[ISN] Employers want security certifications

From: InfoSec News (isn@private)
Date: Thu Nov 06 2003 - 01:22:23 PST


    Forwarded from: William Knowles <wk@private>
    
    http://www.nwfusion.com/news/2003/1105seccert.html
    
    By Grant Gross
    IDG News Service
    11/05/03
    
    Peter Stephenson, an IT security consultant, says he wouldn't bother 
    getting a security certification unless it helped feed his family. In 
    his case, it did. 
    
    Some security professionals have begun to question the value of their 
    most highly-valued certifications, as more and more people pass those 
    tests, said Stephenson, a consultant at Eastern Michigan University's 
    Center for Regional and National Security, during a presentation at 
    the Computer Security Institute's (CSI) Computer Security Conference 
    and Exhibition in Washington, D.C. 
    
    Many employers, however, still look for those little certification 
    letters on resumes as a way to screen applicants, he said.
    
    Stephenson, a security manager and computer forensics investigator for 
    close to 20 years, didn't pay attention to certifications until 2002, 
    when he was laid off from a job. He then decided to seek 
    certifications because headhunters weren't calling, even with his 
    years of experience. At one point after taking the Certified 
    Information Systems Security Professional (CISSP) certification in 
    2002, he posted two versions of his resume on the Internet, one with 
    the CISSP certification listed and one without. The CISSP resume 
    generated several calls from employers; the second resume, even with 
    all his experience listed, generated no calls, he said. 
    
    Even though the certificates were helpful in his case, Stephenson 
    said, professionals do have legitimate concerns about them.
    
    "This is a veritable soup of training and certification opportunities, 
    many of which are ill defined, except for the part about the price," 
    Stephenson said. "The problem is the certification companies have 
    turned it into such a money grab that the credibility of some of these 
    certifications are starting to slip." 
    
    A representative of CISSP vendor International Information Systems 
    Security Certification Consortium wasn't immediately available for a 
    comment on Stephenson's talk, but the Computing Technology Industry 
    Association (CompTIA), which offers the Security+ certification, 
    defended certifications as a way for hiring managers to evaluate 
    employees. CompTIA often hears stories from IT workers who say 
    certifications have helped advance their careers, said Gene Salois, 
    vice president of certification at CompTIA. 
    
    "Certification is the capstone for learning, since it validates that 
    learning has occurred," Salois wrote in an e-mail. "The skill 
    benchmark provided by certification is often used as a criterion for 
    hiring." 
    
    Stephenson's comments also generated a healthy debate among the 
    security professionals attending his presentation.
    
    "What do we get for our money here?" asked Terri Curran, director of 
    sponsored research and information security officer at the 
    International Institute for Digital Forensic Studies, based in 
    Weymouth, Mass. 
    
    High-level security certifications can provide value, especially for 
    consultants trying to sell their services to customers, answered 
    Joseph Popinski III, director of network security consulting with 
    Information Engineering, based in Huntsville, Ala. 
    
    "Walking in the door with these certifications establishes you as an 
    expert in your field," said Popinski, whose resume includes the CISSP 
    and the Certified Protection Professional certifications. 
    
    But Popinski also said he was concerned that more and more security 
    certifications do not require much professional experience. "I want to 
    make (certification) a goal to strive for," he said. 
    
    Stephenson agreed that many certifications are easy to obtain. One 
    acquaintance of his, a former stock broker, received a network 
    security certification by reading a book, and others with little 
    practical experience attend intensive "boot-camp" courses, then pass 
    certification tests, he said. "They join that elite bunch of security 
    professionals known as CISSPs, and those of us who've been in this 
    business for more years than I like to think about, we get to stand 
    right next to those people in front of employers, and it becomes a 
    crap shoot as to who's going to get the job," he said. 
    
    Stephenson agreed that certifications can provide some benefits. 
    Certifications that require holders to take continuing education 
    classes and require real-world experience are especially valuable, he 
    noted, and some companies require security professionals to get 
    certifications before they can work on some types of equipment. He 
    pointed to certifications from the SANS Institute as especially 
    relevant for technicians and engineers. 
    
    Stephenson listed many other benefits of certifications, mostly for 
    people other than those who are already certified. Employers use them 
    as filters for hiring, certification companies make money, 
    professional groups such as CSI get people to come to their 
    conferences for continuing education credits, and sellers of ink 
    benefit as resumes get longer, he said. 
    
    "Every one of these certifications has a potential place in your 
    career path," he said. "You, who spend the money and take the course, 
    might actually see some benefit." 
    
    
     



    This archive was generated by hypermail 2b30 : Thu Nov 06 2003 - 04:24:54 PST