In Depth
Security Certifications? You're Certifiable
Are security certifications all they're cracked up to be? Here's your guide through the jungle of acronyms.
By Simone Kaplan
Certification shouldn't be the sole determinant of skill, and it can't be taken in isolation from experience, Rattray insists. "Certification represents achievement, not mastery. There's no substitute for experience."
Such a conclusion has yet to trickle down the ranks, however. Many are open in their condemnation of those who put too much emphasis on certification. Yet those same people are certified: They don't want to fall behind their peers or lose job opportunities just because of an acronym (or the lack thereof).
Equitable and Reputable
All the hype about certification certainly isn't hurting organizations like SANS and ISC2 or training companies like Learning Tree International, which make most of their money from certification preparation courses. The exams usually cost $200 or less, while training classes to prepare for the exams tend to be around $3,000 (see "Now I Know My ABCs," Page 40).
Controversial "boot camps" are emerging to offer CISSP candidates a cheaper way to prepare for the exams, and ISC2, for one, isn't happy. The camps allegedly use actual material from the test and encourage participants to lie about their work experience on their exam application, according to Marc Thompson, vice president of ISC2. Both practices threaten the integrity of the certification itself, he says.
To prevent such finagling around the rules, ISC2, SANS and other certifying bodies such as the Association of Certified Fraud Examiners are making it harder for prospective certification candidates to qualify for the exams. Most tests now require a minimum of three years' experience and the test-taker must sign a code of ethics, which is like a security version of the Hippocratic oath. ISC2 now requires candidates to be endorsed by another CISSP so that they can check references, and it enforces random audits of applications.
Still, not all certifications are worth the paper they're printed on. Few CSOs are willing to peg the flimsy certifications by name, but they do admit to their existence. "There are definitely certs where you just mail it in," Wagner says.
The chaotic state of certification has spurred some to action. Frank Reeder, chairman of the Center for Internet Security, is working with the heads of SANS, ISC2, ISACA and others to discuss the formation of a governing body akin to the American Bar Association that would establish benchmarks in security education and certification. The idea is still in the embryonic stages, Reeder says, but he wants an organization that can accredit certifications and set technical specifications for education. "You can become certified by passing an exam and writing about your experience. That's just not sufficient to prove that you're qualified," he says. "We want to elevate the standards and give people with certifications a better tool in the marketplace."