Thursday, July 31, 2014

Information Security Certifications

I get asked from time to time “what is the value of a certification?” The context is industry certifications specific to the information security field of study... so think: CEH, CISSP, GIAC certifications, Offensive Security certifications (OSCP, OSCE, OSWP, etc.) and the like. Questions regarding value, industry recognition and the level of effort required to obtain said certifications often come up. As my previous blog posts suggest, I am currently teaching a SANS class, SEC542, and this very concept was brought up during our first class, which in turn made me think about it, specifically whether certifications really matter in the information security realm.

Personally I hold several GIAC certifications and the CISSP, along with a couple of college/university degrees. I know many folks in my industry who do not have any of the same credentials as I do, yet are orders of magnitude better at what they do than most, myself included. Talking numbers in terms of salary, I can say we are on par; some of my peers with no college background and no certificates earn more than I do and others a bit less; that's just the reality. From a hiring perspective I can say personally that college education/degrees and these industry certifications don't make or break the deal for hiring a candidate, nor do they differentiate between “qualified” and not.

The reality is that I am not currently solely responsible for hiring, and that value, just as beauty, is in the eye of the beholder. Oftentimes companies will require that a candidate have a bachelor's degree as a matter of course, while certificates are “nice to have” but not usually required. The value of a certification in this case could mean more leverage at the bargaining table or standing out amongst the other applicants. The perception of value regarding the certification process is that folks holding the certificate are thought to have demonstrable knowledge in their field, and their superior knowledge comes with a price tag, or a prestige tag, as the case may be. Which certificate is right, though?

There are a multitude of different certifications to choose from in the information security industry, some with more clout than others. The process of becoming certified usually comes in the form of paying for and taking a class (although this is NOT always required), paying for and taking a certification exam, and scoring high enough on the exam to get a passing grade and thus become certified. The re-certification process, since these types of certification do expire, usually after a number of years, consists of paying a fee and/or submitting credits to show continuing education in the same field of study.

Let's quickly break it down based on what I have been through:

The CISSP exam is closed book, memorization oriented, a mile wide and an inch deep. There is a lot of information to take in; my 3,231-page “Information Security Management Handbook”, 6th edition, sums up that concept nicely. However, when it came time to take the test, it was mostly all common sense (in my opinion, based on my experience). The type of common sense that one has after being in the industry for 5+ years gaining critical experience.

SANS GIAC certifications are open book and seem to test how well the test taker knows the material. The way to “know the material” is to have hands-on experience with the tools, to know what you are looking at and how to interact with the subject media or target environment, as the case may be; each exam is centered on specific course material, such as forensics or penetration testing.

At the end of the day, deciding whether or not to get certified, and which certification is right for you, can come down to where you are in your career and where you want to go. Folks without a minimum of four years of experience are dissuaded from taking the CISSP, while signing up for the GCFA exam without any forensic experience is setting yourself up for failure. Take your time and understand your current work environment to learn whether earning a certification is something your current employer will pay for, or whether it will help you to earn more. Sometimes having the piece of paper counts.

Food for thought: