If you determine that information security certifications will help your career, which ones should you take? What is the right order? In Part 1, I introduced this topic. In Part 2, I suggest you do some research and sleuthing before embarking on a certification exercise.
Information security certifications span many categories including general, technical, or audit/risk-oriented. TechTarget’s IT Security Certification Guide helps people sort through the large, growing number of certifications. Ask ten different, private sector (the government sector requires a separate, dedicated post) information security professionals which certifications are important, and you will get ten different answers. Some technical certifications are powerful. If that is your cup of tea, the question is which ones do you need? The answer is it depends on your current or desired role, plus your career trajectory. SANS has a list of 20 Cool InfoSec & Cybersecurity Jobs, including Forensic Analyst, Prosecutor Specializing in Information Security Crime, CISO, and Security Maven in an Application Development Organization.
If you are looking for a new job in information security, it should not be a guessing game to figure out which certifications to pursue. One strategy for making your next career move is to actively target and profile the organization, plus the specific job requirements. Here is a start:
- What are the top ten employers in your preferred geographic location, or job-hunt target market? Search on LinkedIn to identify any contacts you may have at these organizations. Or you may simply need to contact a different group in your current organization.
- Once you have a target list of companies or organizations, and have made some contacts. Ask very specific questions about current or upcoming job openings. Ask about the skills or certifications that are desired or required by the hiring manager.
- Is there a nearby OWASP or ISSA chapter? Members often know about job openings before they are posted, and will sometimes announce posted jobs at meetings. They could also give you insight into the specific tools or certifications you will need.
When it comes to understanding the profile of an ideal candidate, there is a gap between the recruiter and the hiring manager. Hiring managers are typically more interested in experience; but recruiters are drawn to certifications. This bifurcation is characterized in the July 2009 Booz Allen report, Cyber IN-Security, Strengthening the Federal Workforce, as the presence of “A disconnect between hiring managers and human resources specialists. Frontline managers are consistently less satisfied with the effort to hire cybersecurity talent than their peers in human resources.”
The February 2014, Ponemon Institute study, Understaffed and at Risk: Today’s IT Security Department, indicates 59 percent of respondents say professional certifications and degree programs are rewarded. The report also notes, “On-the-job experience and professional certifications make the biggest difference when hiring a security practitioner. Most job recruiting takes place at conferences.” Ideally, a candidate has a degree, experience, and certifications. Just to add comic relief, here is a comment from a LinkedIn posting of Part 1: some of the best attackers are high school kids, hacking into systems set up by people with certifications, experience, and advanced degrees.
In John Hale’s article on 15 Top-Paying Certifications for 2014, he reports on a survey (he did not publish how many people were included, or his methodology) and states that Certified in Risk and Information Systems Control (CRSIC) topped the list with a mean salary of $118,253. Certified Ethical Hacker (CEH) ranked ninth on the list with a mean salary of $103,822. Certified Information Systems Security Professional (CISSP) did not have enough respondents; but he indicated the average pay is $114,287. Note that this is not vendor-neutral, and is essentially marketing for his firm that offers certification training.
Certifications are not for everyone. Talent and experience trump certifications, especially if you are already established in your career. It also depends what your career goals are. The 2014 worldwide CheckMarx Information Security Salary report indicates 90% of CISOs have certifications. The January 2014 Wall Street Journal article, New Cyber Threats Juice Pay for Security Chiefs, states that in the higher-paying financial services industry, “CISO salaries have grown between 50% and 100% over the past couple of years. Given the heightened demand, CISOs can command salaries ranging from $350,000 to $1 million per year.”
Some people believe certifications are not worth the paper they are written on. To quote one of my favorite bloggers, Daniel Miessler, "Certifications don’t have any inherent value. They’re worth precisely as much as people value them. If employers are asking for them at places you want to get hired, they matter. If the places you want to get hired don’t care at all about them, they don’t have value there. It’s that simple."