CISSP cert can boost your security career, but not your salary

UK firms looking to hire security professionals are using the CISSP certificate to filter CVs, but recruitment companies say that even though it might enhance your career through credibility, it no longer translates into a higher salary.

When Cheryl Hennell, a senior lecturer at the University of Portsmouth, decided to pursue her Certified Information Systems Security Professional (CISSP) accreditation, she thought it would ground her 20 years of mostly academic experience and help her pursue work in the private sector. But even with high expectations, she has been surprised at all the CISSP certification has brought to her career.

Soon after gaining her certification she began speaking to business groups and is now flooded with speaking invitations and consulting offers. "The CISSP added to my doctorate and allowed me to be taken seriously which would not have been accomplished without the certification," she said. "Now businesses are contacting me to come out to do training to educate their staff. The invitations are coming thick and fast."

Hennell has joined 2,700 others in the U.K. who have obtained the CISSP certification, one of the few vendor-neutral, internationally recognized security certifications to gain a following here. With the growing focus on security in the U.K., certifications, and particularly the CISSP, are becoming an increasingly important qualification for security professionals.

"Human resource departments use the certification as a filter," says Iain Sutherland, managing director of Information Security Solutions, a London-based IT recruiting firm. "They will often check CVs for CISSP certifications. If you don't have it, you won't make the cut."

Security professionals have taken note. In 2004, 1,220 security professionals in the U.K. held CISSP certifications, according to the International Information Systems Security Certification Consortium Inc., which maintains the CISSP. The number has more than doubled in the past three years. More certifications have been awarded in the U.K. than in any country in the European Union. That is due in part to highly publicized security breaches in the U.K. that have made businesses take security more seriously, said John Colley, managing director for Europe, the Middle East and Asia for (ISC)2. International firms have to cope with regulations in other countries like Sarbanes-Oxley in the United States or Basel II in the European Union, which each have rigorous security requirements. As a result, security has risen up the corporate agenda. "The CISSP tells employers that you have a certain level of knowledge and experience and you prescribe to a code of ethics," Colley said. "Employers don't have to worry about the technical stuff."

A decade ago there was a small enough pool of security people that hires were made by word of mouth, said Fred Piper, director of information security at Royal Holloway, part of the University of London and based in Egham. But that has changed. As security has risen up the corporate agenda, the pool of security professionals has grown. Employers need more than word of mouth to trust that someone is knowledgeable and competent. The CISSP has given employers an independent assessment of skills that they can trust and has helped to break down the old boys' network that once dominated the industry, Hennell said.

Brian Shorten, an IS risk manager at London-based Cancer Research U.K., said the certification has gone from a curiosity, back when he got his certification in 2000, to a requirement for many positions. In a growing field that is drawing in lots of new talent, and one where mistakes can be very costly, it assures potential employers that candidates have a certain baseline of knowledge. "I started two jobs where they had just gone through a bad audit," Shorten said. "My employer knew that I had a standard body of knowledge and I could just get on with it."

When Shorten hires people for jobs now he says that if they do not have a CISSP he expects them to begin focusing on obtaining the certification within six months.

CISSP certification average salary

But even with the certification quickly becoming a necessary part of any security professional's CV, the CISSP does not usually translate into any increase in salary. Sutherland says that a CISSP may allow candidates to apply for more senior positions but that employers do not give bonuses for acquiring the certification or better salaries to those who have it. Certification may often be a part of a professional development plan and if employees fail to get it they may find themselves penalized.

In fact, as the certification becomes more widespread, it appears that salaries are actually falling for those with it. According to IT Jobs Watch, a website that tracks IT job postings, the average salary in job postings requesting a CISSP certification fell by 4.7% between the fall of 2006 and 2007, from 53,971 pounds per year to 51,429 pounds per year.

Nonetheless, demand continues to grow, said Richard Nwanze, managing director of Net-Security Training, the largest independent test preparation firm for the CISSP based in Middlesex. Every year he prepares more and more students to take the grueling 6-hour exam. It's so popular that he says he often has to explain to those just entering the job market that they need five years of job experience to become fully certified. "Even when we explain how hard it is, that still doesn't deter some people just out of university," he said.
