The discussion about the value of security certifications isn't about to die down anytime soon.

Last month, I wrote a Leading Edge blog post regarding security certifications and their value. The post, titled “Is there a disconnect between demand for security jobs and certifications?”, has sparked a lot of conversation from folks on both sides of the issue of certification value these days. From the comments section, it’s clear many people think certifications hold a lot of weight and value in the job search. Still, others argue certs are meaningless, especially after obtaining a certain level of actual on-the-job experience. In fact, one commenter noted “I’ll take someone who has “down-in-the-trenches” experience over someone with just a few certs any day!”

In one of our feature stories on CSOonline this month, contributor Lauren Gibbons Paul poses the question: How valuable are security certifications today? In the piece, we hear from Jerry Irvine, CIO of IT consulting firm Prescient Solutions and member of the National Cyber Security Task Force. Irvine holds more than 20 IT certifications, of which at least six are specifically information security-oriented, and is a strong believer in the notion that the value of certifications in general, and security certifications in particular, shows up in your wallet.

On the other hand, we also hear from Chris Brenton, an instructor at the SANS Institute and director of information security for CloudPassage, a cloud security provider. Brenton has been delivering certification training for quite a few years but does not hold any certs himself. As someone who oversees hiring security professionals for his company, Brenton looks for experience beyond certification that shows the job candidate has practical skills. “If the candidate has an active blog or has written a book about security, that tells me more about their expertise than just looking at their resume with certifications,” he says.
Today I received an email from Paul Hugenberg, CISO with First Place Bank based in Warren, OH, continuing the conversation on this issue. Hugenberg wrote:

“While you don’t see it on my signature, I am a CPA, CITP, CISA, CISSP and CRISC, and each for various reasons. I would make the argument that your career is best served by your ability to not only take advantage of opportunities but to also give yourself the opportunity in the first place. To state that certifications are no longer worthy is like stating a bachelor’s degree or postgraduate degree is no longer worthy because “experience” trumps the rest. Unfortunately, that certification [and that diploma] provide for opportunities that would not be available otherwise. I often hear of the value or the non-value based on whether the commentator has a cert (actually sat for it rather than grandfathered for it). Those who don’t, or just filled out a sheet of paper for grandfathering, certainly have less appreciation for its value than those that studied and sat through a test. The bad thing about certifications is that they themselves become outdated. Do you find it at all ironic that an industry whose primary KPIs include legacy systems and refresh rates will allow a 2012 CISSP and a legacy 2007 CISSP to be comparable candidates?”

Paul makes excellent points and calls out another issue in this discussion that other commenters have also noted. What about the certification system itself? Is it outdated? Do the tests still reflect a real-world level of knowledge for security professionals? I’ve heard from many who claim they do not. However, as soon as I post this, I predict I will quickly hear from those in charge of administering the tests for the various certifications available who will be more than happy to make the case that they are still relevant. I, of course, welcome their thoughts.