In a recent article, Kevin Beaver presented a good overview of the pros and cons of certifications, like the Certified Information Systems Security Professional (CISSP) and Certified Secure Software Lifecycle Professional (CSSLP). This article and others share a common thread: that a good professional resume matters more than a few letters behind your name. I think most certified professionals would agree … to a point. I've been a CISSP since the certification began back in 1993, and I want to explain why certification is a good idea for most people in the security business.
I'd like to start by debunking the most popular myths about the CISSP certification.
- If you can pass a test, you can get certified. Not true.
- Professional certification is primarily a "badge of honor." Not true.
- Nobody relies on a certification to make a hiring decision. Somewhat inaccurate.
Let's take these in order.
If you can pass a test, you can get certified. There are certainly some product-specific certifications that might be test-based; however professional certification is a different matter. Both the CISSP and the new CSSLP require applicants to submit a resume that describes their experience in the field for five or four years, respectively. This experience must be detailed and endorsed by another professional who can talk with supervisors or co-workers to validate the experience.
Candidates must also agree to abide by a code of professional ethics and then pass a test that is one of the most difficult in the industry today. Afterward, certified professionals must enter a continuous learning process to maintain their certification. People can take the test right out of school, but they would then be called "Associates" -- not certified professionals. Anyone who lies about their experience or who fails to abide by the code of professional ethics can be decertified by (ISC)2.
Professional certification is primarily a "badge of honor." Around the world, certification is a very common way to differentiate between practitioners and professionals. In the United States, you can hire a plumber to do your taxes each year, but large corporations don't hire plumbers to certify their annual financial statements. Compare the CISSP or the CSSLP to the CPA certification used for accountants, and you will have a better understanding of the process.
The CPA certification could be considered just another "badge of honor," but it means more to the accounting professionals who attain it. My father was a CPA, and I remember the work he went through to get and keep his certificate: studying for months to take the test, taking classes each year to keep current, paying maintenance fees and staying out of trouble.
Like him, I consider my certification a prerequisite to practicing as a professional in my field. It doesn't classify me as an expert; rather, it shows that I meet a minimum standard of competence. I don't like to broadcast my experience or skills to the world whenever I speak in a group. I would rather not spend time explaining how I learned my trade each time I meet someone new. Instead, I hang a few letters after my name so that people will be less skeptical when I give advice on a topic related to the field of information security. For me, this has been an easy way to differentiate myself from the hacks in this business.
Nobody relies on a certification to make a hiring decision. Nobody should ever rely on a single certification to make a hiring decision, but having a certification makes it easier to get the interview. We see it in want ads that say "CISSP preferred." It's also true that many security professionals are hired by someone who has little security experience, like a CIO, CTO or operations manager. In these cases, professional certification and a college degree are two of the most important credentials you can offer to employers. If your resume has 60 seconds in front of a decision maker, how will you differentiate yourself from the other practitioners out there? Certification definitely helps.
The industry value of security certification
There is one thing that most skeptics miss when talking about professional certifications like the CISSP or CSSLP: There is a value to the entire industry when we develop a new, independent professional certification. The certification process established a baseline standard for quality across the industry. After working in the business for a few years, we all start to wonder how we can make things better for the next crop of new entrants into our field. In that regard, we must look beyond our own personal interests to those of the industry at large.
We all know that quality requires standards and repeatable processes. Where do those standards come from, and how are those repeatable processes promulgated to organizations that haven't used them before? We could rely on the free market, but it would help if we could assemble a group of experts and define the most effective practices as a basis for ongoing research, like we did with the CSSLP, for example. Our work produced a common framework for further research and is helping to standardize what it means to develop more secure software. During the process, we were able to start moving the industry toward a comprehensive set of standards and metrics. It won't happen overnight, but it will happen.
We also realized that certifying individuals would help spread the knowledge more quickly than merely certifying organizations or processes. If you certify an organization or a process, it's hard for others to innovate. Alternate methodologies may not become recognized, regardless of their effectiveness. However, by certifying people, those people can move into organizations that have never implemented security before and can improve the overall skill set directly inside those organizations. By setting a minimum bar, we have also improved the ability of any organization to know if their local "software security expert" is really at a level required to meet industry standards.
When all is said and done, I think we will find that certification helps to improve the professionalism and quality of security throughout the industry. At the same time, I am happy to agree with Kevin Beaver that professional certification is a tool, and that anyone who wants to become certified should use the process as a way to constantly improve their skills. Doing so is the best way to make the profession and the industry better over time.
About the author: Jim Molini, CISSP, CSSLP, has more than 22 years of experience in the field of information security, including extensive experience in system and software security, intrusion detection and risk management. He is currently a senior program manager in Microsoft's identity and security division. He has also worked in government and the private sector, including stints as CEO of Hyperion Inc., vice president of data security at First USA Bank, and as computer security coordinator for NASA's space shuttle flight software development team. He writes and speaks internationally on information security topics and currently sits on the (ISC)2 Advisory Board of the Americas.