"I look for certified candidates specifically from (ISC)2 and ISACA because of their stringent implementation of a code of ethics," says Abbas Kudrati, information security manager at the National Bank of Kuwait. "At (ISC)2 or ISACA, you don't get the title by just passing an exam. Individuals are held to much higher standards and above all trained to discharge professional responsibilities with integrity," he says. "If I am giving my entire bank's network to an individual for testing I need to have some assurance that they are ethical."
"We see a continuation of trends in IT security certifications from 2011," says John Reed, executive director for Robert Half Technology, an IT staffing firm. "However, moving into 2012, I see employers seeking certified candidates more because of the value they place on ethical integrity."
The list of 2011's top five IT security certifications included the same certifications, but in a much different order. Vendor certifications topped the list for 2011, followed by CISSP, CEH, CISM and GIAC. (See Top 5 IT Security Certifications for 2011)
The main factor pushing demand for certifications a year ago was the recognized need for skilled IT security and network professionals to protect critical infrastructure, implement emerging technologies and handle the move by healthcare organizations to electronic health records.
For 2012, the rise in security incidents and mobile devices creates hot demand for certifications such as the GIAC, which are technically focused in specific areas of forensics, incident response and application security.
One consistent year-to-year trend: Companies continue to spend money on their employees pursuing certification programs. "We reimburse employees upon successful completion of their certification," says Dave McKnight, a manager in the security & privacy group of Crowe Horwath's risk consulting practice. "We pay once, but cover the full amount of test, study material and maintenance fees."
Top 5 Certifications
Based on a review of job boards and interviews with IT security recruiters and employers, here is our list of the top five security certifications for 2012:
The Certified Information Systems Security Professional continues to be the gold standard in certifications. At Crowe Horwath, CISSP is mandatory for all managers because of the common body of knowledge and baseline foundation on security this certification covers. "As we interact with clients, the CISSP is a good dialogue to start with," McKnight says. "It shows our commitment not only in security expertise, but also value placed on real-world experience."
The CISSP, which is known for its high-level overview on the profession, has recently opened the certification for further specialization in areas such as architecture and management.
The push for this credential is also coming from the U.S. Department of Defense 8570.1 Directive, which requires all government and contract employees working on DoD IT projects to carry an approved certification for their particular job classification. "CISSP is #1, primarily because it covers almost every area within the 8570 directive," says Ray Kinard, director of the Northrop Grumman Cyber Academy at Northrop Grumman, an American global aerospace and defense technology company.
CISSP certification is usually for mid and senior management IT security positions. This certification is offered through (ISC)2, the not-for-profit consortium that offers IT security certifications and training.
The CISSP examination is based on what (ISC)2 terms the Common Body of Knowledge (CBK). Candidates interested in taking the exam must possess a minimum of five years of direct full-time security work experience in two or more of the 10 (ISC)2 information security domains of the CBK, and agree to abide by the (ISC)2 code of ethics and continuing education policy. In addition, they need to pass the exam with a scaled score of 700 points or greater out of 1000 possible points. The exam is multiple-choice, consisting of 250 questions with four options each, to be answered over a period of six hours.
Certified Information Security Manager is in demand, as organizations increasingly need executives to focus on governance, accountability and the business aspects of security. "Companies are looking for professionals with experience on both sides of the security fence," says Alice Hill, executive director for Dice.com, an IT job site. "They need candidates to identify and manage risks, as well as understand the relationship between information security and business goals."
As with the CISSP, the 8570 Directive requires CISM certification for senior managers who focus particularly on governance, compliance and risk management issues. "As we do a great deal of work with the Dept. of Defense," Kinard says, "we continue to look for and support attainment of CISM and other certifications as a business driver."
CISM is ideal for IT security professionals looking to grow their career into mid-level and senior management positions. CISM is offered by ISACA, an international professional association that deals with IT Governance.
The CISM designation is awarded to individuals with an interest in security management who meet the following requirements: pass the CISM exam; adhere to ISACA's code of professional ethics; agree to comply with the continuing education policy; submit verified evidence of a minimum of five years of IT security work experience, including a minimum of three years of management work experience; and submit an application for CISM certification.
Global Information Assurance Certification is rising in demand specifically in areas of incident handling, forensics, intrusion detection and reverse malware engineering. Many organizations are seeking such experts for their IT security teams because of the growing threat landscape and rise in security incidents. "The GIAC certifications are hard-core and very specialized, which provides me an assurance that these candidates are truly proficient in what they do," says Kudrati.
Usually, professionals turn to GIAC certifications to get further expertise in a particular discipline. As a hiring manager, McKnight sees a lot more emphasis given to GIAC certifications in the last two-to-three years because of their hands-on technical training. "With what's going on in the industry, every company will need to assemble a team with one of these experts and target the ones that carry a certification and know-how package."
The GIAC is essentially geared toward mid-level security professionals who are looking to carve out a niche career path for themselves. The certification is offered by the SANS Institute, a cooperative research and education organization.
There are no official prerequisites to take the GIAC certifications. Any candidate who feels that he or she has the knowledge may take the exam. Candidates can pursue GIAC exams with or without purchasing SANS training. The exam fees usually include two practice exams and one proctored exam. Each exam is accessed from the candidate's SANS portal account and must be taken within 120 days. Exams are taken online; however, SANS now requires that a proctor be present when candidates take their test.
Certified Ethical Hacker is gaining popularity as companies seek experts to perform web application and penetration testing to ensure their infrastructure is secure. "A blooming field is security testing, and certifications like CEH are challenging technically and very valuable," Kinard says.
This certification is useful for entry-to-mid-level practitioners that are looking to conduct vulnerability assessments. "The CEH is currently preferred by most big employers for entry-level security positions," Reed says. "Employers feel these are professionals they can trust with critical IT security issues."
CEH is offered by the International Council of Electronic Commerce Consultants (EC-Council), a professional certification body. EC-Council's goal is to certify security practitioners in the methodology of ethical hacking. The credential largely demonstrates an understanding of the tools used for penetration testing.
To obtain the CEH, candidates can choose a path of self-study or complete a training course offered by EC-Council. Candidates must have at least two years of security experience and must sign an agreement to not misuse the knowledge acquired.
Securing an organization's infrastructure and keeping up-to-date with emerging technologies are critical. Vendor certifications with a security focus, including Cisco's Certified Network Associate (CCNA) and Microsoft's Certified Systems Engineer (MCSE), as well as Check Point's Certified Security Expert (CCSE), are particularly in demand. The top information security certifications Dice has tracked for 2011 include Cisco Certified Security Professional and Check Point Certified Expert. "Demand for these certifications has been trending upwards, showing growth of above 50 percent since last year," says Hill.
These certifications are also on the rise because of their in-depth technical focus. "They help in understanding the technical skills associated with what professionals are trying to defend, and the inherent security capabilities of the infrastructure," Kinard says.
For most entry-level positions requiring one to two years of experience, employers seek vendor certifications, Security+ and the CEH credential. Mid-to-senior positions demand more mature training in CISSP, CISM and GIAC.
Other certifications in demand include Security+, Offensive Security Certified Professional, Cloud Security Alliance's new Certificate of Cloud Security Knowledge, Systems Security Certified Practitioner and Certified in Risk and Information Systems Control.
"Certifications cannot be a substitute for on-the-job experience, but they are turning out to be a good measure for both proficiency and character," Kudrati says.