The Benefits of IT Security Certifications
Employers are inundated with resumes for IT positions—even in newer areas such as information security. Employers filter these resumes based on experience, salary requirements and familiarity with similar IT infrastructures. But they also filter resumes based on the certifications earned by job candidates.
So how do you decide which information security certifications are most important for you?
With all the information security certifications out there now, it is difficult to decide which ones matter, which don’t and which are appropriate for your specific situation. This rather complicated set of questions may very well have simple answers. While information security certifications can be used in a variety of different situations, the most prevalent are the following:
- Job Hunting: As described, certification may be used as a qualifying factor or screening device in the most sought-after positions. Lacking the proper credentials will ensure that your resume does not make it past human resources.
- Promotion: The increasing visibility of the role information security plays in an organization is leading to a vast expansion (or creation) of these departments. When managers are looking for leaders in this field, it certainly pays to have a few choice information security certifications under your belt. Failure to acquire credentials that are recognized by these decision-makers can close the door of opportunity.
- Consulting: There may be no other situation in which an information security credential is more worthwhile. As a consultant you are constantly selling your expertise and advice to others you are meeting for the first time. In many cases there is not even a chance to dazzle them with your expertise until the contract is won. Well-recognized and well-respected information security certifications instantly convey a sense of expertise, professionalism and ethics. With a communication mechanism as small as a business card, you can gain instant credibility if you have the right qualifications.
Given these situations, which information security credential is the right one for you? Several factors will influence your answer.
Which situation applies to you? For job hunting it can be rather easy to identify the necessary credentials. Just search for the jobs you want and survey the credentials that are required. For the most part, this will be the Certified Information Systems Security Professional (CISSP) and the Certified Information Systems Auditor (CISA). For specific technical jobs, vendor-specific credentials will apply as well.
Does the situation require a more technical or a more high-level (managerial/business decision) point of view? The configuration of a firewall or hardening guidelines for a specific operating system requires a more specialized security credential. Engineers may be certified on certain types of firewalls, for instance. More general technical knowledge can be assumed from the GIAC Security Essentials Certification (GSEC) credential. For a more high-level point of view, look to the CISSP, as this certification requires a broad knowledge base across all disciplines of security.
Does the situation require you to act in a “build it” or “check it” mode? “Build it” mode refers to situations in which you may be called to design, configure, code, integrate or operate a security architecture or security mechanism. “Check it” mode refers to situations in which you may be called to evaluate, assess, test or approve a security implementation. All technical security certifications, as well as the CISSP, speak to the ability to operate competently on the “build it” side. The CISSP and the CISA speak to a person's ability to operate on the “check it” side of security engineering.
It is important to consider one final thing about information security credentials. Your certification is not the only way to determine whether you are well suited to a position. Few people believe that all individuals with a specific certification have the same skill level, experience and ethics. Still, if you have the right certification, it shows that you meet a minimum standard of ethics, knowledge and, in some cases, years of experience. The fact that you have pursued, studied for and obtained these certifications shows that you see yourself as a professional in the field.
For more information on security certifications, see www.veridyn.com.
Doug Landoll is president of Veridyn Inc., a top-tier information security consulting firm specializing in regulated industries. Landoll currently holds both the CISSP and the CISA certifications and is pursuing the GSEC. He is also the course developer and lead instructor for publicly offered CISSP preparation courses for Global Knowledge and St. Edward’s University Professional Education Center in Austin, Texas, and privately offered CISSP preparation courses through Veridyn.