IT professionals question validity of security certification

Some security professionals have begun to question the value of their most highly-valued certifications as more and more people pass those tests.

Many employers, however, still look for those certification letters on CVs as a way to screen applicants, said Peter Stephenson, an IT security consultant at Eastern Michigan University's Center for Regional and National Security.

Stephenson, a security manager and computer forensics investigator for nearly 20 years, was laid off from a job in 2002. He posted two CVs, one that noted he had a Certified Information Systems Security Professional (CISSP) certification and one that did not. He found that many more companies responded to the CV with the CISSP certification.

Even though the certificates were helpful in his case, Stephenson said, professionals do have legitimate concerns about them.

"This is a veritable soup of training and certification opportunities, many of which are ill defined, except for the part about the price," said Stephenson. "The problem is the certification companies have turned it into such a money-grab that the credibility of some of these certifications are starting to slip."

The Computing Technology Industry Association (CompTIA), which offers the Security+ certification, defended certifications as a way for hiring managers to evaluate employees. CompTIA often receives feedback from IT workers who say certification has helped advance their careers, said Gene Salois, vice-president of certification at CompTIA.

"Certification is the capstone for learning, since it validates that learning has occurred," Salois said. "The skill benchmark provided by certification is often used as a criterion for hiring."

High-level security certifications can provide value, especially for consultants trying to sell their services to customers, said Joseph Popinski, director of network security consulting with Information Engineering.

"Walking in the door with these certifications establishes you as an expert in your field," said Popinski.

But Popinski also said he was concerned that more and more security certifications do not require much professional experience.

Stephenson agreed that many certifications are easy to obtain. For example, a former stock broker received a network security certification by reading a book, and others with little practical experience attend intensive "boot-camp" courses, then pass certification tests, he said.

Stephenson agreed that certifications can also provide some benefits.

Certifications that require holders to take continuing education classes and require work experience are especially valuable, he noted, and some companies require security professionals to get certifications before they can work on some types of equipment.

Stephenson also noted that employers use them as filters for hiring, certification companies make money, and professional groups such as CSI get people to come to their conferences for continuing education credits.

"Every one of these certifications has a potential place in your career path," he said. "You, who spend the money and take the course, might actually see some benefit."

Grant Gross writes for IDG News Service