Security Awareness Programs & Computer-Based Training
The Employment Value of Multiple Certifications
Map Out Your Career - And Then Invest in It "Jobless recovery." That's one term used by observers to describe today's economy. It means that the economy is slowly improving, but without the corresponding growth in hiring and new job creation.To stand out in the hiring process, then, IT pros must seek out not just one, but multiple professional certifications to specialize and bolster their resumes, says Brian R. Schultz, a Senior Board Member (ISC)² who holds these certifications: CISSP-ISSMP, ISSAP, CISM and CISA. "Security certifications are on employer's minds these days, as companies look for certified personnel to safeguard assets," says Tracy Lezner, CEO, Lenzner Group, an executive security search and consulting services firm based in New York. "We are seeing more and more employers make certification a standard and a criterion for hire".
In this situation, security professionals need to make the right decision pursuing multiple certifications. Kent Anderson, CISM, a senior member of ISACA's Security Management Committee, advises prospects to ask 'Where do I want to go in my career?" Then weigh the value of certifications. "The power of certification is amazing to help security practitioners be what ever they want to be in the future," he says.
Ronald W. Pelletier, CISSP, CISA, CISM, CBCP, is a former senior manager of security risk advisory services at Ernst & Young, LLP. He was recently laid off and has acquired a new position as a senior security consultant with a private security consulting company. Being certified in multiple areas of specialization within security definitely gives him an edge in the hiring and interview process. "There is a confidence level in the job search, interview approach and overall job performance which certifications provide," Pelletier says.
Hiring Manager's View
For Debbie Wheeler, Chief Information Security Officer (CISO) Fifth Third Bank, certifications make a difference when evaluating a multitude of candidates and are used as an initial prioritization of candidates. "Certifications can initially draw a hiring manager's attention to a specific candidate, but hiring decisions, ultimately come down to the hands on experience and overall qualifications of the individual," she says.
For security positions, Wheeler usually looks for CISSP, CISA or CISM certifications, followed by other industry or software specific certifications such as forensic certifications or tool based certifications.
"When competing against someone else, one would like to think having multiple certifications will help over someone not having any or not the right combination," says Richard J. Roberts, RF, ARM, CPCU, ALCM, MBA, a senior board member with the Risk and Insurance Management Society (RIMS). In the end, no matter how many certifications one has, it still comes down to how one applies those certifications and how one uses that acquired information to help their present or new employer. "Certifications always bring value and speak volumes of an individual's capability," says Anderson. A combination of right certifications tells employers that this person is committed, adaptable and possesses the breath and depth of knowledge and experience required for the job.
Security Professionals, however, need to convey how all of their background will help the employer, so the certifications are just a piece of the puzzle. "The blending of proper expertise with proper education and certification will work the best for all individuals," adds Roberts. "Key to this is that you need to be able to communicate your value to employers."
Types of Certification
There are basically two types of certification available: Technical and Experience-Based. Within Technical the most common are: CompTIA Security, certified ethical hacking (CEH), the global information assurance certification (GIAC) and vendor certifications offered by CISCO and Microsoft such as, CCIE, CCNA, CCNP, MCSE, MCSA are very popular.
Experienced based certifications, which are most sought after, include: The certified information systems security professionals (CISSP), the certified information systems auditor (CISA) and the certified information security manager (CISM).
The market is flooded with a host of technical certifications provided by vendor product companies - all of which help individuals gain technical competency and demonstrate thorough understanding of Internet and security technologies. These certifications are good to pursue for individuals who want to stay in the technical field, for example: Network Engineers, Network and Database Technicians, System Administrators, System Architects etc.
The technical certification, adds Anderson, "makes the individual competent technology-wise, but necessarily does not help him grow in his career. Experience-based certifications are the ones which add value toward future growth. The goal here is to not just take the test and pass the exam, but enrich your career through continuous learning and improvement."
To secure multiple certifications, security professionals should first map out a career path for themselves. Specialize based on where you want to be. For example: You are five years into your career as a security practitioner and envision being a chief information security officer (CISO). You then need to look at certifications that will help you get there.
Look for experienced-based certifications like the CISSP, CISM, CISA, CPP, RIMS Fellow (RF), which are most valuable as an individual moves to senior positions, demonstrating not just depth, but breadth of knowledge.
Boot Camps vs. Self Study
Have a career focus while choosing to specialize in multiple areas. "Do not go for a shot gun approach," says Schultz. Enrolling in boot camps can help pass the exam, and is recommended for individuals with solid security experience who basically need to just hone their skills. Boot camps, however, are not helpful for fresh graduates or junior security practitioners, as they only aids in passing the test, present short-term memory and do not reflect absorption of principles in key security domains. "Purchasing a good study book and spending six months or so learning the material and principles is what goes a long way," adds Schultz.
Usually boot camps cost varies from $2,000-$3,500 for most technical and experience-based certifications, and training time duration varies anywhere from 3-5 days. Self study on the other hand is cheaper, but time-consuming and requires planning and discipline.
Take a Layered Approach
"Security practitioners should take the certification in steps," maintains Anderson. For example, if you are already CISSP certified and want to specialize in audits and take up CISM certification, then first get into the desired job role and become acclimated with the job function requirements. Learn while you work; then get the exam details and necessary paperwork completed. Submit them with the required authorities and set a timeline based on which you can decide to give the test. A good practice is to gain a broad certification like the CISSP while still in school or early in the security profession, and then gradually get a specialized certification based on job function and future goal.
Seek Management's Support
Mention to your organization's management team about your career goal and where you envision being. Discuss with them and see how you can balance work and take out time to study. "Most employers today are extremely supportive, as they clearly see the value addition in employee education and certification," says Schultz.
"Our organization will reimburse an employee for the fees associated with passing their certification exam, but we do not pay for boot camps or other training camps associated with the exams," says Wheeler. "We have had many individuals successfully take and pass the CISSP and other exams through independent study."