Government // Cybersecurity
Commentary
2/26/2014
12:06 PM
Mark Aiello
Mark Aiello
Commentary
50%
50%

5 Reasons Security Certifications Matter

There's a lot of buzz around how certs aren't important. I'm calling BS, and here's why.

As thousands of cybersecurity professionals converge in San Francisco at the RSA Conference, I thought I would throw my two cents in on the certification debate. To wit, there’s a lot of buzz about the assertion that softer analytics skills matter more than certifications. I’ve even heard people say some security certs detract from a resume.

You know the No. 1 attribute of people claiming security certifications don’t matter? They don’t have any. In my years of experience placing security pros in good jobs, it’s that simple. Having the right certifications matters, and here's why.

1.  You will make more money. The 682 IT security professionals responding to the security cut of InformationWeek’s 2013 U.S. IT Salary Survey are unequivocal: Security staffers holding any security certification (CISSP, CISA, CISM) average $101,000 in total compensation vs. $87,000 for those with no certs. For managers, the spread is $130,000 vs. $121,000. Do you really need another reason?

2. Certs show your commitment to the security field. I know you’re serious about cybersecurity as a career, otherwise you wouldn’t be reading this. But how will a hiring manager know?  Easy -- by scanning resumes to see which applicants are committed enough that they’re willing to spend free time studying and doing homework, often paying for the privilege out of their own pockets. Just 44% of security staffers and 49% of managers in the salary survey expected to get certification reimbursement.

Most of us were not Jeff Spicoli, but admit it, we hated homework as kids. We couldn’t wait to grow up so we could spend our free time (and cash) doing just about anything else. I know a person who burned a full week of vacation and paid for lodging to obtain his Cloud Security certification.  As an employer and a hiring manager, that tells me he wants to become better. He’s the type of security professional that any company would be fortunate to have.

3. Certs make you more attractive to potential employers. Building on the above, obtaining a security certification shows you respect the industry and take pride in your profession. That kind of attitude is contagious. Moreover, it shows you’re smart enough to know what you don’t know and look to improve. It takes gumption to acknowledge that there are areas of one’s professional experience that could use a boost. Team members see this, and it rubs off.

All that adds up to a great employee. That hiring managers get this is a no-brainer. In a side-by-side comparison of otherwise equal candidates, most prefer the one with certs. Don’t take my word for it — check out the ISC2 Global Information Security Workforce Study. It concluded that almost 70% of respondents view certs as a reliable indicator of competency when hiring, and almost half require certification. 

[If you realize that mobile security means more than ensuring users don't download malware-bearing games from the Android store, take our 2014 survey and enter to win a 32 GB Kindle Fire HDX.]

4. Certs jump out when robots and spiders crawl resumes. Most, if not all, resume reviews begin with an electronic search. The HR pro types in some keywords and voila. I know from experience that people conducting keyword searches typically begin narrowly and expand only if early results fail. “Narrowly” means entering in a comprehensive (read: long) list of keywords, and I guarantee that at least one certification will be among them. If your resume includes those magic letters, it will always help you get on the fast-track through the electronic screening process.

Plus, the InformationWeek security salary survey shows you’ll be in the minority if you don’t have any certifications.

5. You become a member of a club. While it might not be as glamorous as joining Bushwood Country Club, earning a certification grants you membership to an exclusive club. This association affords you the opportunity to network with like-minded individuals, share information, and gain ongoing knowledge. You can attend conferences, webinars, and have access to information provided only to members. Again, a career win/win for you and your employer.

Now, before leaving an angry comment, I am not implying that you are not serious, a great team player, and worthy of a job if you don’t have security certification(s). We all know a certification is not more important than experience. But the two combined is a powerful and delicious combination. Peanut butter is great on its own. Add jelly and it’s irresistible to hiring managers.

Engage with Oracle president Mark Hurd, NFL CIO Michelle McKenna-Doyle, General Motors CIO Randy Mott, Box founder Aaron Levie, UPMC CIO Dan Drawbaugh, GE Power CIO Jim Fowler, and other leaders of the Digital Business movement at the InformationWeek Conference and Elite 100 Awards Ceremony, to be held in conjunction with Interop in Las Vegas, March 31 to April 1, 2014. See the full agenda here.

Mark Aiello is President of Cyber 360 Solutions, a cyber-security professional services and staffing firm headquartered in Boston. Cyber 360 Solutions is a division of Staffing 360 Solutions, a publicly listed company in the global staffing sector engaged in the acquisition ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
russellnomerconsulting
50%
50%
russellnomerconsulting,
User Rank: Apprentice
11/6/2014 | 11:40:47 PM
Re: Brownie points
Long lists of certifications are only valuable when the certification and knowledge alleged to be behind it is adequately applied to business needs.  I have seen my share of paper tigers over the years, where a list of certifications were obtained as a result of compiled test question brain dumps rather than actual hands on experience and learning leading up to the qualification for taking a certification exam.   Are industry certifications valuable?  It depends is a better answer.  Professionally speaking I have my CISSP, ITIL V2 and V3, MCP, Qualysguard, eDiscovery, and nearly thirty years of industry experience to draw upon when I engage a client.  That said, the value I bring to the table is the intellectual capital, the experience, the ability to understand the business direction and holistically align security strategies with it in a manner that provides transparency and accelerated decision making.  Are these skills I developed the result of certifications?  Partially, but not exactly.  You see, a truly competent task focused technical professional in our industry must go through a constant crucible of evolution and growth in order to get to a level slightly above mediocre.  Technology changes.  We have witnessed communications move from three hundred baud dialup modems to high speed wireless in a rather short time frame.  With each advance in technology moving us closer to ease of use and functionality we move further away from security.  In practice, the speed of use and function is driven by business goals and objectives which often look to security long after the planning phase of the pet project occurred.  As a result, security is sprayed on rather than baked in to the process.  A truly certified professional who has spent the time really learning how to apply their skills will understand how to communicate and collaboratively build solutions that empower the business to thrive through trust, innovation, and accountability.  If the certified party is the equivalent of a paper tiger who passed the test with brain dumps and without proper training and experience, the business will get zero value from the resource.   In addition, when we come across such resources who are quick to work at a lower rate, they damage the rest of us by diminishing the value of the sweat equity we invested in learning our trade.  I see this far too often with outsourced entities who attempt to contact me for opportunities at compensation rates I was earning in the early 1990s.  They claim to have other certified people who will work for peanuts and I politely tell them I will be available at my premium value based rate to resolve the mess as soon as I learn who they damaged.  You can make a career out of following where some of these imbeciles land because you know all too well that a big DNU should have been stamped on the CV by a competent recruiter focused on value for the customer rather than just matching keywords indicative of a desired certification.   Sadly, these things happen on a daily basis and corporations contract the equivalent of cancer when internal controls fail to proactively red flag incompetence.  This translates to loss of value, loss of time, and loss of opportunity.   Brownie points for a certification?  Yes, but buyer beware it could just be a knockoff.  Trust, but verify is the mantra that keeps you safer than most.

    
J_Brandt
50%
50%
J_Brandt,
User Rank: Ninja
3/31/2014 | 11:13:51 PM
Re: Brownie points
There is always a balance of experience and certification.  I think it's true of all areas not just security.  It's rare that certificates only adds anything of significance to a team.  Experience, validated by certification is another matter.
yslew
50%
50%
yslew,
User Rank: Apprentice
3/16/2014 | 4:06:55 PM
Re: Brownie points
Interesting and valid from HR PoV and for fed/gov't projects.
Kristin Burnham
50%
50%
Kristin Burnham,
User Rank: Author
2/27/2014 | 3:51:27 PM
Re: Brownie points
That's a good point to make re: long list of certs. Hiring managers I've spoken to tend to agree that while some certs are necessary and valuable, experience you have in the technology trumps it all.
Mark Aiello
100%
0%
Mark Aiello,
User Rank: Strategist
2/27/2014 | 11:49:19 AM
Re: Brownie points
Hi Lorna,

It has not been my experience that Certs are perceived as being outdated. Occasionally a NASCAR looking resume with a long list of Certs will be perceived and dismissed as someone who has just passed a lot of exams. More times than not it significantly enhances the perception of someone's competency.



 
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Author
2/27/2014 | 10:11:00 AM
Re: Brownie points
Do you see any generational divide in terms of thinking certs matter? Are younger IT pros more or less likely to be the ones seeing certifications as outdated?

Of course, it's likely that the longer you have been in a field, the more likely you've had time to get some certifications, so I'm not talking about a divide in who HAS them. I'm talking about perception.
Mark Aiello
50%
50%
Mark Aiello,
User Rank: Strategist
2/26/2014 | 6:09:55 PM
Re: Brownie points
Hi Laurianne...I also like Fast Times at Ridgemont High

 
Laurianne
50%
50%
Laurianne,
User Rank: Author
2/26/2014 | 3:48:34 PM
Brownie points
The point re getting ignored by automated tools that are eliminating resumes based on certification keywords is important. How do you get around that with security certs? This is one area where hiring managers can and will be picky.

Also noted: Mark likes Caddyshack. Did you spot the reference?
Cyber Security Standards for Major Infrastructure
Cyber Security Standards for Major Infrastructure
The Presidential Executive Order from February established a framework and clear set of security standards to be applied across critical infrastructure. Now the real work begins.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Dec. 9, 2014
Apps will make or break the tablet as a work device, but don't shortchange critical factors related to hardware, security, peripherals, and integration.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.