How valuable are security certifications today?
Will investing your time in earning security-industry certifications ultimately mean more money in your paycheck? Which certifications are vital in today's job market?
By Lauren Gibbons Paul
Certifications are one way to prove what you know, says Brenton, but there are other ways, especially if you're a good communicator.
"It's how much do you know and how good are you at conveying what you know?" he says.
As someone who oversees hiring security professionals for his company, Brenton looks for experience beyond certification that show the job candidate has practical skills. For example, if the candidate created a piece of open-source software relating to security (such as for vulnerability scanning or implementing host-level security), that indicates real-world knowledge, he says.
[Check out CSO's security certifications directory]
"If the candidate has an active blog or has written a book about security, that tells me more about their expertise than just looking at their resume with certifications," he says. In that case, holding a certification would probably not result in the candidate getting a higher salary offer. Certifications do give an edge to someone when weighed against another candidate without any demonstrated expertise, he adds.
And taking a class or obtaining a certification can be a handy way to fill a gap in your expertise, says Brenton.
"Let's say they understand most aspects of network security but there are still some black-box areas where they need more training."
His students often come for certification when they want to switch jobs or even careers.
The world of threats — both physical and information-based — moves so quickly that certification is a way to show you have training and understand the issues. That said, the certification can quickly be out of date as technologies and threats morph and change. A certification that emphasizes perimeter security skills, for example, might well be perceived as less valuable now than one that focuses on vulnerability assessment and mitigation. And there is sure to be a hot new certification in 18 months to two years, if that long.
Those who obtain one security certification may feel the need to keep going as certifications change with the times. That could translate to more money in the certification provider's wallet than yours. This is less true when it comes to physical security certifications, as physical security threats at least arguably do not change as quickly as information security threats.
Whether or not security certification will earn you more, now or in the future, depends a lot on the organization, the job and the industry. If your company values continuing education (and will help foot some of the bill for the training), that is a good indication that certification will elevate your status. If not, you may still want to pursue certification if you are a person like Jerry Irvine, for whom education is its own reward, or you need to build up your resume in anticipation of a making a move.
Irvine stands by his record."I hire security people. I look for certifications. Getting certified really does show something about a person," he says. "We hire people with certifications."
Read more about security leadership in CSOonline's Security Leadership section.