Wednesday, May 22, 2024

Do Certifications Separate Wheat from Chaff?

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

The emphasis on security in the enterprise has companies scrambling to

beef up their teams or turn to outsourcers. But with so many newcomers

claiming to be security experts, IT managers are looking to security

certifications as proof-positive of a person’s skills.

”When these people are going to be put in charge of auditing or

compliance for an organization, you need some measurement of their

skills,” says Joanne Kossuth, CIO at Olin College, a small university in

Needham, Mass.

Constrained by tight budgets and limited human resources, Kossuth is

looking to outsource her expanding security needs. ”Small to mid-size

organizations are having a rough time having security professionals

on-site and on staff,” she says. ”But you have to know that what you’re

getting is better than what you have.”

Whatever outsourcer she contracts with, Kossuth says she’ll be looking

for certifications, including the industry’s three main vendor-neutral

offerings: the SANS Institute’s Global Information Assurance

Certification (GIAC), the ISC2’s Certified Information Systems Security

Professional (CISSP), and Comptia’s Security+. Kossuth holds the GIAC

certification herself.

Tara Manzow, product manager for the skills development department at

Comptia, says Kossuth is not alone in relying on certifications to seek

out security professionals. In fact, she says the increase in

regulations, such as the Health Insurance Portability and Accountability

Act and Sarbanes-Oxley, are forcing companies to rethink the capabilities

of their security teams.

Manzow points out that the top security problems are a result of human

error. ”The number one mistake companies make is not having their staff

certified,” she says.

According to Manzow, more than 17,000 people will gain the Security+

certification this year. She calls Security+ a foundation for

technician-level jobs. IT personnel that get the certification are

certified for life.

Tom Gonzales, senior network administrator at the Colorado State

Employees Credit Union in Denver, puts stock in the SANS GIAC, which he

says is great for IT managers focused on strategy because it offers a

broad knowledge of the industry. He is a big fan of the practical

assignments that GIAC holders had to complete. However, the SANS

Institute this week announced those practicals are no longer necessary

for certification.

But Gonzales is skeptical of broad-based certifications overall,

including the CISSP, which he holds.

”Certifications aren’t as special as they once were. I would take the

guy who has the knowledge to manage security networks over someone who

has the certification,” he says.

Joel Snyder, a security expert and senior partner at Opus One, a

consultancy in Tucson, Ariz., shares Gonzales’ wariness of


”It’s not the way to delineate your security expertise,” says Snyder.

”Hands-on experience is so much more important and so critical.”

For instance, Snyder says being able to ”parrot” a security model

learned academically is no match for someone who has written a security

policy and has had to argue for it within a corporation.

Critics of vendor-neutral exams say the information presented can appear

out of date. ”Just like a standards body, certification organizations

are too slow to change,” says Andreas Antonopoulos, senior vice

president and partner of Nemertes Research in New York.

He says people are tested on things such as mainframes. ”They have a

fuddy-duddy flavor to them and the information may not apply to the

growing enterprises of today,” Antonopoulos says.

However, he admits that they do provide a common language for security

experts. ”It’s a matter of standardization and showing that you use the

same terminology I do. But I would not assume it to mean that you know

how to deal with today’s technologies.”

Gonzales predicts the certification organizations will begin to go more

in-depth with their programs, homing in on newer technologies, such as

intrusion prevention and detection, with a wider variety of tests.

Experts say these tests already exist from vendors such as Cisco and

Checkpoint Software, but have the stigma of being associated with

specific products rather than neutral learning outlets.

Barbara Vibbert, manager of training and certification at Checkpoint,

says if companies want their employees to have access to the latest

technology education, vendors have the resources to constantly update

their testing programs.

Checkpoint offers several security certifications for various job levels,

including the Checkpoint Certified Security Administrator, the Checkpoint

Certified Security Expert and the Checkpoint Certified Security Expert

Plus. She says these programs range from administration to implementation

to troubleshooting.

”Vendors have a vested interest in keeping their certificants on the

cutting edge,” says Vibbert.

Subscribe to Data Insider

Learn the latest news and best practices about data science, big data analytics, artificial intelligence, data security, and more.

Similar articles

Get the Free Newsletter!

Subscribe to Data Insider for top news, trends & analysis

Latest Articles