In Depth

Security Certifications? You're Certifiable

Are security certifications all they're cracked up to be? Here's your guide through the jungle of acronyms.

By Simone Kaplan

But no one group or individual has stepped forward to guide the security field toward a gold standard of training and education. "It's getting a little crazy right now," says David Cullinane, CPP, CISSP and president of the Information Systems Security Association (ISSA). "There are too many certifications with no distinction between them."

The proliferation of security certifications is especially confusing for CSOs, since there's no governing body to vet the certification process. "There are so many certifications coming down the pike that no one can keep track of what's real and what's not," says Cullinane, who's Washington Mutual's CISO.

Are You Experienced?

Certification certainly isn't a substitute for experience, but for security newbies, it's a way to get interviews and differentiate themselves from other job candidates. Today's reality, however, is fairly cut-and-dried: Typically, the more letters after your name, the more money you make.

"No one wants to pay for skills unless there's some proof of proficiency," says David Foote, cofounder, president and chief research officer of Foote Partners, a management consultancy. According to the company's survey data, security workers with certifications such as the CISSP and GIAC series (see "Now I Know My ABCs," this page) are paid anywhere from 6 percent to 12 percent more in bonus pay than those without certifications. The Foote survey also found that 50 percent of companies are covering the cost of certifying employees.

Consequently, security employees are seeing the incentive for taking the certification tests. "If you have a couple of years of experience, there's a pot of gold waiting for you if you get certified," Foote says.

No surprise, then, that technical certifications such as the SANS Institute's GIAC series, which offers training and certification in areas such as intrusion detection, incident handling and firewall administration, are experiencing a boom in popularity. Attendance at SANS training sessions is up 33 percent, according to Alan Paller, director of research at the SANS Institute. Right now, the GIAC is the most attractive certification series, according to Foote, because companies are looking for ways to train existing employees in the details of security rather than hiring more experienced security experts who can command even higher salaries. The GIAC is extremely thorough and highly technical, which makes it very attractive for companies that want to get the most out of the money they spend on certifying employees.

Some certifying bodies, like ISC2 and SANS, require a few years' previous experience before you can take the exams. Such requirements are meant in part to prevent someone from walking into the security field without any background in it, Paller says. In January 2003, ISC2 will bump the amount of experience required to take the CISSP test to four years, and it will go to five years in 2004, says James Wade, chairman and president of ISC2.
