Do Certifications Separate Wheat from Chaff?

The emphasis on security in the enterprise has companies scrambling to beef up their teams or turn to outsourcers. But with so many newcomers claiming to be security experts, IT managers are looking to security certifications as proof-positive of a person's skills.

''When these people are going to be put in charge of auditing or compliance for an organization, you need some measurement of their skills,'' says Joanne Kossuth, CIO at Olin College, a small university in Needham, Mass.

Constrained by tight budgets and limited human resources, Kossuth is looking to outsource her expanding security needs. ''Small to mid-size organizations are having a rough time having security professionals on-site and on staff,'' she says. ''But you have to know that what you're getting is better than what you have.''

Whatever outsourcer she contracts with, Kossuth says she'll be looking for certifications, including the industry's three main vendor-neutral offerings: the SANS Institute's Global Information Assurance Certification (GIAC), the ISC2's Certified Information Systems Security Professional (CISSP), and CompTIA's Security+. Kossuth holds the GIAC certification herself.

Tara Manzow, product manager for the skills development department at CompTIA, says Kossuth is not alone in relying on certifications to seek out security professionals. In fact, she says the increase in regulations, such as the Health Insurance Portability and Accountability Act and Sarbanes-Oxley, is forcing companies to rethink the capabilities of their security teams.

Manzow points out that the top security problems are a result of human error. ''The number one mistake companies make is not having their staff certified,'' she says.

According to Manzow, more than 17,000 people will gain the Security+ certification this year. She calls Security+ a foundation for technician-level jobs. IT personnel who get the certification are certified for life.

Tom Gonzales, senior network administrator at the Colorado State Employees Credit Union in Denver, puts stock in the SANS GIAC, which he says is great for IT managers focused on strategy because it offers a broad knowledge of the industry. He is a big fan of the practical assignments that GIAC holders had to complete. However, the SANS Institute this week announced those practicals are no longer necessary for certification.

But Gonzales is skeptical of broad-based certifications overall, including the CISSP, which he holds.

''Certifications aren't as special as they once were. I would take the guy who has the knowledge to manage security networks over someone who has the certification,'' he says.

Joel Snyder, a security expert and senior partner at Opus One, a consultancy in Tucson, Ariz., shares Gonzales' wariness of certifications.

''It's not the way to delineate your security expertise,'' says Snyder. ''Hands-on experience is so much more important and so critical.''

For instance, Snyder says being able to ''parrot'' a security model learned academically is no match for having written a security policy and then had to argue for it inside a corporation.

Critics of vendor-neutral exams say the information presented can appear out of date. ''Just like a standards body, certification organizations are too slow to change,'' says Andreas Antonopoulos, senior vice president and partner of Nemertes Research in New York.

He says people are tested on things such as mainframes. ''They have a fuddy-duddy flavor to them and the information may not apply to the growing enterprises of today,'' Antonopoulos says.

However, he admits that they do provide a common language for security experts. ''It's a matter of standardization and showing that you use the same terminology I do. But I would not assume it to mean that you know how to deal with today's technologies.''

Gonzales predicts the certification organizations will begin to go more in-depth with their programs, homing in on newer technologies, such as intrusion prevention and detection, with a wider variety of tests.

Experts say such tests already exist from vendors such as Cisco and Check Point Software, but they carry the stigma of being tied to specific products rather than to vendor-neutral knowledge.

Barbara Vibbert, manager of training and certification at Check Point, says if companies want their employees to have access to the latest technology education, vendors have the resources to constantly update their testing programs.

Check Point offers several security certifications for various job levels, including the Check Point Certified Security Administrator, the Check Point Certified Security Expert and the Check Point Certified Security Expert Plus. She says these programs range from administration to implementation to troubleshooting.

''Vendors have a vested interest in keeping their certificants on the cutting edge,'' says Vibbert.