When an organisation uses an information security professional to secure its information systems or to investigate breaches in those systems, the company has to place its critical resources in the hands of that professional. This requires a substantial level of trust. However, determining whether that professional is trustworthy is often not an easy task. One method that helps prove a person's track record is professional certification.
Information security has become a very specialised discipline, and the marketplace for information security professionals is becoming increasingly competitive. As a result, many organisations have begun promoting their specialised security certifications. With the wide range of security certifications available, do more letters after the IT professional's name really equal more value, from the perspective of both the employee and the employer?
There are many information security certifications available today. Many of these certification programs have been developed over recent years to test both the skills and knowledge of applicants, and also to help define the practice more clearly. Generally, information security certification streams can be divided into three core areas:
- Generalist certifications: these streams test a candidate's knowledge against the wide variety of security domains. These broad certification schemes are numerous, but probably the most well regarded is the Certified Information Systems Security Professional (www.isc2.org);
- Specialist certifications: these streams have risen in prevalence over the past 18 months. They test a candidate's knowledge against specific knowledge areas. The SANS (System Administration, Networking, and Security) Institute GIAC certifications (www.giac.org) are a good example. Example certifications available in this scheme are the GIAC Certified Firewall Engineer and the GIAC Certified Intrusion Analyst; and
- Vendor certifications: these certifications test a candidate's knowledge of particular vendor systems or products. Many security products have their own certification paths (such as Checkpoint Certified Security Engineer), while many vendors have certifications that, although not security specific, may have relevance to the security professional (like Microsoft Certified Systems Engineer).
As an employee, when deciding whether to pursue a certification, the benefits and the costs need to be considered. The benefits of certification are numerous. In general, certification serves to assure a person's reputation as a qualified professional and often will lead to improved market worth and therefore, the all-important salary increase.
Importantly, certification can also be a differentiating factor when applying for a job. In fact, some organisations require certification or consider it an important selection criterion when recruiting.
However, the process of attaining certification does have a down side. A look at many certification Web sites (for example, http://www.gocertify.com/security/) demonstrates the very large number of relevant security certifications that exist. Determining which is the most appropriate for an individual and which is the best regarded is often a difficult task. In addition, the cost of gaining a certification can certainly be prohibitive when taking into account the numerous costs involved, including training costs, study aid costs, exam or certification costs, and ongoing maintenance costs.
The critical question to ask is: does the potential value of the certification outweigh the costs?
In general, most employers value security certifications highly. As mentioned earlier, information security is a highly specialised field. The main benefit to the employer is that certification minimises the risk associated with a hire by providing a level of assurance that the staff being used to secure critical information systems have the appropriate skills and knowledge. With security threats and solutions growing more complex, employers are seeing specialised certifications as an essential part of the training program.
In a highly competitive recruitment area, the certification can often act as a differentiating factor between similarly skilled individuals, helping employers make the final recruitment choice. Many employers also hold the perspective that clients look favourably on service providers using the most qualified individuals to perform work.
Security certifications are quickly establishing themselves as a mark of a bona fide security expert. With information security professionals now being required to hold a daunting array of skills, certification shows companies that a person has expertise in a variety of security and business areas.
Pete Merrick is the director of security services for TurnAround Solutions. He is based in Canberra and can be contacted at firstname.lastname@example.org