Which Accreditations and Certifications Do Information Security Professionals Really Need?
One of the most difficult parts of recruiting information security (infosec) professionals has to do with accreditations and certifications.
Oftentimes, hiring managers want individuals who have every certification under the sun because they feel this creates credibility and ensures knowledge in a candidate. In turn, IT security professionals often obtain numerous certifications in an effort to make their resumes float to the top of the stack.
The question naturally becomes: what do you really need?
For Human Resources and Hiring Managers
Between infosec certification programs such as the ISC(2) CISSP, the 24 SANS GIAC certification programs, and vendor-specific certifications like Symantec's, there are currently over 50 options.
To determine the value of infosec certifications, infosecleaders.com conducted a survey of information security professionals. Of the 1349 respondents, 52% either currently hold or once held the CISSP certification. This is by far the most popular and most frequently obtained infosec certification.
Requiring or even requesting multiple certifications for any job opening adds boundaries that restrict the potential labor pool. Moreover, since many IT hiring managers suggest that the difficulty in hiring information security professionals usually comes down to job location or pay, any additional parameter makes the IT security recruiter's job that much more difficult.
Given the tight labor pool for IT and information security professionals, hiring managers may want to consider well-qualified candidates who offer the necessary skills, values, and behaviors. Then, as an added incentive, they can offer company-sponsored certification options to make the compensation package more attractive.
For InfoSec and IT Professionals
Even though 76% of survey participants agreed (28% strongly, 48% somewhat) that certifying bodies offer certifications to market their organizations and advance their brand, these security management professionals still felt it was important to have them.
Specifically, 51% of non-certified respondents agreed that not having a certification restricted their career, while 77% of certified participants thought it provided them greater access and 74% felt they had a competitive advantage over non-certified candidates. Additionally, over 80% of IT security professionals indicated that, because of their skills, they are entitled to better pay than database administrators, system administrators, and software engineers.
Based on these responses, some might feel that one of the biggest drawbacks of the certification process is that it can create a false sense of security, as well as perpetuate the sense of entitlement that developed in the early days of information security, when infosec professionals were rare.
Instead, infosec professionals might want to focus on developing the right combination of experience, education, and talent. For some, this just might make certification irrelevant.