
The value of information security certs

According to a just-released report from Global Information Security Workforce, there's been a 10% annual growth rate for the information security profession, despite the projected economic slowdown. Here's what the report has to say in regard to information security certifications.

It's hard to believe now, but just a few years ago, only the largest organizations were concerned with the need for network security. Now, of course, even smaller organizations are seeing the importance of security.

According to a just-released report from Global Information Security Workforce, there's been a 10% annual growth rate for the information security profession, despite the projected economic slowdown. Over the next couple of weeks, we'll be covering other notable findings/trends from the report, including hiring outlook for IT security pros and the increase in the number of security professionals reporting directly to senior management or the board of directors (almost half).

Today, I'll cover one aspect of the report: the recognition and appreciation by hiring managers of information security as a specific skill set.

Since the need for this expertise is relatively new, there weren't that many people out there with hands-on security experience until a few years ago. Hiring managers tended to depend on certifications as a criterion for hiring an employee in lieu of experience. According to the report:

Attaining a security certification made an important statement to potential employers that an individual had sought out the knowledge, skills, and abilities to defend an organization against possible breaches and build up defenses. This achievement placed candidates ahead of their peers, as additional metrics beyond certification were not available.

Although candidates are now gaining hands-on experience, security certifications still ranked high among hiring managers, with 78% of them citing certs as "very important" or "somewhat important."

The current issue is that today there are more than 40 vendor-neutral certs and more than 25 vendor-specific certs available. Frost and Sullivan, a firm hired to provide detailed insight into the report, maintains that this issue may "cause a dilution effect in the marketplace, which will make it a challenge for all certifications to differentiate themselves in the future" and that the onus will fall onto the sponsors and providers of security certs.

Bottom line for IT pros

Information security is a hot field right now and getting hotter, so much so that you will need to differentiate yourself from the crowd. One way is to carefully choose which security cert you attain and to get as much experience in the trenches as you can.

About

Toni Bowers is Managing Editor of TechRepublic and is the award-winning blogger of the Career Management blog. She has edited newsletters, books, and web sites pertaining to software, IT career, and IT management issues.

13 comments
profits

From the desk of Mike Ndegwa www.mikesnotice.com/blog Many Thanks for allowing me to pass this message to all developers and internet marketers: Anti email harvester Email harvesters are crawling the Internet 24 hours a day, searching for unprotected addresses to be added to massive spam mailing lists and then sold. Help reduce the amount of spam you receive with this script. regards, Mike Ndegwa www.mikesnotice.com/blog

Neon Samurai

The next natural question is what are the better known security certs out there and which are of value? I'm currently working through this progression: Sec+ -> CEH -> CREST -> {CISSP possibly} Sec+ -> SSCP. There are some other non-security CompTIA certs on my todo list also but these are the core of collecting validating documentation for the skills I've been learning since the Coleco Adam was new. The CEH is going to be a fun exam but requires two years documented work experience so I've until next April before "documented" makes me eligible to write. The CREST is going to be a whole lot of work but we'll see if that's next after the CEH is done with. The SSCP is what the industry recognizes and doesn't contain that word that scares so many people beyond rational thought: "Hacker". I do have one problem with the SSCP though. You have to answer three questions to be eligible. They verify that you are (or can answer as if) a moral and upstanding professional. One of them is "I do not associate with Hackers". If I've already written the CEH, how do I not associate with myself? ;) Actually, it's more than semantics. Is information security not the exact sort of work that true Hackers (not the criminals mistaken for them) would be attracted to? Is someone inquisitive but morally upstanding with a higher technical understanding than most not the ideal candidate? I know, I know; they mean "I do not associate with criminals" but it's hard to warm up to a professional certification that makes a point of demonizing the very type of applicant who should apply. "I do not associate with Hackers" - Bite me.. I don't associate with criminals. If I didn't associate with other Hackers, I wouldn't have a quarter of the knowledge I've sought out. I want to show up wearing one of Think Geek's "Hacker" work shirts when I write the exam. Sorry, off topic rant. I really would like to write the SSCP since it's most recognized by businesses (read HR clerks).
The questions cause me pause, although I'm the exact type that should be in system security (strong moral and honorable ethics; the Samurai Hacker if you want a label). I don't mind passing the exam and only being an "assistant SSCP" until a current cert holder can validate my application. The question though: is my Sec+ to CEH to CREST a rational progression? Are there other certs out there that would be of far more value?

techie.brandon

I'm looking to hear from people that have security related certs and work outside of strictly an advisory role, maybe in a development role, and how those certs have helped you in your career path. Also, what certs do you feel are most valuable personally, maybe not the one that the industry feels is the most important but the one you feel like you get the most mileage out of day-to-day.

Neon Samurai

" Many Thanks for allowing me to pass this message to all developers and internet marketers: " That bit made it look like spam but I read what the recommended code was doing. Nice fix, I've read nearly the same approach for PHP also. Now, what do we do when harvest code figures out a way to render the page then scan the content text? (I know what I'd do but I haven't the time to visit every spammer personally ;) )

me19562

Neon, if you want to obtain those certificates for your own personal and professional growth, that will be good for you. If you are looking for recognition then you can take a little different path. Basically the Security+ and SSCP are considered to be at the same level, the entry level. So if you want to save some money just do one of them. The Security+ test is cheaper than the SSCP. Then if you decide to go after the CISSP (which I recommend) you will require 1 year less of direct experience for the CISSP by having either the Security+ or the SSCP.

JK

If you look at TX occupancy code section 1702 under Private Security Consultant you will find that what we do as outside security consultants requires a license and insurance ($10k fine to anyone that hires an unlicensed consultant & $10k fine plus Class A misdemeanor for the unlicensed!). I have my CISSP and PMP and am a TX licensed Private Investigator and PSC. Most other states are either at this point or heading this way fast. In some states violations are felonies! That will definitely put a crimp in your career path! I currently do computer / cell phone forensics, build nasty toys, and perform security audits. All the certifications in the world won't stop them from arresting you. So check the private investigator laws/boards to make sure you are legal before you worry about what way to go. It wasn't so bad when I was in-company but now that I am out, with my own company, it is a whole new world!

ddigennaro

I have had my CISSP certification since 2001. While it will open doors for you and give you a wide berth of knowledge, you will still have to pursue the details for specific equipment-related vulnerabilities. But, then again, that is what it is designed to do. For my past 3 engagements, I have been the first one in and I had to create an information security dept. from scratch where previously there was none. Obtaining the CISSP certification gave me the knowledge of how to structure the groups that I had to create as well as the expertise for keeping the bad people out. Well worth it.

Neon Samurai

I've been planning to write Net+, Linux+ and maybe Server+ as add-on certs; A+, Sec+, Net+ rounds out the cert grounding nicely I think. Sec+ was a fun test to write. It was more fun reading for it (many reminders, some new things, some updated things). My biggest challenge was using the CompTIA terms instead of the normal terms I know things by. Another example was a question about finding a breached server; do you unplug it or leave it as is. This is really a question of company policy. Has the company previously chosen to leave breached servers in place to maintain evidence or has it chosen to shut down breached servers to avoid further damages by the attacker? I chose one answer, CompTIA feels the other answer is more correct; such is life. I guess I can pass on SSCP from the sounds of it. That one was purely recognition but if it's the same as Sec+ then it's covered. The CEH is mostly for personal interest but everybody has to work too and it has the shortest wait time before I can write. I'm also hoping it's more HR eye catching than Sec+ on its own. When I first heard about CEH, I nearly wet myself at the realization that pentesting certs finally existed. If I'd had even a dream of such a thing back in my highschool years, I'd have been much more strategic in my drift towards a career. I've the experience but not the "documented work" to prove it so I'm collecting certs now to validate the experience from before. CISSP still leaves a bad feeling with its "I do not associate with Hackers" validation question on the exam; a cert that demonizes the ideal candidate. It is the industry standard and only military recognized ISO certified qualification so it's still on my wishlist to reconsider when I have the required years of documented experience and a cert holder to validate my application. Five years documented experience in an IT security role is a pretty stiff requirement and I'm not yet desperate enough to consider a paper cert.
Really, my goal is to return to an IT shop where I can talk in plain geeklish and not get blank stares from everyone in the room. I'll start as low as my family budget can afford and work my way up happily. I know where my strengths are and have come to accept that they will only atrophy the longer I'm "outside" remembering technologies as they slip into obsolescence. The "Caveman" IT worker type from last week's article was a little too close to home except that my dayjob isn't tech. The more non-IT experience I rack up on my resume, the more I get to hear about how my last documented job was not in IT (and on they move to the next applicant). Info Security has been the topic I always come back to after any tangent of interest so that's the "specialization" I'll work towards. Besides, info security will never go away, is always evolving with each new "feature" and touches all areas of computing so I'm still using "general skills" to understand how all the parts work together. I'd be happy if my contract work income increased over my salary but the ideal would be working back in an IT shop with my few contracts still on the side. My benchmark is still the job previous to University. It was a small b2b value added reseller; we set up and maintained networks for local businesses and provided web hosting. I built servers and workstations, installed and configured the software, set up the networks for the client and did support calls, designed database-backended websites (Coldfusion is/was great), managed registration of domains and administration of http/ftp/email on our server and made liberal use of buying parts from our vendors at wholesale cost. I continue to explore what hardware and software can do beyond manufacturer's recommendations but it's temporarily not my day job. While it is hard to top wholesale cost for hardware, any job that can lead towards info security and pentesting is a step up.
I guess your take on my initial post is that the progression of certs listed would be worth doing for self interest but only Sec+, SSCP and CISSP are recognized by most still and SSCP is pretty much the same as Sec+. Good things to consider.

Dr Dij

I'm a developer but have an interest in security. I went thru the ACM's Security+ courses online (and Mindleader's). Then took a test prep simulated Sec+ (90 questions, have to finish all in one sitting) and passed with 76 on first try. Already had a good network and computer background but did learn a few new things regarding encryption and management of keys. The topics for CISSP look very similar. I'd suggest anyone join the ACM - dirt cheap and lots of good courses. They may be all you need or you might buy extra. They have security books online too, O'Reilly and Books24x7 both.

LouCed

Thanks for the info, who would have thought.

Eoghan

Golly, Missy - I hate to tell ya, but, when I got my CISSP over 10 years ago, I already had 30 years experience in information security. (My cert number is in the low 4 digits.) This is a common mistake -- Information Security is NOT Information Technology Security. IT Security is only a small piece of a true Information Security Professional's responsibilities. As for me, I was working in encryption in the late 1960s. Now tell me how that isn't InfoSec? Security engineers, security admins, yep, they're in the IT shop. When you get up to Security Manager, Information Security Officer, CISO, you'd better be placed somewhere better in the org chart.

Neon Samurai

I'm a big believer in keeping the bad guys out by making sure the good guys can't get in either; if one doesn't test their security, how do they know it's of any effect? A few questions after setting up info sec departments: how do you go about auditing? Do you set up active pen testing in-house or hire out a contractor? If you use contractors, through where do you locate their services?
