Seal of approval: Security certifications
Seal of approval: Security certifications

Adjusting for the times

Clearly, demonstrating the value of certifications is a key priority for credentialing bodies. Regardless, the flagship accreditations are doing better than ever. Tipton says December was a record-breaking month, when there were some 3,700 CISSP exams taken (only about half passed).

And it's no surprise that it is one of the most sought-after certifications, considering holders make about $98,000 a year on average, up from $78,000 if they didn't have it. (ISC)2, which also offers well-known designations like the Certified Secure Software Lifecycle Professional (CSSLP) and Systems Security Certified Practitioner (SSCP), counted more than $25 million in assets in 2010.

The allure of acronymic designations extends to specific products as well, says Tony Iovinelli, president of West Chicago, Ill.-based SmartSource, an IT staffing company. His firm hires personnel for tech clients, which then outsource these workers to organizations in need of someone certified, for example, a Cisco Gold partner.

“It could be that the vendor is upselling that they have certified people, or it could be the buyers are being more demanding,” Iovinelli says. Either way, a certification embodies dedication. “It gives them comfort when hiring individuals,” he says. “If this individual went through that certification process with a vendor, the certifications kind of screen their willingness to improve their own skills and character.”

Still, the value of certifications is dropping, according to Vero Beach, Fla.-based Foote Partners, which tracks the market. In fact, their value, defined as the portion of a worker's salary tied to the individual carrying a credential, dropped nine percent over the last two years.

David Foote, the company's CEO, says 2011, in particular, was a correction year for certifications. As budgets sprung back to life following the financial collapse in 2008, organizations became more focused on investing in revenue-generating projects, something security oftentimes fails to provide.

“[Certifications] are not as important as they used to be in the overall template of what a security person is,” Foote says. “Now they're influencers, they're marketers, they're evangelists.”

The most desired security hire has become those individuals who can show off multidimensional talents, specifically their ability to connect with the business and speak the language, Foote says. As a result, employees with a narrower, technical focus – and their related certifications – get short shrift.

“When security was thought of as more of a technical issue, security certifications were much more popular,” Foote says. “People have realized you have to do security in the process of the business, so we can't be a hindrance. We have to get people here to talk and influence business people.” (It should be noted that there are a growing number of management-related certifications, such as the Certified Information Security Manager (CISM) accreditation from ISACA.)