Security Certifications? You’re Certifiable

The security profession has a secret language. Blunt and circumspect, it has nothing to do with IP addresses or code names for hack attacks. If you speak it, employers’ doors swing wide for you. If not, you’re out in the cold, even if you’ve walked the walk for 20 years. It’s the language of certification, and it looks like this:

CISSP, CBCP, CPP, CFE, CISA, GIAC, ISSA, ISACA, ISC2, SANS, CCSE, MCSE, TICSA, VCPE, RSA/CSE, CCNA, CNE, CIW, FCSS, EWSCP.

Easy to decipher? No. But in the world of security certification, such acronyms can carry the same cachet as an Ivy League education or a PhD. And, often, salary is directly proportional to the number of letters you can attach to your name or resume.

Security is hot these days, and everyone seems to want in. Unfortunately, there are very few qualified security workers who have a lot of experience under their belt, which leaves managers scrambling to fill vacancies.

In response to all that pent-up demand for trained staff, the certification industrythose companies that administer or provide training for examshas created a bevy of new certifications. There’s so much money to be made from those seeking certification that everyone wants a piece of the action. The good news: There’s a lot to choose from. The bad news: It’s that much more difficult to differentiate between meaningful certifications and expensive diploma mills.

wo or three years ago, there were so few certifications that everyone knew what acronyms like mcse and ccse stood for, and what the exams entailed in terms of experience and knowledge. earning a certifi-

cation such as the CISSP, which was widely viewed as the most valuable and upstanding information security certification available, was seen as a measure of one’s knowledge, and a validation and recognition of accomplishment in the security field. Today’s proliferation of certifications, however, is less meaningful.

And navigating the certification battlefield is difficult and messy. “Some certifying bodies use the current focus on security as a way to make money,” says Lew Wagner, CISSP, CPP and CISO of the University of Texas MD Anderson Cancer Center. Driving the need for certification is in the interest of those offering training and certifications.

New certifications are coming fast and furious. CompTIA recently launched the beta of Security+, a certification for entry-level security workers. In addition to offering the well-respected CPP, the American Society for Industrial Security will begin offering two new certifications in physical security and investigations next fall. And the Field Certified Professional Association is about to launch an advanced Field Certified Security Specialist certification that will debut later this year.

But no one group or individual has stepped forward to guide the security field toward a gold standard of training and education. “It’s getting a little crazy right now,” says David Cullinane, CPP, CISSP and president of the Information Systems Security Association (ISSA). “There are too many certifications with no distinction between them.”

The proliferation of security certifications is especially confusing for CSOs, since there’s no governing body to vet the certification process. “There are so many certifications coming down the pike that no one can keep track of what’s real and what’s not,” says Cullinane, who’s Washington Mutual’s CISO.

Are You Experienced?

Certification certainly isn’t a substitute for experience, but for security newbies, it’s a way to get interviews and differentiate themselves from other job candidates. Today’s reality, however, is fairly cut-and-dried: Typically, the more letters after your name, the more money you make.

“No one wants to pay for skills unless there’s some proof of proficiency,” says David Foote, cofounder, president and chief research officer of Foote Partners, a management consultancy. According to the company’s survey data, security workers with certifications such as the CISSP and GIAC series (see “Now I Know My ABCs,” this page) are paid anywhere from 6 percent to 12 percent more in bonus pay than those without certifications. The Foote survey also found that 50 percent of companies are covering the cost of certifying employees.

Consequently, security employees are seeing the incentive for taking the certification tests. “If you have a couple of years of experience, there’s a pot of gold waiting for you if you get certified,” Foote says.

No surprise, then, that technical certifications such as the SANS Institute’s GIAC serieswhich offers training and certification in areas such as intrusion detection, incident handling and firewall administrationare experiencing a boom in popularity. Attendance at SANS training sessions is up 33 percent, according to Alan Paller, director of research at the SANS Institute. Right now, the GIAC is the most attractive certification series, according to Foote, because companies are looking for ways to train existing employees in the details of security rather than hiring more experienced security experts who can command even higher salaries. The GIAC is extremely thorough and highly technical, which makes it very attractive for companies that want to get the most out of the money they spend on certifying employees.

Some certifying bodieslike ISC2 and SANSrequire a few years’ previous experience before you can take the exams. Such requirements are meant in part to prevent someone from walking into the security field without any background in the field, Paller says. In January 2003, ISC2 will bump the amount of required experience to take the CISSP test to four years, and it will go to five years in 2004, says James Wade, chairman and president of ISC2.

Street Smarts

Though CSOs stress the need for certification, no one has devised a method to weigh certification versus experience. Obviously, certification doesn’t guarantee that the holder can handle a DNS attack like a veteran. It simply means you’ve passed a test (see “Ready, Set…Certify!” Page 42). “The fact that you are certified opens a lot of doors that otherwise would remain closed,” says Ron Baklarz, CISSP, GSEC and CISO of the American Red Cross. “But nothing compares with real experience under fire.”

Few CSOs will admit outright that they won’t hire someone without certification, but for Bob Cordier, vice president of security and safety for MetLife, certification is a necessity for prospective employees. “I look for certification when hiring,” Cordier says. “It can make the difference if all other qualifications are equal.”

CSOs who have spent years working their way up the ranks without feeling the need to be certified are now facing a prime opportunity to become even more marketable, a fact that’s not lost on Bob Fox, vice president and CSO of Sprint. “I don’t have a CISSP, but I’m seriously considering it,” he says. “It’s that important. Having a CISSP means you can grasp both the technology and the management part of security administration, and having that expertise gives customers and employees a level of comfort when dealing with a company.”

Fox sees certification as a useful tool in judging how up-to-date a job candidate’s knowledge is. Most certifications have to be renewed every two to five years. If someone with 20 years’ experience claimed he was familiar with the most current technology skills, Fox says, he’d have serious doubts about the veracity of the claim if he wasn’t certified. “Knowing someone has updated their knowledge on a regular basis is huge,” he says. “That’s why I’d hire someone with less experience but certified over someone with more experience and no certification.”

But there’s no good system to help distinguish between someone with five years of experience but who holds a CISSP and a GSEC, and someone who is not certified but has 15 years of experience in multiple jobs. Until security executives can draw that line, certification will continue to obscure the hiring process, says Ainsley Rattray, CISSP and chief security strategist at LabMorgan, a division of J.P. Morgan Chase.

In addition, not every person is a good test-taker. And the good test-takers don’t always have the smarts to back up their good test scores. “I’ve seen good test-takers pass the CISSP who weren’t fit to be a CSO,” Wagner says. “And I’ve seen really good people who have to take it again because they weren’t good test-takers.”

Certification shouldn’t be the sole determinant of skill, and it can’t be taken in isolation from experience, Rattray insists. “Certification represents achievement, not mastery. There’s no substitute for experience.”

Such a conclusion has yet to trickle down the ranks, however. Many are open in their condemnation of those who put too much emphasis on certification. Yet those same people are certified: They don’t want to fall behind their peers or lose job opportunities just because of an acronym (or the lack thereof).

Equitable and Reputable

All the hype about certification certainly isn’t hurting organizations like SANS and ISC2 or training companies like Learning Tree International, which make most of their money from certification preparation courses. The exams usually cost $200 or less, while training classes to prepare for the exams tend to be around $3,000 (see “Now I Know My ABCs,” Page 40).

Controversial “boot camps” are emerging to offer CISSP candidates a cheaper way to prepare for the exams, and ISC2, for one, isn’t happy. The camps allegedly use actual material from the test and encourage participants to lie about their work experience on their exam application, according to Marc Thompson, vice president of ISC2. Both practices threaten the integrity of the certification itself, he says.

To prevent such finagling around the rules, ISC2, SANS and other certifying bodies such as the Association of Certified Fraud Examiners are making it harder for prospective certification candidates to qualify for the exams. Most tests now require a minimum of three years’ experience and the test-taker must sign a code of ethics, which is like a security version of the Hippocratic oath. ISC2 now requires candidates to be endorsed by another CISSP so that they can check references, and it enforces random audits of applications.

Still, not all certifications are worth the paper they’re printed on. Few CSOs are willing to peg the flimsy certifications by name, but they do admit to their existence. “There are definitely certs where you just mail it in,” Wagner says.

The chaotic state of certification has spurred some to action. Frank Reeder, chairman of the Center for Internet Security, is working with the heads of SANS, ISC2, ISACA and others to discuss the formation of a governing body akin to the American Bar Association that would establish benchmarks in security education and certification. The idea is still in the embryonic stages, Reeder says, but he wants an organization that can accredit certifications and set technical specifications for education. “You can become certified by passing an exam and writing about your experience. That’s just not sufficient to prove that you’re qualified,” he says. “We want to elevate the standards and give people with certifications a better tool in the marketplace.”

Reeder wants to set basic criteria for certification that includes training independent from the agency offering certification; the testing itself; substantial practical experience along the lines of required flying hours for pilots; required continued education; and independently monitored standards for ethical behavior. Currently, certifying organizations are usually the only venue through which candidates can train for exams, which opens up some questions of integrity.

“If they offer training and certification, then it becomes a marketing device, not an independent process,” Reeder says. For example, if you pay to train for the CFE and you don’t pass the test, the ACFE will either refund your money or allow you to take the test again.

Reeder’s efforts have already reaped results. SANS and ISC2 recently announced a training program in which SANS will teach ISC2’s Common Body of Knowledge as well as essential technical security skills during training for the GSEC certification. Students can then take either the GSEC or the CISSP. The move is the industry’s first step toward making certification more equitable and reputable.

Until the hype surrounding certification subsides, CSOs need to decide where to draw the line when it comes to balancing experience and certification. That call will be easier to make in a year or two when the big-name certifications start requiring candidates to have four and five years of experience prior to taking exams. But even then you’ll need to make thoughtful, informed hiring decisions that don’t exclude security veterans who aren’t certified. If you take the time to learn what each certification entails, you can avoid spending training dollars on useless certifications, and you won’t be overwhelmed by the lineup of acronyms on anyone’s résumé.