


by Sandy Kendall

How Valuable Is Security Certification?

Sep 30, 2002 | 2 mins
CSO and CISO, Data and Information Security

It's not too late. If you hurry, you could still make it to the first annual International Symposium on Information Security, held this week at London's Thistle Charing Cross Hotel. But wait. It says here in a press release that you gotta be certified. Well, not in so many words. But, "This symposium is the world's first international security forum to be developed exclusively by CISSPs for CISSPs and their associates from respected organizations." So says James E. Duffy, CISSP, managing director for (ISC)2. The event is sponsored by the MIS Training Institute and The International Information Systems Security Certification Consortium ((ISC)2), a nonprofit organization that trains and certifies IS security professionals (CISSP) and practitioners (SSCP) worldwide.

There are nearly 11,000 CISSPs working in 80 countries, with many, according to the (ISC)2 literature, in top positions in both the public and private sectors. That would be lofty company indeed at the conference. As it turns out, you don't actually have to be certified to attend, but you get a comfortable discount if you are. On first read, however, the wording implicitly suggests a certified exclusivity. And lately, many security job descriptions have that same ring. Some employers say they wouldn't hire a security worker who didn't have certification. (See "You're Certifiable" in the October issue of CSO.)

But for some in the business, the increasing emphasis on certification raises questions. Is certification more important than experience? Are all certifications created equal? The proliferation of certifications (now more than 20) that you can obtain as a security worker yields a comical volume of acronyms. Besides CISSP and SSCP, you could get CISA, ISACA or TICSA certification. Or CCSE or CCNA or EWSCP. You know, just for starters. Many of these are simply the result of vendors flinging themselves onto the bandwagon and offering certification to boost their own credibility and prominence. And some, of course, are well-intended efforts to demonstrate the extent of knowledge of job applicants. They may even have real value.

What's your opinion? Are certifications a valid mark of a person's skill and knowledge level, or are they just resumé fluff? Tell us what you think.