Senior Writer

Getting the right certifications: Advice from Indian CSOs

Feb 21, 2021 (9 mins)

Having the right certifications, whether Indian or international, can help a security team perform better.

When hiring or auditing a team’s existing skills, a cybersecurity certification diploma such as CISA, CISM or CISSP is often taken as proof of an employee’s fitness for purpose—but it may not tell the whole story. And although those international qualifications dominate the market, certification from local bodies such as the Data Security Council of India may be more relevant in fields such as data privacy, where regulations vary between countries.

That’s why it’s important for CSOs to ensure that their team members have the right certifications for the job, and not waste time and money on irrelevant qualifications.

Pursue the right certification

Aiming to acquire a full deck of qualifications—CISA, CISM, and CISSP—is not the end goal: the key is to identify those most relevant to the job.

Ratan Jyoti, CISO at Ujjivan Finance, explains that certifications like Certified Information Security Auditor (CISA), Certified Information Security Manager (CISM), and Certified Information Systems Security Professional (CISSP) are useful to staff working in different areas.

“If you wish to work on the operational side of cybersecurity, you should aim for the CISSP and accumulate relevant experience pertaining to that. But if you’re aiming at the strategic or business aspects of cybersecurity, you can go for the CISM certification,” he says.

The CISA qualification, meanwhile, is more helpful in learning how to manage cybersecurity auditing and the information framework, says Vinay Wandrekar, who manages business information security at Novartis Healthcare.

“If there’s a security audit, you’ll be in a position to predict what the auditor is looking for. It helps you understand what’s expected in terms of the security framework and the way to implement the right security measures,” he says.

It’s also important for cybersecurity professionals to be on top of what’s happening in the security space, not just from a technology point of view, but from a legal and regulatory standpoint as well.

In that respect, the Data Security Council of India’s Certified Privacy Professional (DCPP) certification will help staff keep track as India’s data protection legislation evolves. Jyoti was one of the first in the country to earn that certification.

In addition to offering its own, India-specific qualifications, DSCI has also published a useful cybersecurity career map to help IT staff identify their career goals and the skills they will need to gain on the way.

Vendor certifications can also prove useful for cybersecurity teams. Such qualifications are obviously useful to ensure that an organization is using equipment or services in a secure way—but can also have more general educational value.

For example, Rahul Chandak, CISO at Birla Carbon, says the Cisco Certified Network Associate (CCNA) routing and switching certification helped him gain a thorough understanding of network topologies and device types that proved to be a bedrock for the security and standards certifications he acquired later, including Certified Ethical Hacker (CEH) and ISO27001.

A big challenge with some vendor-specific certification is that when a new version of the product is launched, certification on the older version loses its value, says Lopa Mudraa Basuu, formerly global head of cybersecurity risk governance and compliance at Nissan Motor Corp.

That’s less of a problem with cloud, where the big three vendors share a similar skeletal structure. “This makes it easier for individuals to grasp and pick up new technologies or solutions,” she says.

There are also independent bodies such as the Cloud Security Alliance (CSA) that offer vendor-agnostic courses. The Certificate of Cloud Security Knowledge (CCSK) is one of the more sought-after ones from CSA. The Computing Technology Industry Association’s CompTIA Security+ certification is another example.

Time is money: the cost of certification

Ensuring that team members focus on the right certifications for their role is also a way to manage costs. The CISSP exam, for instance, costs $699 (approximately ₹51,000).

“An important question one must ask is: how can I maintain so many certifications? There’s also a cost factor involved,” says Basuu.

Even if an employee doesn’t renew a certification after obtaining it, Basuu sees benefits in having gained some learning about the technology.

Jyoti agrees that renewing vendor certifications can prove a costly affair, especially for professionals investing their own money, but believes that if a person wants to continue working with a particular technology or infrastructure, it is worth pursuing as these credentials are in great demand.

He notes that AWS security certifications can be expensive as they are charged in US dollars, while Azure security certifications are comparatively less costly and can be paid for in Indian rupees.

There’s more than just the direct financial cost of the certification: The exams are hard and require many hours of study.

“My advice is to stick to the syllabus.”

— Vinay Wandrekar, Business Information Security, Novartis Healthcare

Wandrekar advises sticking to the syllabus. To prepare for the CISA certification exam, he says he studied from ISACA’s CISA review manual and undertook their mock exams.

For highly specialized and advanced security certifications like the Computer Hacking Forensic Investigator (CHFI), he says the preparation time can range from one month for an experienced professional with a Certified Ethical Hacking (CEH) qualification up to six months for a person with little experience.

The CISSP certification is notoriously difficult.

“I’ve seen a lot of people not being able to clear the certification course in their first or second attempt. A common reason for this is because they had been preparing for the certification from different course materials,” says Basuu. She too recommends following the certification body’s own manual.

Atul Prakash, cyber defence architect and security operations leader at Hewlett Packard Enterprise (HPE), concurs: “I’ve known people who have cleared CISA and CISM certifications but have failed CISSP certification twice or thrice,” he says, adding that he had to lock himself up in a room in his house, isolated from his family, just to be able to focus on preparing for the CISSP exam.

The role of experience

Obtaining and maintaining the certifications often also requires that candidates accumulate hours of continuing professional education (CPE), or have a certain level of professional experience either before or in the years immediately following certification.

The Information Systems Audit and Control Association (ISACA), for instance, mandates that to obtain or maintain CISA certification, in addition to passing the CISA exam in the last five years, a candidate must have relevant full-time work experience in not just a security role, but in five specific CISA job practice areas.

In Jyoti’s opinion, it’s best if people gather the experience and then apply for the certification. “The biggest challenge I’ve seen is when people take up a certification without having the requisite hands-on experience,” he says.

Aiyappan Pillai, a senior member of the Institute of Electrical and Electronics Engineers (IEEE), reiterates the point: “Whatever route an aspirant for the cybersecurity profession chooses, it is important that they have practical exposure and get into a continuous learning-and-upgrade mode,” he says.

Not all experience is equal. Prakash of HPE is skeptical of requirements based solely on the duration of professional experience, which is insufficient to maintain standards of domain knowledge. “You could be doing five years of vulnerability assessment—a job that doesn’t require you to possess great technical knowledge—and still be eligible to hold a CISA or CISM certificate. But that’s not the case for CISSP,” he says.

And not all experience is helpful, either: from her experience mentoring cybersecurity professionals, Basuu observed that employees who have served long stints may find it harder to clear a certification exam than those with less experience. The reason, she believes, is that they have followed certain practices at their organisations, and these have become hardwired into their minds. However, these practices may not align with what the certification module prescribes.

Hire the right qualifications

Developing the experience and qualifications of new hires or existing staff is important, but another way to bring up the level of your team is by hiring more-skilled candidates.

For Jyoti, certifications can be a deciding factor in the hiring process: “If I’m recruiting a security professional for my team and shortlist two candidates who are equally good, and one’s certified and the other one isn’t, I’ll pick the one with the certification.”

It’s important, though, to ensure that applicants are really entitled to the certifications they claim.

As Basuu warns, “When I was recruiting security professionals for my organization, I interviewed people who stated they were CISA or CISM-certified, but when we asked them to provide the certificate, we observed that in most cases, the certificate had either expired or that they had cleared the exam but had not received the certification.”

To retain a CISA certificate after obtaining it, for example, professionals must earn and report at least 120 continuing professional education (CPE) credits in the following three years, with a minimum of 20 CPE credits each year.

“If a certification body refuses to issue a certificate, it’s illegal for a person to claim they’re certified,” Basuu adds. In fact, if a certificate is revoked by ISACA, the body mandates that it must be destroyed immediately.

Prakash has also observed that some security professionals who list CISA or CISSP certifications in their LinkedIn profiles are not legitimate certificate-holders. “There exists a loophole in the system – companies often do not carry out a background check when it comes to certifications – it’s mostly restricted to verifying previous job experience and educational qualifications,” he says.

Certification, then, is important to maintaining a team’s abilities, but a CSO should never let it become the sole measure.

An avid observer and chronicler of emerging technologies with a keen eye on AI and cybersecurity. With wide-ranging experience in writing long-tail features, Soumik has written extensively on the automotive, manufacturing and BFSI sectors. In the past, he has anchored CSO Alert - CSO India's cybersecurity bulletin and been a part of several video features and interviews.
