Do Certifications Separate Wheat from Chaff?
With so many newcomers claiming to be security experts, IT managers are looking to certifications as proof-positive of a person's skills. Does that work?
''When these people are going to be put in charge of auditing or compliance for an organization, you need some measurement of their skills,'' says Joanne Kossuth, CIO at Olin College, a small university in Needham, Mass.
Constrained by tight budgets and limited human resources, Kossuth is looking to outsource her expanding security needs. ''Small to mid-size organizations are having a rough time having security professionals on-site and on staff,'' she says. ''But you have to know that what you're getting is better than what you have.''
Whatever outsourcer she contracts with, Kossuth says she'll be looking for certifications, including the industry's three main vendor-neutral offerings: the SANS Institute's Global Information Assurance Certification (GIAC), ISC2's Certified Information Systems Security Professional (CISSP), and CompTIA's Security+. Kossuth holds the GIAC certification herself.
Manzow points out that the top security problems are a result of human error. ''The number one mistake companies make is not having their staff certified,'' she says.
According to Manzow, more than 17,000 people will gain the Security+ certification this year. She calls Security+ a foundation for technician-level jobs. IT personnel who get the certification are certified for life.
Tom Gonzales, senior network administrator at the Colorado State Employees Credit Union in Denver, puts stock in the SANS GIAC, which he says is great for IT managers focused on strategy because it offers a broad knowledge of the industry. He is a big fan of the practical assignments that GIAC holders had to complete. However, the SANS Institute this week announced those practicals are no longer necessary for certification.
But Gonzales is skeptical of broad-based certifications overall, including the CISSP, which he holds.
''Certifications aren't as special as they once were. I would take the guy who has the knowledge to manage security networks over someone who has the certification,'' he says.
Joel Snyder, a security expert and senior partner at Opus One, a consultancy in Tucson, Ariz., shares Gonzales' wariness of certifications.
''It's not the way to delineate your security expertise,'' says Snyder. ''Hands-on experience is so much more important and so critical.''
For instance, Snyder says being able to ''parrot'' a security model learned academically is no match for someone who has written a security policy and has had to argue for it within a corporation.
Critics of vendor-neutral exams say the information presented can appear out of date. ''Just like a standards body, certification organizations are too slow to change,'' says Andreas Antonopoulos, senior vice president and partner of Nemertes Research in New York.
He says people are tested on things such as mainframes. ''They have a fuddy-duddy flavor to them and the information may not apply to the growing enterprises of today,'' Antonopoulos says.
However, he admits that they do provide a common language for security experts. ''It's a matter of standardization and showing that you use the same terminology I do. But I would not assume it to mean that you know how to deal with today's technologies.''
Gonzales predicts the certification organizations will begin to go more in-depth with their programs, homing in on newer technologies, such as intrusion prevention and detection, with a wider variety of tests.
Experts say these tests already exist from vendors such as Cisco and Checkpoint Software, but have the stigma of being associated with specific products rather than neutral learning outlets.
Barbara Vibbert, manager of training and certification at Checkpoint, says if companies want their employees to have access to the latest technology education, vendors have the resources to constantly update their testing programs.
Checkpoint offers several security certifications for various job levels, including the Checkpoint Certified Security Administrator, the Checkpoint Certified Security Expert and the Checkpoint Certified Security Expert Plus. She says these programs range from administration to implementation to troubleshooting.
''Vendors have a vested interest in keeping their certificants on the cutting edge,'' says Vibbert.