big thing. Of course, it still is, but the qualification can give you the edge."

In the U.K. this year, British Telecom is putting 50 staff through CISSP boot camp – a week cramming for the exam.

"We looked for the most credible certificate for education," said Mike Todd, programme director of information assurance for BT. "We settled on the CISSP. We've put 19 people through, and we're training a further 26. We trust the certificate quite a bit. We have had people who've been in the business for 20 years do it, and people with just three years' experience. Compliance with this means that employees can use it to negotiate salary and benefits."

But Steve Crutchley, CSO for 4FrontSecurity, is skeptical about the CISSP qualification. He believes that security professionals need a broader understanding of the job.

"To me, vendor certifications do not mean too much," says Crutchley. "Technologies change, so the certifications do not stay consistent. The CISSP certification is very broad and shallow, for example. It is a career certification. Anyone with some experience has left this certification way behind, but I do not want to knock it because it provides a good basis to start."

"Real security guys have to be both business and security savvy," says Crutchley. "ISACA has recognized that security is playing an ever-increasing role in business. Its CISM certification must be one of the best to obtain, as you have to prove that you have gone the distance and understand a wide and broad range of issues in this discipline."

Foote also thinks that the CISM is one of the better qualifications to attain. "We look at what's important to firms, and it matches [the criteria] perfectly."

More than 4,500 CISMs have been awarded since the program began in 2003. The CISM is broken into five main sections – management of information security, governance, program management, risk management and response (13 percent).

Leslie Macartney, who chairs ISACA's CISM program, insists that the CISM, CISA and CISSP certifications were written to complement each other.

"Only a small percentage of people interested in management should think about CISM," she says. "There is overlap, but that's why people can easily move from one area to another. It's good for a broad range of things."

But Macartney is unsure how useful the boot camp approach is to learning. "Many people are good at security, but not good at remembering things. Boot camps could be good for them. On the other hand, some people learn things for just long enough to pass exams."

While some firms are using certificated security staff to boost their corporate image, the legal eagles say it could become a requirement.

"There are many times when a company owes some type of duty of care to its customers," says Robert Carolina, director of specialist law firm Origin.

"If a person suffers harm as a result of a security breach at the company, then that company might face a liability to the injured person," he explains. "It will often help the company's defense if it can demonstrate that it took 'reasonable' steps to maintain security. A policy of hiring only recognized security experts for this purpose would probably aid that defense. [It could] reduce the liability exposure of the company, as well as the directors."
