Employers want to see passion for a job, not just an industry certification and educational degree.
In a session titled 'Information security certifications – do they still provide industry value?' at the RSA Conference in San Francisco, a crowd of around 250 delegates were asked how many had some sort of industry certification, which the majority did, while a third said that theirs had lapsed. Asked how many had the CISSP certification, around three-quarters raised their hand.
In a debate on which has the greater value: an industry-recognised certification or a university degree, Richard Moore, vice president and senior information manager at RBS Citizens, said that there is more value with a degree than a vendor certification, as an undergraduate will be more experienced in working with people and there would be more value for the business line.
Andrew Ellis, chief security officer at Akamai Technologies, said: “We want to understand someone who understands what they are doing. We are looking for people with highly technical degrees and bring them into security.
“We look at certificates, if they have them they say 'with this, this person is qualified to practise with quality', but then if a practitioner has a certificate such as CPA, that is the most common reputational certificate. The challenge is as those who have them grows, so it becomes the bottom bar and it carries the reputation of the lowest person who owns that certification.”
Hord Tipton, executive director of (ISC)2, said that some certifications can be achieved through high standards and some by spending one to two hours on a webcast. “A CISSP is not a silver bullet and while it is extremely popular, some people do not understand the differences between certifications and are likely to have both a PhD and an industry certification. You may like people to have both but your choice depends on the job and how smart a person you need. You cannot judge or pick by certificate.”
Jennifer Jabbusch Minella, CISO at CAD, said that people are certified now for competency and not for a job title.
Tipton said: “There is one thing we all have to deal with – risk. The management controls what happens to a certain degree but you cannot, they don't care what level of certificate you have, and you can configure the network and firewall but if an employee messes up against policy, you shouldn't be accountable.”
Asked by an audience member what is wrong with the current system, moderator Thomas Stamulis, regional director at Verizon, said that this is a question of where money is spent and where you get value, as this is an opportunity to see what provides the most value.
Jabbusch Minella said: “I work with all types of organisations and I end up being an intermediary between technical and management and often, the CISO has no technical background and dealing with these people frequently, it ends up being a problem. There is a need for this, I have seen it in industry and it is something that we have to address, but we also need to fix the problem with incompetent people protecting public information.”
Another audience member said that the value of a certification shows that an individual has dedicated time and money to their profession. Jabbusch Minella said: “I think it is fair to say that whatever certification you have, someone has a flaw with it. I've been vocal on it and work with vendors on process and understand what goes into it, and when the value is not right, what do you do if it is not adding value? So I stepped in and said 'let's take feedback'.
“You always pay to play, and engineers say 'can they pass and have perseverance' and if the answer is yes, you don't need the CISSP. If you care and be passionate to do that, it means something to me.”
Tipton said: “Credentials, regardless of the person, have to evolve and meet the communities out there, and I've been associated [with (ISC)2] since 2004 and we look at the questions and change them every quarter and review it every year, and it has stood the test of time, but I wouldn't want to take it again.”
Ellis said: “We look for indicators of passion, if you're passionate we will look for people who care about something, as they will bring that passion to work.”
Jabbusch Minella said: “Until we have more structure as to what certifications mean, we cannot hold those titles responsible.”