When it comes to education, most people agree, more is better. No one embodies that principle — at least in regard to IT certifications — better than Jerry Irvine. CIO of IT consulting firm Prescient Solutions and member of the National Cyber Security Task Force, Irvine holds more than 20 IT certifications, of which at least six are specifically information security-oriented.
"I'll stop getting certifications when I'm dead," says Irvine, though one wonders if even that will dissuade him. Irvine is a strong believer in the notion that the value of certifications in general and security certifications in particular shows up in your wallet.
"My opinion is the more certified you are, the more marketable you are. You can prove you know more because you have those certifications," says Irvine. "People look at you and say, 'This guy really does know his stuff.' That gives you the opportunity to make more money."
Anyone who puts in the time and spends the money to get certified is showing they care about staying current with security trends and techniques. That quality makes someone more desirable to an employer, he adds.
As a practical matter, many of today's information security certifications require much hands-on application of skills, such as CompTIA's CASP (Certified Advanced Security Professional), which requires candidates to configure firewalls and routers and perform other security-related tasks as part of the test. Being able to pass proves to a potential employer that you can do certain things, potentially giving you an edge over those who do not hold the certification.
For some jobs, obtaining a particular security certification — whether for information security or physical security — is a requisite for even being considered. In that case, you will surely know if there is a certification you need to obtain. Beyond that, however, attaining certifications is generally a matter of personal and/or employer choice. Some certifications require a great deal of work both in and out of the classroom, as well as sitting for the test. The question: Do they generate return on your investment?
Certifications should not be the end goal so much as a tool you can use in furthering your career, cautions Chris Brenton, an instructor at the SANS Institute and director of information security for CloudPassage, a cloud security provider. Brenton has been delivering certification training for quite a few years but — perhaps surprisingly — does not hold any himself.
Certifications are one way to prove what you know, says Brenton, but there are other ways, especially if you're a good communicator.
"It's how much do you know and how good are you at conveying what you know?" he says.
As someone who oversees hiring security professionals for his company, Brenton looks for experience beyond certification that shows the job candidate has practical skills. For example, if the candidate created a piece of open-source software relating to security (such as for vulnerability scanning or implementing host-level security), that indicates real-world knowledge, he says.
"If the candidate has an active blog or has written a book about security, that tells me more about their expertise than just looking at their resume with certifications," he says. In that case, holding a certification would probably not result in the candidate getting a higher salary offer. Certifications do give an edge to someone when weighed against another candidate without any demonstrated expertise, he adds.
And taking a class or obtaining a certification can be a handy way to fill a gap in your expertise, says Brenton.
"Let's say they understand most aspects of network security but there are still some black-box areas where they need more training."
His students often come for certification when they want to switch jobs or even careers.
The world of threats — both physical and information-based — moves so quickly that certification is a way to show you have training and understand the issues. That said, the certification can quickly be out of date as technologies and threats morph and change. A certification that emphasizes perimeter security skills, for example, might well be perceived as less valuable now than one that focuses on vulnerability assessment and mitigation. And there is sure to be a hot new certification in 18 months to two years, if that long.
Those who obtain one security certification may feel the need to keep going as certifications change with the times. That could translate to more money in the certification provider's wallet than yours. This is less true when it comes to physical security certifications, as physical security threats at least arguably do not change as quickly as information security threats.
Whether or not security certification will earn you more, now or in the future, depends a lot on the organization, the job and the industry. If your company values continuing education (and will help foot some of the bill for the training), that is a good indication that certification will elevate your status. If not, you may still want to pursue certification if you are a person like Jerry Irvine, for whom education is its own reward, or you need to build up your resume in anticipation of making a move.
Irvine stands by his record.
"I hire security people. I look for certifications. Getting certified really does show something about a person," he says. "We hire people with certifications."