Certifications have long validated security skills, says W. Hord Tipton of (ISC)2. But do they remain relevant? Dan Kaplan finds out.
As its executive director, W. Hord Tipton may run the show at nonprofit (ISC)2, which manages the security industry's flagship certification – the CISSP – but he knows no credential can serve as a silver bullet.

“I once had a CIO at a major [federal government] department ask me how many CISSPs does he need to have to guarantee perfect security,” recalls Tipton, 68, the former CIO of the U.S. Department of Interior. “The answer, of course, is, ‘It's not possible.' Even if you have the perfect person in place, and they write you the perfect policy and configure your systems perfectly, but you don't have compliance with those policies, there isn't a single thing your security person can do.”
Human error remains the Achilles' heel of most security operations. An organization can have all of its ducks in a row, but if an employee clicks on an email attachment that claims to be a work-related document and actually turns out to be a trojan for which there is no detection, the most knowledgeable security pro in the world may not be able to save its network from compromise.
Still, education is a necessity, Tipton insists. And while the computer science curricula offered by colleges and universities continue to expand, certifications remain the defining way for security pros to learn the trade (through training for the exam) and for potential employers to assess their abilities. This is particularly important in a market where the cyber security workforce is in far greater demand than there is supply, a disproportion that is accentuated as data protection becomes more critical in light of emerging technologies, such as cloud, and an increasing number of devices becoming network-connected.
The Certified Information Systems Security Professional (CISSP) credential, which received the coveted American National Standards Institute (ANSI) accreditation in 2004, covers a total of 10 domains spanning the core principles required of the information assurance professional. By holding this certification, available once individuals have achieved five years of full-time security work experience, they can demonstrate they have a broad-based understanding of the discipline and are willing to become – and stay – qualified.
“College graduates are not coming out with the [adequate] skills and knowledge,” Tipton says. “I know one of the selling features of the CISSP is it not only validates they have some knowledge of security today, it will keep them tied to the changing nature of that.” (Holders of the credential must earn 120 continuing professional education (CPE) credits every three years – or they lose it.)
But Tipton admits perplexity sometimes reigns in an industry where there are scores of security certifications, offered by vendor-agnostic entities like Florida-based (ISC)2 as well as by security solutions providers, such as Cisco.
“We are working with other organizations to try to be explanatory and be simpler in what our credentials mean,” he says. “What is the value from certifications? It's a confusing world where you've got at least 250 acronyms out there.”