CSI - Security certifications: Employers want them

Value of credentials debated

WASHINGTON - Peter Stephenson, an IT security consultant, says he would not bother getting a security certification unless it helped feed his family. In his case, it did.

Some security professionals have begun to question the value of their most highly-valued certifications, as more and more people pass those tests, said Stephenson, a consultant at Eastern Michigan University's Center for Regional and National Security, during a presentation at the Computer Security Institute's (CSI) Computer Security Conference and Exhibition in Washington, D.C.

Many employers, however, still look for those little certification letters on resumes as a way to screen applicants, he said.

Stephenson, a security manager and computer forensics investigator for close to 20 years, did not pay attention to certifications until 2002, when he was laid off from a job. He then decided to seek certifications because headhunters were not calling, even with his years of experience. At one point after taking the Certified Information Systems Security Professional (CISSP) certification in 2002, he posted two versions of his resume on the Internet, one with the CISSP certification listed and one without. The CISSP resume generated several calls from employers, the second resume, even with all his experience listed, generated no calls, he said.

Even though the certificates were helpful in his case, Stephenson said, professionals do have legitimate concerns about them.

"This is a veritable soup of training and certification opportunities, many of which are ill defined, except for the part about the price," Stephenson said. "The problem is the certification companies have turned it into such a money grab that the credibility of some of these certifications are starting to slip."

A representative of CISSP vendor International Information Systems Security Certification Consortium was not immediately available for a comment on Stephenson's talk, but the Computing Technology Industry Association (CompTIA), which offers the Security+ certification, defended certifications as a way for hiring managers to evaluate employees. CompTIA often hears stories from IT workers who say certification have helped advance their careers, said Gene Salois, vice president of certification at CompTIA.

"Certification is the capstone for learning, since it validates that learning has occurred," Salois wrote in an e-mail. "The skill benchmark provided by certification is often used as a criterion for hiring."

Stephenson's comments also generated a healthy debate among the security professionals attending his presentation.

"What do we get for our money here?" asked Terri Curran, director of sponsored research and information security officer at the International Institute for Digital Forensic Studies, based in Weymouth, Massachusetts.

High-level security certifications can provide value, especially for consultants trying to sell their services to customers, answered Joseph Popinski III, director of network security consulting with Information Engineering, based in Huntsville, Alabama.

"Walking in the door with these certifications establishes you as an expert in your field," said Popinski, whose resume includes the CISSP and the Certified Protection Professional certifications.

But Popinski also said he was concerned that more and more security certifications do not require much professional experience. "I want to make (certification) a goal to strive for," he said.

Stephenson agreed that many certifications are easy to obtain. One acquaintance of his, a former stock broker, received a network security certification by reading a book, and others with little practice experience attend intensive "boot-camp" courses, then pass certification tests, he said. "They join that elite bunch of security professionals known as CISSPs, and those of us who've been in this business for more years than I like to think about, we get to stand right next to those people in front of employers, and it becomes a crap shoot as to who's going to get the job," he said.

Stephenson agreed that certifications can provide some benefits. Certifications that require holders to take continuing education classes and require real-world experience are especially valuable, he noted, and some companies require security professionals to get certifications before they can work on some types of equipment. He pointed to certifications from the SANS Institute as especially relevant for technicians and engineers.

Stephenson listed many other benefits of certifications, mostly for people other than those who are already certified. Employers use them as filters for hiring, certification companies make money, professional groups such as CSI get people to come to their conferences for continuing education credits, and sellers of ink benefit as resumes get longer, he said.

"Every one of these certifications has a potential place in your career path," he said. "You, who spend the money and take the course, might actually see some benefit."


Copyright © 2003 IDG Communications, Inc.