Security Certifications Spark Debate

Even if the industry as a whole has been in a slump, this may be your opportunity to find work in information security.

U.S. citizenship can be useful right now. The federal government and the contracting companies that provide a big chunk of its technical work force are pushing hard to hire anyone with security experience.

One question to consider if you want to try for a security job is whether getting one of the several available security certifications will help you get hired. The jury is still out on the value of certification—within the security community, opinions run the full range from scathing disdain to enthusiastic promotion.

One example of the disagreement within the security community surrounds the best-known certification, the Certified Information Systems Security Professional, which is given by the International Information Systems Security Certification Consortium. The CISSP requires that the candidate have three years of experience in the field and pass an exam consisting of 250 questions drawn from 10 security domains. Longtime information security practitioners disagree as to the correctness or applicability of some of the test questions and on whether passing the test is a true measure of a person's real-world security expertise. An alternative that's more oriented to hands-on technical skills is the Global Information Assurance Certification, or GIAC, found at

One thing to keep in mind is that certifications are a cash cow. The tests themselves cost money ($450 for the CISSP), the classes and study guides cost money, and the conferences and tutorials cost money. It is in the best interest of those companies offering tests and classes to promote the value of certification to the industry as a whole and to your career in particular.

Those folks who have already invested considerable effort and money in becoming certified also have a vested interest in making sure their efforts have value.

The majority opinion among the rest of us seems to be that the value of certifications is in providing a sorting tool for nontechnical HR directors and hiring managers. Some contracting companies get higher rates for certified professionals, but that's not always the case. An alternate way to make yourself more valuable is to network with other professionals and get your name out in public by writing for journals and Web sites, speaking at conferences, and joining professional organizations such as Usenix. By adding value to the security community as a whole, you add value to your career, too.

Jody Patilla is a security consultant and can be reached at [email protected]