Security Certifications: Are They Worth Earning?
With an estimated 3 million unfilled cyber security jobs around the world, and more expected to open as enterprises invest more in increasing their defenses, security professionals looking for work or a promotion have their pick. However, this open market raises some questions: Who has an edge when it comes to getting those jobs? Will a certain cyber security certification help when it comes to edging out the competition? The (perhaps unsurprising) answer: It depends.

The International Information System Security Certification Consortium, (ISC)², notes that these types of accreditations are a key to getting a better cyber security job within an enterprise, or to breaking into the field in the first place. In a recent report based on responses from over 1,400 participants, (ISC)² noted that nearly 50 percent of respondents reported that relevant cyber security experience was the most important factor in hiring. A little further down the list, another 37 percent of respondents noted that a degree and certifications are a major factor when hiring. (It should be noted that (ISC)², a non-profit, offers a number of certifications for its membership, including Certified Information Systems Security Professional (CISSP), Information Systems Security Architecture Professional (CISSP-ISSAP), Information Systems Security Engineering Professional (CISSP-ISSEP), Information Systems Security Management Professional (CISSP-ISSMP) and others.)

The importance of certifications remains in the eye of the beholder. "Cyber security certifications are essential to showing the level of knowledge of a cyber security professional. However, they should never alone be the only reference," Joseph Carson, the chief security scientist at security vendor Thycotic, told Dice in an email. "There are many cyber security certifications available, but it really comes down to what skillset or direction the individual wants to go," Carson added.
"Certifications range from penetration testers, government/industry regulatory compliance, ethical hacking to industry knowledge. Some certifications are entry-level and others require several years of experience with peer references before getting certified." Carson noted that the CISSP certification holds a good deal of respect among professionals. He also noted several other accreditations, including:
  • CEH (Certified Ethical Hacker)
  • OSCP (Offensive Security Certified Professional)
  • CISA (Certified Information Security Auditor)
  • GCIH (GIAC Certified Incident Handler)
While these types of certifications are good to have and show employers that the candidate is interested in continuing education, "certifications should be combined with solid industry experience to get the right level of skillset required," Carson added.

Another cyber security expert, Chris Morales, head of security analytics at Vectra (which uses A.I. to detect and hunt for cyberattacks), suggests that nothing beats real-world experience. "I wouldn’t call any certification a ‘need to have,’" Morales wrote in an email. "I consider all of them ‘nice to have.’ Personally, I like the hands-on qualifications like those provided by SANS that show practical skills. They offer classes, such as ethical hacking, which I think would help any security practitioner understand how attacks really work."

Nathan Wenzler, the senior director of Cyber Security at Moss Adams, a Seattle-based accounting, consulting and wealth management firm, believes that different jobs within an enterprise's security apparatus can benefit from different certificates. "Today’s information security teams have to be able to address a wide variety of problems and situations from countering and defending against cyberattacks to participating in the risk management planning efforts of their organization’s business teams," Wenzler wrote in an email to Dice. "This means finding well-trained staff across many different disciplines to be part of a complete security program effort. Fortunately, there are just as many varied training and certification programs to help build expertise in whatever area of security you need to address."

For example, for entry-level staffers, Wenzler might recommend CompTIA’s Security+ or the Global Information Assurance Certification (GIAC) Information Security Fundamentals (GISF) as places to start.
Higher up the seniority scale, Wenzler points to the CISSP certificate, as well as the Information Systems Audit and Control Association (ISACA) Certified Information Security Manager (CISM) certification. Getting into the technical weeds of cyber security, Wenzler points to some of the same ones Carson mentioned, including CEH and OSCP, as well as the GIAC Certified Penetration Tester (GPEN) and the GIAC Certified Intrusion Analyst (GCIA). Companies such as Microsoft, Red Hat, Oracle, Cisco and others all offer their own certifications for their specific platforms and applications.

In any case, since cyber security varies so much from business to business, and even from department to department, no single set of certificates could cover everything an enterprise and its CISOs need. "Ultimately, there’s no single security certification that would cover every type of security professional needed for a modern information security team," Wenzler added. "Hiring managers should look for the certifications that are relevant and focused on the skillset needed for a particular role. Fortunately, there are plenty of certifications to choose from that are reputable and legitimately represent the certification holder’s level of expertise in whatever type and level of job is needed."