Within the information security community one of the most debated topics is that of security certifications. I previously blogged about certifications and gave my own views. The mailing list of the Irish OWASP Chapter also had a recent discussion centred around the topic. Many asked what value a certification has, which ones they should get, and whether CPEs really add any value.
Richard Nealon, a well respected member of the Irish infosec community who has been involved as a volunteer with (ISC)2 in various roles over the past 10 years and was honoured with the COSAC award in 2003, gave one of the most insightful contributions to this debate that I have read in a long time. I talked to Richard and he has agreed to allow me to publish his thoughts here:
As a former member of the (ISC)2 Board of Directors, and active volunteer, you’ll not be surprised to find that I have strong opinions on the topic.
You might be surprised though, to find that they’re not too far from all of the points raised so far.
First point: There are three types of certification available in the market at the moment:
Technical certification – SANS, Vendor related (Microsoft, Cisco, Symantec, etc), EC Technical Hacker, etc
Generic certifications – ISC2, ISACA
Academic certifications – MSc, Dip in Forensics, etc.
Each of these has its merits & demerits, but I think that we have to look at the area of certification (and what it offers each of us) holistically rather than focusing on one particular cert.
Which one of these types is best? To use the great SOx answer – “It depends”
It depends greatly on what your chosen/planned career path is, the security of your job, your expectations for the future…
I’d argue that any certification doesn’t prove competence in any manner. It only goes to show that an individual has been successful in achieving a certain score at a point in time.
Nevertheless, in so many cases, recruiting employers will list a specific certification (or range of certs) to set a baseline and discourage what they consider to be the timewasters (those going for the job despite having no experience). In most cases, for security management roles, CISSP or CISA (CISM is the more appropriate ISACA cert but simply isn’t as well known) are used as that baseline. That’s just the way it is – (ISC)2 has been around over 20 years with a membership of about 60k and ISACA even longer. The reason that these specific baselines are used, is only because there’s nothing better on offer that’s as well known in the marketplace.
Now – let me come back to an important point in the last paragraph. You’ll notice that I mentioned “for security management roles”. The baseline certs being looked for should be much different if the organisation is recruiting a DBA, Firewall admin, RACF support…. but unfortunately they nearly always use one-size-fits-all (primarily because they don’t really understand what “security do”).
I was speaking with a chap last week who’s a graduate of the MSc programme in Information Security from Royal Holloway. The job he was interviewing for was to independently review and report on a PKI implementation. Despite having implemented and managed a large PKI environment in the past, and having the MSc, the employer rejected his tender because he didn’t meet their certification criteria (i.e. didn’t currently hold CISSP or CISA).
If you’re looking to set your career as a security techie – go for, and maintain, technical certifications.
If you’re looking to set your career in security management – get at least one of the generic certifications and maintain it.
If you want to educate yourself – go off and get an academic certification.
If you’re never going to have to interview again (internally or externally) – save your money and let your certifications lapse.
Them’s the options! Take your pick.
CPEs first – Many of my CPEs are maintained by attending the monthly e-symposia from (ISC)2 and ISACA. I normally access them via the archive after a couple of months and get them done in one large tranche. Between the two, I can claim about 60 CPE hours a year if I’m bothered (3 CPEs per symposium, by about 10 instances from each organisation per year). Past that – every hour that you receive a vendor presentation or demo; every exam question that you write and submit; every time you read the newsletter and answer the Quiz; every hour that you volunteer your services on a committee or board; … There are so many ways to earn CPEs free of charge, that only require the time and effort from each of us. First port of call for quick & easy (and free) CPEs: https://www.isc2.org/e-symposium/default.aspx
AMFs – so what do we get for our $65? We get free seminars, we get reductions on a huge amount of vendor training, we get free e-symposia monthly, we get a quarterly newsletter, we get deliverables (e.g. recent awareness material submitted by members), discounts off the academic journal, online fora, and a host of other “stuff”. Have a look at https://www.isc2.org/member-benefits.aspx. Most of all, we get the advantage of putting CISSP after our name. This identifies us as professionals (this is what we do for a living), as distinct from amateurs. It doesn’t necessarily make us good professionals – as MD doesn’t necessarily guarantee good doctors, but would you want an amateur treating you for a medical complaint?
In terms of competing certification bodies, some organisations certainly do provide more content than (ISC)2 – but they also charge significantly higher AMFs!
Pertinent question being: What offers best value for money?
On a personal note – I’m happy to pass back any constructive suggestions from the group to their exec management as to what (ISC)2 should be doing to make their offering more valuable to their members. Please don’t just tell me that they don’t offer enough content, opportunity, support…
Rather, outline exactly what you think that they’re currently missing, e.g. local chapters, free seminars, technical guidelines, areas of the CBK that should be covered, new certs.
I think you will agree Richard has made some very good points. So if you have any constructive suggestions for Richard, please put them in the comments below and I will pass them on.
If you are looking for more information on what certification programmes are available, then here is a list I compiled previously. Finally, it is interesting to note that in today’s SANS NewsBites a survey conducted by Foote Partners highlights that there is a high demand for certified security professionals. Interestingly enough, it is the technical courses provided by SANS that are most in demand, with the GIAC Certified Incident Handler being the most sought after.