Certifications can be one way to evaluate security
consultants, but opinions vary as to their value.
The CISSP carries weight and can eliminate
some of the "riffraff," says Paul Fistori, vice president of
channel sales and strategic partners at security vendor Vericept.
Depending on the work, Global Information Assurance Certifications
and some vendor certifications can be important, some consultants
say.
As a CISSP, Joseph Granneman, CTO/CSO of Rockford Health System,
looks for that credential. However, it "covers so much, I don't
know if you can use it other than just an initial qualification,"
he adds.
Rhonda MacLean says that when she worked at Bank of America, she
didn't get hung up on whether consulting candidates had security
certifications. Rather, she wanted to make sure she was comfortable
with their level of experience and that they were suited for the
job.
"When you pay a consultant … you're looking for someone who is
seasoned and can hit the ground running," says MacLean, who now
runs a consulting firm.
Outside of routine tasks,
certifications are probably among the weakest criteria to use
in judging whether someone is qualified for a security project,
says Jon Gossels, president and CEO of consulting firm
SystemExperts. "The trouble is that they tend to be relatively
low-level or journeyman certifications," he says. "There's no
certification that says security expert."
Aric Perminter, partner at Secure Technology Integration Group,
advises: "Don't let certifications be a show stopper to hiring a
contractor. Let real-world experience be a key driver."