Some security professionals have begun to question the
value of their most highly-valued certifications as more and more
people pass those tests.
Many employers, however, still look for those certification
letters on CVs as a way to screen applicants, said Peter
Stephenson, an IT security consultant at Eastern Michigan
University's Center for Regional and National Security.
Stephenson, a security manager and computer forensics
investigator for nearly 20 years, was laid off from a job in 2002.
He posted two CV's, one which noted he had a Certified Information
Systems Security Professional (CISSP) certification and one which
did not. As a result he found that many more companies responded to
the CV with the CISSP certification.
Even though the certificates were helpful in his case,
Stephenson said, professionals do have legitimate concerns about
them.
"This is a veritable soup of training and certification
opportunities, many of which are ill defined, except for the part
about the price," said Stephenson. "The problem is the
certification companies have turned it into such a money-grab that
the credibility of some of these certifications are starting to
slip."
Computing Technology Industry Association (CompTIA), which
offers the security+ certification, defended certifications as a
way for hiring managers to evaluate employees. CompTIA often
receives feedback from IT workers who say certification has helped
advance their careers, said Gene Salois, vice-president of
certification at CompTIA.
"Certification is the capstone for learning, since it validates
that learning has occurred," Salois said. "The skill benchmark
provided by certification is often used as a criterion for
hiring."
High-level security certifications can provide value, especially
for consultants trying to sell their services to customers, said
Joseph Popinski, director of network security consulting with
Information Engineering.
"Walking in the door with these certifications establishes you
as an expert in your field," said Popinski.
But Popinski also said he was concerned that more and more
security certifications do not require much professional
experience.
Stephenson agreed that many certifications are easy to obtain.
For example, a former stock broker, received a network security
certification by reading a book, and others with little practical
experience attend intensive "boot-camp" courses, then pass
certification tests, he said.
Stephenson agreed that certifications can also provide some
benefits.
Certifications that require holders to take continuing education
classes and require work experience are especially valuable, he
noted, and some companies require security professionals to get
certifications before they can work on some types of equipment.
Stephenson also noted that employers use them as filters for
hiring, certification companies make money and professional groups
such as CSI get people to come to their conferences for continuing
education credits.
"Every one of these certifications has a potential place in your
career path," he said. "You, who spend the money and take the
course, might actually see some benefit."
Grant Gross writes for IDG News Service