Value of credentials debated
WASHINGTON – Peter Stephenson, an IT security consultant, says he would not bother getting a security certification unless it helped feed his family. In his case, it did.
Some security professionals have begun to question the value of their most highly-valued certifications, as more and more people pass those tests, said Stephenson, a consultant at Eastern Michigan University’s Center for Regional and National Security, during a presentation at the Computer Security Institute’s (CSI) Computer Security Conference and Exhibition in Washington, D.C.
Many employers, however, still look for those little certification letters on resumes as a way to screen applicants, he said.
Stephenson, a security manager and computer forensics investigator for close to 20 years, did not pay attention to certifications until 2002, when he was laid off from a job. He then decided to seek certifications because headhunters were not calling, even with his years of experience. At one point after taking the Certified Information Systems Security Professional (CISSP) certification in 2002, he posted two versions of his resume on the Internet, one with the CISSP certification listed and one without. The CISSP resume generated several calls from employers, the second resume, even with all his experience listed, generated no calls, he said.
Even though the certificates were helpful in his case, Stephenson said, professionals do have legitimate concerns about them.
“This is a veritable soup of training and certification opportunities, many of which are ill defined, except for the part about the price,” Stephenson said. “The problem is the certification companies have turned it into such a money grab that the credibility of some of these certifications are starting to slip.”
A representative of CISSP vendor International Information Systems Security Certification Consortium was not immediately available for a comment on Stephenson’s talk, but the Computing Technology Industry Association (CompTIA), which offers the Security+ certification, defended certifications as a way for hiring managers to evaluate employees. CompTIA often hears stories from IT workers who say certification have helped advance their careers, said Gene Salois, vice president of certification at CompTIA.
“Certification is the capstone for learning, since it validates that learning has occurred,” Salois wrote in an e-mail. “The skill benchmark provided by certification is often used as a criterion for hiring.”
Stephenson’s comments also generated a healthy debate among the security professionals attending his presentation.
“What do we get for our money here?” asked Terri Curran, director of sponsored research and information security officer at the International Institute for Digital Forensic Studies, based in Weymouth, Massachusetts.
High-level security certifications can provide value, especially for consultants trying to sell their services to customers, answered Joseph Popinski III, director of network security consulting with Information Engineering, based in Huntsville, Alabama.
“Walking in the door with these certifications establishes you as an expert in your field,” said Popinski, whose resume includes the CISSP and the Certified Protection Professional certifications.