The emphasis on security in the enterprise has companies scrambling to
beef up their teams or turn to outsourcers. But with so many newcomers
claiming to be security experts, IT managers are looking to security
certifications as proof-positive of a person’s skills.
”When these people are going to be put in charge of auditing or
compliance for an organization, you need some measurement of their
skills,” says Joanne Kossuth, CIO at Olin College, a small university in
Constrained by tight budgets and limited human resources, Kossuth is
looking to outsource her expanding security needs. ”Small to mid-size
organizations are having a rough time having security professionals
on-site and on staff,” she says. ”But you have to know that what you’re
getting is better than what you have.”
Whatever outsourcer she contracts with, Kossuth says she’ll be looking
for certifications, including the industry’s three main vendor-neutral
offerings: the SANS Institute’s Global Information Assurance
Certification (GIAC), the ISC2’s Certified Information Systems Security
Professional (CISSP), and Comptia’s Security+. Kossuth holds the GIAC
Tara Manzow, product manager for the skills development department at
Comptia, says Kossuth is not alone in relying on certifications to seek
out security professionals. In fact, she says the increase in
regulations, such as the Health Insurance Portability and Accountability
Act and Sarbanes-Oxley, are forcing companies to rethink the capabilities
of their security teams.
Manzow points out that the top security problems are a result of human
error. ”The number one mistake companies make is not having their staff
certified,” she says.
According to Manzow, more than 17,000 people will gain the Security+
certification this year. She calls Security+ a foundation for
technician-level jobs. IT personnel that get the certification are
certified for life.
Tom Gonzales, senior network administrator at the Colorado State
Employees Credit Union in Denver, puts stock in the SANS GIAC, which he
says is great for IT managers focused on strategy because it offers a
broad knowledge of the industry. He is a big fan of the practical
assignments that GIAC holders had to complete. However, the SANS
Institute this week announced those practicals are no longer necessary
But Gonzales is skeptical of broad-based certifications overall,
including the CISSP, which he holds.
”Certifications aren’t as special as they once were. I would take the
guy who has the knowledge to manage security networks over someone who
has the certification,” he says.
Joel Snyder, a security expert and senior partner at Opus One, a
consultancy in Tucson, Ariz., shares Gonzales’ wariness of
”It’s not the way to delineate your security expertise,” says Snyder.
”Hands-on experience is so much more important and so critical.”
For instance, Snyder says being able to ”parrot” a security model
learned academically is no match for someone who has written a security
policy and has had to argue for it within a corporation.
Critics of vendor-neutral exams say the information presented can appear
out of date. ”Just like a standards body, certification organizations
are too slow to change,” says Andreas Antonopoulos, senior vice
president and partner of Nemertes Research in New York.
He says people are tested on things such as mainframes. ”They have a
fuddy-duddy flavor to them and the information may not apply to the
growing enterprises of today,” Antonopoulos says.
However, he admits that they do provide a common language for security
experts. ”It’s a matter of standardization and showing that you use the
same terminology I do. But I would not assume it to mean that you know
how to deal with today’s technologies.”
Gonzales predicts the certification organizations will begin to go more
in-depth with their programs, homing in on newer technologies, such as
intrusion prevention and detection, with a wider variety of tests.
Experts say these tests already exist from vendors such as Cisco and
Checkpoint Software, but have the stigma of being associated with
specific products rather than neutral learning outlets.
Barbara Vibbert, manager of training and certification at Checkpoint,
says if companies want their employees to have access to the latest
technology education, vendors have the resources to constantly update
their testing programs.
Checkpoint offers several security certifications for various job levels,
including the Checkpoint Certified Security Administrator, the Checkpoint
Certified Security Expert and the Checkpoint Certified Security Expert
Plus. She says these programs range from administration to implementation
”Vendors have a vested interest in keeping their certificants on the
cutting edge,” says Vibbert.