How valuable are security certifications today?

When it comes to education, most people agree: more is better. No one embodies that principle, at least in regard to IT certifications, better than Jerry Irvine. CIO of IT consulting firm Prescient Solutions and member of the National Cyber Security Task Force, Irvine holds more than 20 IT certifications, of which at least six are specifically information security-oriented.

"I'll stop getting certifications when I'm dead," says Irvine, though one wonders if even that will dissuade him. Irvine is a strong believer in the notion that the value of certifications in general, and security certifications in particular, shows up in your wallet.

"My opinion is the more certified you are, the more marketable you are. You can prove you know more because you have those certifications," says Irvine. "People look at you and say, 'This guy really does know his stuff.' That gives you the opportunity to make more money."

Anyone who puts in the time and spends the money to get certified is showing they care about staying current with security trends and techniques. That quality makes someone more desirable to an employer, he adds.

As a practical matter, many of today's information security certifications require much hands-on application of skills, such as CompTIA's CASP (Certified Advanced Security Professional), which requires candidates to configure firewalls and routers and perform other security-related tasks as part of the test. Being able to pass proves to a potential employer that you can do certain things, potentially giving you an edge over those who do not hold the certification.

For some jobs, obtaining a particular security certification, whether for information security or physical security, is a requisite for even being considered. In that case, you will surely know if there is a certification you need to obtain. Beyond that, however, attaining certifications is generally a matter of personal and/or employer choice. Some certifications require a great deal of work both in and out of the classroom, as well as sitting for the test. The question: Do they generate return on your investment?

Certifications should not be the end goal so much as a tool you can use in furthering your career, cautions Chris Brenton, an instructor at the SANS Institute and director of information security for CloudPassage, a cloud security provider. Brenton has been delivering certification training for quite a few years but, perhaps surprisingly, does not hold any himself.

Certifications are one way to prove what you know, says Brenton, but there are other ways, especially if you're a good communicator.

"It's how much do you know and how good are you at conveying what you know?" he says.

As someone who oversees hiring security professionals for his company, Brenton looks for experience beyond certification that shows the job candidate has practical skills. For example, if the candidate created a piece of open-source software relating to security (such as for vulnerability scanning or implementing host-level security), that indicates real-world knowledge, he says.

"If the candidate has an active blog or has written a book about security, that tells me more about their expertise than just looking at their resume with certifications," he says. In that case, holding a certification would probably not result in the candidate getting a higher salary offer. Certifications do give an edge to someone when weighed against another candidate without any demonstrated expertise, he adds.

And taking a class or obtaining a certification can be a handy way to fill a gap in your expertise, says Brenton.

"Let's say they understand most aspects of network security but there are still some black-box areas where they need more training."

His students often come for certification when they want to switch jobs or even careers.

The world of threats, both physical and information-based, moves so quickly that certification is a way to show you have training and understand the issues. That said, the certification can quickly be out of date as technologies and threats morph and change. A certification that emphasizes perimeter security skills, for example, might well be perceived as less valuable now than one that focuses on vulnerability assessment and mitigation. And there is sure to be a hot new certification in 18 months to two years, if that long.

Those who obtain one security certification may feel the need to keep going as certifications change with the times. That could translate to more money in the certification provider's wallet than yours. This is less true when it comes to physical security certifications, as physical security threats, at least arguably, do not change as quickly as information security threats.

Whether or not security certification will earn you more, now or in the future, depends a lot on the organization, the job and the industry. If your company values continuing education (and will help foot some of the bill for the training), that is a good indication that certification will elevate your status. If not, you may still want to pursue certification if you are a person like Jerry Irvine, for whom education is its own reward, or you need to build up your resume in anticipation of making a move.

Irvine stands by his record.

"I hire security people. I look for certifications. Getting certified really does show something about a person," he says. "We hire people with certifications."


Stories by Lauren Gibbons Paul
