Employers want security certifications

[InfoSec News <isn () c4i org>]

Forwarded from: William Knowles <wk () c4i org>

http://www.nwfusion.com/news/2003/1105seccert.html

By Grant Gross
IDG News Service
11/05/03

Peter Stephenson, an IT security consultant, says he wouldn't bother 
getting a security certification unless it helped feed his family. In 
his case, it did. 

Some security professionals have begun to question the value of their 
most highly-valued certifications, as more and more people pass those 
tests, said Stephenson, a consultant at Eastern Michigan University's 
Center for Regional and National Security, during a presentation at 
the Computer Security Institute's (CSI) Computer Security Conference 
and Exhibition in Washington, D.C. 

Many employers, however, still look for those little certification 
letters on resumes as a way to screen applicants, he said.

Stephenson, a security manager and computer forensics investigator for 
close to 20 years, didn't pay attention to certifications until 2002, 
when he was laid off from a job. He then decided to seek 
certifications because headhunters weren't calling, even with his 
years of experience. At one point after taking the Certified 
Information Systems Security Professional (CISSP) certification in 
2002, he posted two versions of his resume on the Internet, one with 
the CISSP certification listed and one without. The CISSP resume 
generated several calls from employers, the second resume, even with 
all his experience listed, generated no calls, he said. 

Even though the certificates were helpful in his case, Stephenson 
said, professionals do have legitimate concerns about them.

"This is a veritable soup of training and certification opportunities, 
many of which are ill defined, except for the part about the price," 
Stephenson said. "The problem is the certification companies have 
turned it into such a money grab that the credibility of some of these 
certifications are starting to slip." 

A representative of CISSP vendor International Information Systems 
Security Certification Consortium  wasn't immediately available for a 
comment on Stephenson's talk, but the Computing Technology Industry 
Association (CompTIA), which offers the Security+ certification, 
defended certifications as a way for hiring managers to evaluate 
employees. CompTIA often hears stories from IT workers who say 
certification have helped advance their careers, said Gene Salois, 
vice president of certification at CompTIA. 

"Certification is the capstone for learning, since it validates that 
learning has occurred," Salois wrote in an e-mail. "The skill 
benchmark provided by certification is often used as a criterion for 
hiring." 

Stephenson's comments also generated a healthy debate among the 
security professionals attending his presentation.

"What do we get for our money here?" asked Terri Curran, director of 
sponsored research and information security officer at the 
International Institute for Digital Forensic Studies, based in 
Weymouth, Mass. 

High-level security certifications can provide value, especially for 
consultants trying to sell their services to customers, answered 
Joseph Popinski III, director of network security consulting with 
Information Engineering, based in Huntsville, Ala. 

"Walking in the door with these certifications establishes you as an 
expert in your field," said Popinski, whose resume includes the CISSP 
and the Certified Protection Professional certifications. 

But Popinski also said he was concerned that more and more security 
certifications do not require much professional experience. "I want to 
make (certification) a goal to strive for," he said. 

Stephenson agreed that many certifications are easy to obtain. One 
acquaintance of his, a former stock broker, received a network 
security certification by reading a book, and others with little 
practice experience attend intensive "boot-camp" courses, then pass 
certification tests, he said. "They join that elite bunch of security 
professionals known as CISSPs, and those of us who've been in this 
business for more years than I like to think about, we get to stand 
right next to those people in front of employers, and it becomes a 
crap shoot as to who's going to get the job," he said. 

Stephenson agreed that certifications can provide some benefits. 
Certifications that require holders to take continuing education 
classes and require real-world experience are especially valuable, he 
noted, and some companies require security professionals to get 
certifications before they can work on some types of equipment. He 
pointed to certifications from the SANS Institute as especially 
relevant for technicians and engineers. 

Stephenson listed many other benefits of certifications, mostly for 
people other than those who are already certified. Employers use them 
as filters for hiring, certification companies make money, 
professional groups such as CSI get people to come to their 
conferences for continuing education credits, and sellers of ink 
benefit as resumes get longer, he said. 

"Every one of these certifications has a potential place in your 
career path," he said. "You, who spend the money and take the course, 
might actually see some benefit." 


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.