When hiring or auditing a team’s existing skills, a cybersecurity certification diploma such as CISA, CISM or CISSP is often taken as proof of an employee’s fitness for purpose—but it may not tell the whole story. And although those international qualifications dominate the market, certification from local bodies such as the Data Security Council of India may be more relevant in fields such as data privacy, where regulations vary between countries.

That’s why it’s important for CSOs to ensure that their team members have the right certifications for the job, and not waste time and money on irrelevant qualifications.

Pursue the right certification

Aiming to acquire a full deck of qualifications—CISA, CISM, and CISSP—is not the end goal: the key is to identify those most relevant to the job.

Ratan Jyoti, CISO at Ujjivan Finance, explains that certifications like Certified Information Security Auditor (CISA), Certified Information Security Manager (CISM), and Certified Information Systems Security Professional (CISSP) are useful to staff working in different areas.

“If you wish to work on the operational side of cybersecurity, you should aim for the CISSP and accumulate relevant experience pertaining to that. But if you’re aiming at the strategic or business aspects of cybersecurity, you can go for the CISM certification,” he says.

The CISA qualification, meanwhile, is more helpful in learning how to manage cybersecurity auditing and the information framework, says Vinay Wandrekar, who manages business information security at Novartis Healthcare.

“If there’s a security audit, you’ll be in a position to predict what the auditor is looking for. It helps you understand what’s expected in terms of the security framework and the way to implement the right security measures,” he says.

It’s also important for cybersecurity professionals to be on top of what’s happening in the security space, not just from a technology point of view, but from a legal and regulatory standpoint as well.

In that respect, the Data Security Council of India’s Certified Privacy Professional (DCPP) certification will help staff keep track as India’s data protection legislation evolves. Jyoti was one of the first in the country to earn that certification.

In addition to offering its own, India-specific qualifications, DSCI has also published a useful cybersecurity career map to help IT staff identify their career goals and the skills they will need to gain on the way.

Vendor certifications can also prove useful for cybersecurity teams. Such qualifications are obviously useful to ensure that an organization is using equipment or services in a secure way—but they can also have more general educational value.

For example, Rahul Chandak, CISO at Birla Carbon, says the Cisco Certified Network Associate (CCNA) routing and switching certification helped him gain a thorough understanding of network topologies and device types that proved to be a bedrock for the security and standards certifications he acquired later, including Certified Ethical Hacker (CEH) and ISO27001.

A big challenge with some vendor-specific certification is that when a new version of the product is launched, certification on the older version loses its value, says Lopa Mudraa Basuu, formerly global head of cybersecurity risk governance and compliance at Nissan Motor Corp.

That’s less of a problem with cloud, where the big three vendors share a similar skeletal structure. “This makes it easier for individuals to grasp and pick up new technologies or solutions,” she says.

There are also independent bodies such as the Cloud Security Alliance (CSA) that offer vendor-agnostic courses. The Certificate of Cloud Security Knowledge (CCSK) is one of the more sought-after ones from CSA. The Computing Technology Industry Association’s CompTIA Security+ certification is another example.

Time is money: the cost of certification

Ensuring that team members focus on the right certifications for their role is also a way to manage costs. The CISSP exam, for instance, costs $699 (approximately ₹51,000).

“An important question one must ask is: how can I maintain so many certifications? There’s also a cost factor involved,” says Basuu.

Even if an employee doesn’t renew a certification after obtaining it, Basuu sees benefits in having gained some learning about the technology.

Jyoti agrees that renewing vendor certifications can prove a costly affair, especially for professionals investing their own money, but believes that if a person wants to continue working with a particular technology or infrastructure, it is worth pursuing as these credentials are in great demand.

He notes that AWS security certifications can be expensive as they are charged in US dollars, while Azure security certifications are comparatively less costly and can be paid for in Indian rupees.

There’s more than just the direct financial cost of the certification: the exams are hard and require many hours of study.

“My advice is to stick to the syllabus.” — Vinay Wandrekar, Business Information Security, Novartis Healthcare

Wandrekar advises sticking to the syllabus. To prepare for the CISA certification exam, he says he studied from ISACA’s CISA review manual and undertook their mock exams.

For highly specialized and advanced security certifications like the Computer Hacking Forensic Investigator (CHFI), he says the preparation time can range from one month for an experienced professional with a Certified Ethical Hacker (CEH) qualification up to six months for a person with little experience.

The CISSP certification is notoriously difficult.

“I’ve seen a lot of people not being able to clear the certification course in their first or second attempt. A common reason for this is that they had been preparing for the certification from different course materials,” says Basuu. She too recommends following the certification body’s own manual.

Atul Prakash, cyber defence architect and security operations leader at Hewlett Packard Enterprise (HPE), concurs: “I’ve known people who have cleared CISA and CISM certifications but have failed CISSP certification twice or thrice,” he says, adding that he had to lock himself up in a room in his house, isolated from his family, just to be able to focus on preparing for the CISSP exam.

The role of experience

Obtaining and maintaining the certifications often also requires that candidates accumulate hours of continuing professional education (CPE), or have a certain level of professional experience either before or in the years immediately following certification.

The Information Systems Audit and Control Association (ISACA), for instance, mandates that to obtain or maintain CISA certification, in addition to passing the CISA exam in the last five years, a candidate must have relevant full-time work experience in not just a security role, but in five specific CISA job practice areas.

In Jyoti’s opinion, it’s best if people gather the experience and then apply for the certification. “The biggest challenge I’ve seen is when people take up a certification without having the requisite hands-on experience,” he says.

Aiyappan Pillai, a senior member of the Institute of Electrical and Electronics Engineers (IEEE), reiterates the point: “Whatever route an aspirant for the cybersecurity profession chooses, it is important that they have practical exposure and get into a continuous learning-and-upgrade mode,” he says.

Not all experience is equal. Prakash of HPE is skeptical of requirements based solely on the duration of professional experience, which he considers insufficient to maintain standards of domain knowledge. “You could be doing five years of vulnerability assessment—a job that doesn’t require you to possess great technical knowledge—and still be eligible to hold a CISA or CISM certificate. But that’s not the case for CISSP,” he says.

And not all experience is helpful, either: from her experience with mentoring cybersecurity professionals, Basuu observed that employees who have served long stints may find it harder to clear a certification exam than ones with less experience. The reason, she believes, is that the practices they followed at their organisations have become hardwired into their minds, and those practices may not align with what the certification module prescribes.

Hire the right qualifications

Developing the experience and qualifications of new hires or existing staff is important, but another way to bring up the level of your team is by hiring more-skilled candidates.

For Jyoti, certifications can be a deciding factor in the hiring process: “If I’m recruiting a security professional for my team and shortlist two candidates who are equally good, and one’s certified and the other one isn’t, I’ll pick the one with the certification.”

It’s important, though, to ensure that applicants are really entitled to the certifications they claim.

As Basuu warns, “When I was recruiting security professionals for my organization, I interviewed people who stated they were CISA or CISM-certified, but when we asked them to provide the certificate, we observed that in most cases, the certificate had either expired or that they had cleared the exam but had not received the certification.”

To retain a CISA certificate, for example, professionals must earn and report at least 120 continuing professional education (CPE) credits over the following three years, with a minimum of 20 CPE credits each year.

“If a certification body refuses to issue a certificate, it’s illegal for a person to claim they’re certified,” Basuu adds. In fact, if a certificate is revoked by ISACA, the body mandates that it must be destroyed immediately.

Prakash has also observed that some security professionals who list CISA or CISSP certifications in their LinkedIn profiles are not legitimate certificate-holders. “There exists a loophole in the system – companies often do not carry out a background check when it comes to certifications – it’s mostly restricted to verifying previous job experience and educational qualifications,” he says.

Certification, then, is important to maintaining a team’s abilities, but a CSO should never let it become the sole measure.