Afew years ago we published an article on security related certifications that were being marketed as a means to advance your career. At that time there were a relatively small number of certifications that we were seeing listed on resumes. Today, we are still routinely asked which certifications are needed for career advancement or which ones are being requested by hiring managers. Frankly, unless the role has a specific requirement that connects to one of the more technical certifications, for the most part, the hiring authorities are not demanding them.
As an industry we have not done a very good job of defining the various security job functions in a realistic fashion. Further complicating this is the arbitrary and capricious nature of the position descriptions published by security professionals when they are looking for staff. We continually see requirements in position listings that have no relevance to the role they are recruiting for. This makes it more difficult for the certifying authority to identify which body of knowledge they will measure. In addition, it appears that there has been an increase in the popularity of organizations creating a certification as a part of a marketing strategy for membership and mailing lists.
This past month, we undertook a study to try and identify how many certifications where available that were related to security-based activities. We did not include those that are developed and issued by companies relating to their products such as Microsoft Network Engineer or Linel Certified Expert. Thus far we have located 117 different certifications issued by 46 separate organizations. To further break this down, we categorized them into three areas: 67 security generalist activities; 15 crisis/continuity/disaster recovery activities; and 35 cyber and technology related. The next step would be to look at the marketplace and the demand. Unfortunately the only one that we were able to find information on to compare client requirements versus certification “mentioned” was the CPP issued by ASIS International. While the CFE, CISM and CISSP were commonly requested in the fraud and IT listings, we were not able to quantify and measure the frequency against the public job posting. In 1999, we estimated that the CPP was mentioned in a job posting 2.4 percent of the time. Last year that had grown to 5.1 percent and again this year through October to 5.5 percent. We analyzed this across a wide range of security roles from CSOs to site managers, so it appears that only a small number of professional-level security jobs consider it as a factor for consideration. Therefore going back to the original question regarding advancing your career, it suggests that the answer is: “It depends on the role.”
There is no silver bullet when it comes to advancing your career. Most organizations seek to fill positions with qualified individuals who have a record of accomplishments in the security management focus area of the position being filled. In addition, organizations like to hire people who they believe will fit into the organization’s culture and who can best engage effectively with the managers and individuals with whom they will need to interact. The higher up the career ladder you progress, the more true this becomes. Do you see the world’s leading organizations require their “C” level executive to be “certified” in a particular field? How often have we seen organizations recruit senior-level government executives to head security organizations? Are they any less capable leaders because they don’t have a particular certification? Certifications were designed to measure someone’s knowledge in a specific practice area. These tended to be in relatively narrow areas of expertise and also required a specified level of continued education to maintain the certification.
Our recommendation is to choose your educational and certification programs carefully. Ensure that the program has clearly defined course material and test objectives that realistically measure relevant knowledge in a given practice area. For those candidates in the beginning or mid-point of their career, certifications can help set you apart from other candidates; however, no certification is an indication of your ability to lead a program at a senior level of management, and any such claim is misleading. Having a lot of initials following your name will not advance your career if you cannot demonstrate a record of accomplishments, maturity, competence and a wide range of interpersonal, non-technical skills to a hiring authority.