In Depth
Security Certifications? You're Certifiable
Are security certifications all they're cracked up to be? Here's your guide through the jungle of acronyms.
By Simone Kaplan
Reeder wants to set basic criteria for certification that include training independent from the agency offering certification; the testing itself; substantial practical experience along the lines of required flying hours for pilots; required continued education; and independently monitored standards for ethical behavior. Currently, certifying organizations are usually the only venue through which candidates can train for exams, which opens up some questions of integrity.
"If they offer training and certification, then it becomes a marketing device, not an independent process," Reeder says. For example, if you pay to train for the CFE and you don't pass the test, the ACFE will either refund your money or allow you to take the test again.
Reeder's efforts have already reaped results. SANS and ISC2 recently announced a training program in which SANS will teach ISC2's Common Body of Knowledge as well as essential technical security skills during training for the GSEC certification. Students can then take either the GSEC or the CISSP. The move is the industry's first step toward making certification more equitable and reputable.
Until the hype surrounding certification subsides, CSOs need to decide where to draw the line when it comes to balancing experience and certification. That call will be easier to make in a year or two when the big-name certifications start requiring candidates to have four and five years of experience prior to taking exams. But even then you'll need to make thoughtful, informed hiring decisions that don't exclude security veterans who aren't certified. If you take the time to learn what each certification entails, you can avoid spending training dollars on useless certifications, and you won't be overwhelmed by the lineup of acronyms on anyone's résumé.