Recently, I became an International Information Systems Security Certification Consortium (ISC2) Certified Information Systems Security Professional (CISSP). The pursuit was difficult, but that was to be expected, as the certification is one of the most sought-after information security credentials. Like many certifications, it can add significant bargaining weight when changing positions or jockeying for a raise.

Certifications don't necessarily make or break one's career, but can contribute to one's overall package. Whether you're satisfied in a position or looking to upgrade, it's in your best interest to stay as knowledgeable and marketable as possible. Understanding that certifications may not be a panacea but certainly have value is the first step in determining which certifications (if any) are worth pursuing based on your career goals.

The value of certifications

There has been much debate over the validity and usefulness of certifications, but one thing is clear: knowledge without the ability to apply it is functionally useless. That's one reason why some certifications require significant real-world experience as part of the certification process. IT recruiters are keenly aware of this.

"You may be a whiz at taking certification exams," says John Estes, vice president at IT staffing agency Robert Half Technology, "but if you don't have the benefit of troubleshooting [experience] in a business environment, you won't last long." Justin Keller, an infrastructure recruiter at TEKsystems Inc., agrees. "Certifications are something that will set apart qualified candidates from the rest of the field but they cannot be expected to replace real life experience," Keller says.

However, there has to be some value to a certification besides a fancy certificate for display on the wall. Overall, it's not unreasonable to expect a relevant certification to command roughly a 10% average increase in salary over those performing the same duties without the credentials, according to Brian Hunter, an executive and technical recruiter at Talent Scouts Inc. He suggests that people interested in pursuing a particular certification do a cost-benefit analysis to determine the certifications' return on investment.

Without a doubt, pursuing certifications requires tenacity and a willingness to put in long hours of preparation, not to mention the monetary costs, particularly if a "boot camp"-type preparation course is used. As Keller points out, "the financial and time commitments that are required to get many of these certifications are significant."

Basically, certifications by definition should certify that a professional possesses the qualities necessary to accomplish the duties of a particular position. In information security, that means having a very broad experience, knowledge and skills base.

My pursuit to become a CISSP

Information security is one of the fastest growing areas in IT today. Keller notes that "specialization in this area is going to be a solid differentiator in a market that is already very competitive." Certainly in the information security field, having the paperwork to back up the knowledge can be quite valuable. As my information security duties have increased dramatically over the past several years to the point where the majority of my professional activities are related to information security, I felt it was time to achieve that differentiator.

While there are other information security credentials available such as the Certified Information Security Auditor (CISA) from the Information Systems Audit and Control Association (ISACA), I chose to go after the CISSP certification because of its reputation and vendor-neutrality and because my knowledge and experience matched the CISSP requirements well. In addition, the managerial components of the CISSP credential fit with my aspirations to become a chief information security officer (CISO).

To become a CISSP, a minimum of five years' work experience in two of 10 knowledge areas, referred to as domains, is necessary. We're not talking just technical areas here, as the domains include not only nuts-and-bolts topics such as networking and cryptography but managerial and planning tools such as business continuity and disaster recovery. This is because information security is at the core a business process or, more exactly, a method to ensure that the business continuity is unimpeded.