In Depth

Security Certifications? You're Certifiable

Are security certifications all they're cracked up to be? Here's your guide through the jungle of acronyms.

By Simone Kaplan

Street Smarts

Though CSOs stress the need for certification, no one has devised a method to weigh certification versus experience. Obviously, certification doesn't guarantee that the holder can handle a DNS attack like a veteran. It simply means you've passed a test (see "Ready, Set...Certify!" Page 42). "The fact that you are certified opens a lot of doors that otherwise would remain closed," says Ron Baklarz, CISSP, GSEC and CISO of the American Red Cross. "But nothing compares with real experience under fire."

Few CSOs will admit outright that they won't hire someone without certification, but for Bob Cordier, vice president of security and safety for MetLife, certification is a necessity for prospective employees. "I look for certification when hiring," Cordier says. "It can make the difference if all other qualifications are equal."

CSOs who have spent years working their way up the ranks without feeling the need to be certified are now facing a prime opportunity to become even more marketable, a fact that's not lost on Bob Fox, vice president and CSO of Sprint. "I don't have a CISSP, but I'm seriously considering it," he says. "It's that important. Having a CISSP means you can grasp both the technology and the management part of security administration, and having that expertise gives customers and employees a level of comfort when dealing with a company."

Fox sees certification as a useful tool in judging how up-to-date a job candidate's knowledge is. Most certifications have to be renewed every two to five years. If someone with 20 years' experience claimed he was familiar with the most current technology skills, Fox says, he'd have serious doubts about the veracity of the claim if he wasn't certified. "Knowing someone has updated their knowledge on a regular basis is huge," he says. "That's why I'd hire someone with less experience but certified over someone with more experience and no certification."

But there's no good system to help distinguish between someone with five years of experience but who holds a CISSP and a GSEC, and someone who is not certified but has 15 years of experience in multiple jobs. Until security executives can draw that line, certification will continue to obscure the hiring process, says Ainsley Rattray, CISSP and chief security strategist at LabMorgan, a division of J.P. Morgan Chase.

In addition, not every person is a good test-taker. And the good test-takers don't always have the smarts to back up their good test scores. "I've seen good test-takers pass the CISSP who weren't fit to be a CSO," Wagner says. "And I've seen really good people who have to take it again because they weren't good test-takers."
