<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Neohaxor.org &#187; certification</title>
	<atom:link href="http://www.neohaxor.org/tag/certification/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.neohaxor.org</link>
	<description>InfoSec / Critical Thinking / Misc Crap</description>
	<lastBuildDate>Thu, 21 Oct 2010 16:33:27 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.5</generator>
		<item>
		<title>Value of Security Certifications</title>
		<link>http://www.neohaxor.org/2008/09/10/value-of-security-certifications/</link>
		<comments>http://www.neohaxor.org/2008/09/10/value-of-security-certifications/#comments</comments>
		<pubDate>Wed, 10 Sep 2008 12:33:38 +0000</pubDate>
		<dc:creator>Nathan Hamiel</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[certification]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.neohaxor.org/2008/09/10/value-of-security-certifications/</guid>
		<description><![CDATA[<p>Even if someone doesn't have experience you at least want people who can find answers, who have a genuine interest in the security field, and who can think critically. ... Certifications aren't good for much else unless you just like framing them and putting them on your wall ;) The biggest advantage of a certification is that it allows you to display the designation.</p>
]]></description>
			<content:encoded><![CDATA[<p>This topic is one that I have had plenty of conversations with people about, but have not spent much time writing about. What got me thinking about this topic again was Seth Hardy recently requested to be added to the ballot for the ISC2 board. More information can be found on <a href="http://www.sethforisc2board.org/isc2.html" title="Seth For ISC2 Board">www.sethforisc2board.org</a>. What&#8217;s great about Seth is he sees problems and wants to do something about it. I think sometimes we often resort to just complaining about issues rather than doing something about them. I say bravo to Seth. Even if Seth gets elected, I am not sure anyone would listen to him, but I like the idea that they would. I strongly urge ISC2 certified individuals to sign his ballot.</p>
<p>I am going to be as objective as possible in this post. People who know me know that I have a distaste for some of these certification vendors due to their deception and motives. I hold quite a few certifications myself going back to the 1990&#8242;s and have dealt with many of these organizations first hand. I have had plenty of time to hone my opinions and in the end that is all they are, my opinions. Feel free to agree or disagree.</p>
<h3>What is Certification Supposed to be About?</h3>
<p>The world of information security tends to be quite a bit different from other professions. Other disciplines may live and die by certifications and licensure. For example, in the medical field you want licensed physicians who are possibly board certified for their specialties. Additionally, stenographers, interpreters, and many other professions have national certifications that open up great opportunities for individuals following certification. The bodies that handle these certs in other disciplines are much different from those in the information security world. Other disciplines typically have certifications issued by national associations or other recognized industry bodies. In the information security world it is typically done by private businesses and masked bodies. I will get into this more later.</p>
<p>Certification is supposed to be about demonstrating a baseline level of knowledge for a particular area. Licensure, as I see it, is the granting of a license based on a certain set of baseline qualifications. The way you go about demonstrating competency can vary from certification to certification.</p>
<h3>What You Look for in Security People</h3>
<p>What do you look for in security personnel? Most likely there are no objectives of a certification that cover that. Often the number one thing people look for is experience. Nothing trumps experience; even certification vendors know that. Along with experience is depth of knowledge. If someone doesn&#8217;t have experience you at least want people who can find answers, who have a genuine interest in the security field, and who can think critically. I haven&#8217;t seen a Certified Information Security Googling Professional certification yet <img src='http://www.neohaxor.org/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' />  What about soft skills? Writing skills? There are many factors about the people you wish to hire that are well beyond the scope of a security certification.</p>
<p>Three general areas that people look into when hiring information technology people are experience, education, and certification. They may throw these areas around and substitute them, but the requirements are going to be there. Once the gatekeepers are passed, it is up to the interviewee and the impression they make to land the job.</p>
<h3>All About the Benjamins</h3>
<p>Certification in the infosec world is typically handled by private companies and is either vendor specific or vendor neutral. Sometimes these companies will masquerade as an org, but when you pay them for training or certification, watch where your money goes. It&#8217;s not the org front <img src='http://www.neohaxor.org/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' />  It&#8217;s in the best interest of these companies to draw blurry lines between their different parts. You may hear things like, &#8220;No, this company provides the training; the certification is from this other organization&#8221;. Who do they think they are fooling? It is the same people working at both organizations and proctoring the tests.</p>
<p>More benjamins equals more win for the companies providing the security certifications, training, or CPE style credits. Or maybe you can just take the road that <a href="http://www.giac.org/reginfo/challenge.php" title="SANS">SANS</a> does and just charge an outrageous price for your certification challenges right off the bat. Yes, yes, I know. I called GIAC SANS. Same thing <img src='http://www.neohaxor.org/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' />  They are counting on people with security training budgets and certification reimbursement and saying &#8220;screw you&#8221; to the little guy. Certification vs. value: make the decision for yourself. I personally think they are pricing themselves out of the running to compete with the big dogs <a href="http://www.isc2.org" title="ISC2">ISC2</a> and <a href="http://www.isaca.org/" title="ISACA">ISACA</a>, but, oh well. I am entitled to my opinion. I am not saying they are trying to compete directly with them, but there are more people looking for CISSPs than there are GIAC certified individuals.</p>
<h3>Why Security Certification is hard to make</h3>
<p>There are certain roadblocks to certs in the information security space. This is because everyone from the person that deploys anti-virus software to the individual reverse engineering software is considered a &#8220;security person&#8221;. These are wide and varied disciplines that take greatly differing skills to perform. So from a certification perspective you either have to specialize or generalize. When generalizing you have to be very broad and lose depth. When you specialize you lose overall market appeal. It&#8217;s hard to draw that line. This may be important when you are considering certification. If you are a specialist and there is a certification that fits your particular specialty, then there may be some additional appeal.</p>
<h3>Perception is Everything</h3>
<p>Certification value is pretty much all about market perception, regardless of the actual value of the certification to you personally or your peers. The greatest, most perfect security certification in the world can come along, but if it has no market value then there is pretty much no value in getting it. One way to gauge how well perceived the certification may be is by going to job search sites and looking for job positions in which you are interested. You will see how many mention the certification you are considering. The business side of security likes the thought of certification. It gives them a nice warm feeling inside. Hiring people in any profession is a gamble. You never really know if someone is going to work out or not. The thought of having an additional assurance that they are getting a decent individual is very appealing to them, regardless of how valid the certification is.</p>
<p>There seems to be a perception of certifications such as the CISSP, CISA, etc. as being technical. This perception is incorrect. I split security certifications into two different categories: Functional and Awareness. I consider certifications such as CISSP, CISA, Security +, etc. as awareness based certifications. These certifications do not go particularly deep into each of their domains but provide awareness across all of their domains. Functional certifications are ones that are more vendor specific and / or cover the functional aspects of particular items or domains.</p>
<h3>Certification (may) = Win</h3>
<p>Let&#8217;s take a look at some of the advantages of certification in the information security field. Certifications in the security field are all about your professional life. They are about your job and your future job prospects. Certifications aren&#8217;t good for much else unless you just like framing them and putting them on your wall <img src='http://www.neohaxor.org/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' />  Keep in mind all of these potential win situations for certifications are all based on someone else&#8217;s perceptions at a given time.</p>
<p>The biggest advantage of a certification is that it allows you to display the designation. This means you can say you are certified, display it on your resume, put it in your email signature, etc. Certifications are sometimes used as filtering mechanisms to weed through potential candidates. The person in recruiting or HR may not even forward your resume on to a decision maker because they do not see the certification. The whole goal of submitting a resume is to get your foot in the door for an interview. If you can&#8217;t make it that far then it is a fail situation. Displaying the designation allows you to meet the perceived expectations of someone looking for that particular designation.</p>
<p>Along with the previously mentioned, certifications give you some &#8220;flare&#8221; for your resume. It allows you to add a section to your resume called &#8220;Professional Certifications&#8221;. Now, you may have more than enough content for your resume due to your experience, but for people with less experience it helps fill out a resume.</p>
<p>During the study process for a certification there is the possibility of learning something. Now this probably isn&#8217;t going to be some earth shattering revelation, but the more you know the better off you are. It may force you to look at concepts that you haven&#8217;t taken the time to look at previously. So there is the potential that horizons may be broadened.</p>
<p>Vendor specific certifications demonstrate that you are at least familiar with the interface to a particular product. The world is much better off now that you know where that check box is <img src='http://www.neohaxor.org/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' />  It may give people a sense that you have actually seen the interface before.</p>
<p>Certifications can prove that you have the ability to start something and see it through. Much like education, some certifications take some effort to study for and complete. It can display a certain amount of determination on the part of a potential candidate. It shows that you have not remained stagnant in your career. I know the actuality is stupid, but remember we are talking about perceptions.</p>
<p>Certifications are rarely something that you get looked down upon for. If you are applying for a job or have a job interview I have never heard of a case where someone didn&#8217;t get a job because of a certification they held. I file this under the &#8220;it couldn&#8217;t hurt&#8221; column.</p>
<h3>Certification (may) = Fail</h3>
<p>Security certifications won&#8217;t help you do your job better, lift a car, or save a baby from a burning building. Security certifications in their current iteration seem to be very poor at proving people have baseline competencies, which is what certification is all about. This is something that the business side has not really caught on to yet and probably won&#8217;t.</p>
<p>Certification can be a pain to get. Some certifications require a healthy dose of time dedicated to studying, practice exams, and whatever other resources are required to pass the exam. Even if you are already familiar with the material, it takes time to learn how to answer the questions the way the certification vendor wants them answered.</p>
<p>Certifications can be a pain to maintain. Some security certifications require maintenance. This maintenance involves either re-certifying periodically or submitting credits. The credit based systems require that you get so many credits per year and per certification cycle. For the ISC2 certifications these are called CPEs (continuing professional education).</p>
<p>The benjamins are here to stay: certification costs money up front. This is your initial buy-in to the certification. Certification costs typically range anywhere from 150 dollars to as much as a few thousand depending on what the certification is and what is required.</p>
<p>Oh no, the benjamins are back! Of course everything from re-certification to annual maintenance requires money. Fees, fees, and more fees. Needless to say, unless it is a perpetual certification, you are no doubt going to have to pay money to the vendor periodically.</p>
<p>You really don&#8217;t get anything from certification vendors in return for your time, effort, and money. I think this is the part about certification that irritates me the most. After you have spent the time and effort to get a certification, you really receive nothing useful from them. You may receive notifications about items from the vendor, but it is typically &#8220;who cares&#8221; communication.</p>
<p>You may have ethical issues with certification vendors in which you don&#8217;t want to give them your money. In this case I am right there with you. This could actually be a big turn off in your decision making process.</p>
<h3>The Certified Conclusion</h3>
<p>There are probably valid points that I left out, sorry, but the post is getting long and I don&#8217;t know if anyone will read it anyway. I am sorry if there is anything that I have left out. I also really didn&#8217;t want to talk about particular certifications, so I didn&#8217;t really list any. They are easy enough to find though.</p>
<p>There is really no right or wrong answer about whether to obtain a security certification. All you can do is take the data you have and make a decision for yourself. Visit job search sites and search for jobs with that particular certification. Weigh the time, effort, and expense that you will have to endure to get and maintain the certification. See what other people are saying about the certification. If it makes sense and you think that it will help, then go for it. If it doesn&#8217;t seem worth it, then don&#8217;t. It&#8217;s really hard to judge the future and where security certification vendors are going, so all you can do is make the best decision for yourself in the present.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.neohaxor.org/2008/09/10/value-of-security-certifications/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Seth for ISC2 Board</title>
		<link>http://www.neohaxor.org/2008/09/03/seth-for-isc2-board/</link>
		<comments>http://www.neohaxor.org/2008/09/03/seth-for-isc2-board/#comments</comments>
		<pubDate>Thu, 04 Sep 2008 02:39:27 +0000</pubDate>
		<dc:creator>Nathan Hamiel</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[certification]]></category>
		<category><![CDATA[information security]]></category>

		<guid isPermaLink="false">http://www.neohaxor.org/2008/09/03/seth-for-isc2-board/</guid>
		<description><![CDATA[I am just finishing up a post on certification, but I thought this needs its own post&#8230; and well&#8230; I am taking too long. Seth Hardy has requested to be put on the ballot of the ISC2 Board. He needs 591 signatures on his petition in order to be put on the ballot. From his [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.sethforisc2board.org/cissp.jpg" width="300" height="255" /></p>
<p>I am just finishing up a post on certification, but I thought this needs its own post&#8230; and well&#8230; I am taking too long. Seth Hardy has requested to be put on the ballot of the ISC2 Board. He needs 591 signatures on his petition in order to be put on the ballot. From his site:</p>
<blockquote>
<p>Send an email to me: shardy@aculei.net using your email address on record with (ISC)2, including your member number, stating that you are signing my petition!</p>
<p>Signing the petition doesn&#8217;t mean you&#8217;re voting for me; it just means that you&#8217;re supporting my inclusion on the ballot. I&#8217;ll be hitting you up for votes later. <img src='http://www.neohaxor.org/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
</blockquote>
<p>Rather than just complain about issues Seth wants to do something about them. That is something I totally support. If you have an ISC2 certification please visit his site and sign his petition. <a href="http://www.sethforisc2board.org" title="Seth for ISC2 Board">www.sethforisc2board.org</a></p>
<p>More to come on the value / lack of value in security certification. I promise I will finish it soon.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.neohaxor.org/2008/09/03/seth-for-isc2-board/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>WASC and GIAC/SANS to Create a Certification for Web Application Security</title>
		<link>http://www.neohaxor.org/2008/02/25/wasc-and-gaic-sans-to-create-a-certification-for-web-application-security/</link>
		<comments>http://www.neohaxor.org/2008/02/25/wasc-and-gaic-sans-to-create-a-certification-for-web-application-security/#comments</comments>
		<pubDate>Mon, 25 Feb 2008 19:10:44 +0000</pubDate>
		<dc:creator>Nathan Hamiel</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[certification]]></category>
		<category><![CDATA[GIAC]]></category>
		<category><![CDATA[SANS]]></category>
		<category><![CDATA[WASC]]></category>
		<category><![CDATA[web application]]></category>

		<guid isPermaLink="false">http://www.neohaxor.org/2008/02/25/wasc-and-gaic-sans-to-create-a-certification-for-web-application-security/</guid>
		<description><![CDATA[Anurag Agarwal had a posting in his blog about a new certification for Web Application Security Professionals. When I first saw the posting I was almost kind of excited. You can imagine my disappointment when I found out that the GIAC/SANS organization was going to be involved. To me it just seems like an excuse [...]]]></description>
			<content:encoded><![CDATA[<p>Anurag Agarwal had a posting in his <a href="http://myappsecurity.blogspot.com/2008/02/certification-for-web-application.html">blog</a> about a new certification for Web Application Security Professionals. When I first saw the posting I was almost kind of excited. You can imagine my disappointment when I found out that the GIAC/SANS organization was going to be involved. To me it just seems like an excuse for SANS to try and charge an exorbitant amount of money for their certifications. Now, I am not knocking the instructors that teach at the SANS training. Most of them are very talented individuals with many years of experience. That isn&#8217;t the issue.<br />
<br />
What I have a problem with is this: what about people who already have the core competencies for the certification? These individuals would get absolutely nothing from taking the SANS training. I am sure the training is going to be targeted toward more of the newcomers to this space. For this scenario GIAC offers the certification challenge. I am not sure if you have looked up their costs to challenge their certifications or not, but it is rather laughable. I almost fell out of my chair laughing when I saw the new pricing, 899.00, which is a tricky way of saying 900.00. Are you kidding me? There is nothing special about their tests or credentials. I know, I have one. There cannot be that much overhead in the exam creation and maintenance. The CISSP doesn&#8217;t even cost that much, initially anyway. It just seems like another way for this organization to money grub. They are targeting people who work for organizations that pay for certifications for them and don&#8217;t necessarily question the amount of money spent. This basically shuns the little guy and the independents. To me, the GIAC certification challenge for Silver (that is purely automated, no grading of papers) shouldn&#8217;t be more than 150 dollars. I think that is fair.</p>
<h3>How should this be done?</h3>
<p>I am not an expert in all things certification, but I would think you would have to start with the WASC taking complete ownership of this. Community experts should be queried for what they believe are the most important aspects of the field. You may even want to take a proven methodology based on OWASP as a framework for this as well. After that the exam objectives are defined. There may also be an experience requirement, so maybe people have to prove they have worked in the field for 2 years or something such as that. Based on the exam objectives and the comprehensive nature of the exam, you have a panel of experts draft the questions for the exam. The exam delivery method should be one that doesn&#8217;t restrict people based on geographic limitations. This delivery method could be web based, Prometric, etc.<br />
<br />
Structuring the exam in this manner would allow other organizations to provide training as well and not just lock in one vendor. This spreads the wealth a bit through the technology community. Also it would allow for a reasonably priced challenge for any professionals who are already proficient in this area.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.neohaxor.org/2008/02/25/wasc-and-gaic-sans-to-create-a-certification-for-web-application-security/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
	</channel>
</rss>

