I get asked from
time to time “what is the value of a certification”. The context
is industry certifications specific to the information security field
of study... so think: CEH, CISSP, GIAC certifications, OffensiveSecurity certifications (OSCP, OSCE, OSWP, etc) and the like.
Questions regarding value, industry recognition and level of effort
required to obtain said certifications often come up. As my previous blog posts suggest, I am currently teaching a SANS class, SEC542, and
this very concept was brought up during our first class which in turn
made me think about it, specifically if certifications really matter
in the information security realm.
Personally I hold
several GIAC certifications and the CISSP along with a couple of
college/university degrees. I know many folks in my industry that do
not have any of the same credentials as I yet are orders of magnitude
better at what they do than most myself included. Talking numbers in
terms of salary I can say we are on par, some of my peers with no
college background and no certificates earn more than I do and others
a bit less; that's just the reality. From a hiring perspective I can
say personally that college education/degrees and these industry
certifications don't make or break the deal for hiring a candidate
nor do they differentiate between “qualified” or not.
The reality is that
I am not currently solely responsible for hiring, and that value,
just as beauty, is in the eye of the beholder. Often times companies
will require that a candidate have a bachelor's degree as a matter of
course while certificates are “nice to have” but not usually
required. The value of a certification in this case could mean more
leverage at the bargaining table or standing out amongst the other
applicants. The perception of value regarding the certification
process is that folks holding the certificate are thought to have
demonstrable knowledge in their field and their superior knowledge
comes with a price tag or prestige tag as the case may be. Which
certificate is right though?
There are a
multitude of different certifications to choose from in the
information security industry, some with more clout than others. The
process of becoming certified usually comes in the form of paying for
and taking a class (although NOT always required), paying for and
taking a certification exam and scoring high enough on the exam to
get a passing grade and thus becoming certified. The re-certification
process, since these types of certification do expire usually in an
amount of time measured in years, consists of paying a fee and or
submitting credits to show continuing education in the same field of
study.
Let's quickly break
it down based on what I have been through:
The CISSP exam is
closed book, memorization oriented, mile-wide – inch deep. Lots of
information to take in; my 3,231 page “Information Security
Management Handbook” 6th edition sums up that concept
nicely. However when it came time to take the test it was mostly all
common sense (in my opinion, based on my experience). The type of
common sense that one has after being in the industry for 5+ years
gaining critical experience.
SANS GIAC
certifications are open book and seem to test on how well the test
taker knows the material. The way to “know the material” is to
have hands-on experience with the tools, know what you are looking
at, how to interact with the subject media or target environment as
the case may be and is centered on specific course material like
forensics or penetration testing.
At the end of the
day deciding on whether or not to get certified and which
certification is right for you can come down to where you are in your
career and where you want to go. Folks without a minimum of four
years of experience are dissuaded from taking the CISSP while signing
up for the GCFA exam without any forensic experience is setting
yourself up for failure. Take your time and understand your current
work environment to learn if earning a certification is something
your current employer will pay for or will help you to earn more.
Sometimes having the piece of paper counts.
Food for thought:
