Tuesday, May 29, 2012

Are Security Certifications Useful?


Security professionals either currently employed or seeking employment are often requested to pass certification exams. In fact, many companies may not even consider an applicant for a position that does not have the "required" certifications.

With this being said, in this post we will discuss the purpose behind certifications, how we should view their obtainment, as well as list of different certifications currently offered in the industry.

The Purpose of Certifications

Many certifications are regarded as not possessing much value when it comes to determining the technical abilities or the "on the job knowledge" of a professional. While this may be the case for many certifications, we must keep in mind the true purpose behind certifications as a whole.

A large problem in any professional field is how to quickly manage and determine knowledge and expertise amongst a large group of individuals. This is a very common issue when attempting to hire a candidate for any position. While it may be ideal, thoroughly testing and measuring the technical, communication, and management abilities of each candidate that applies for the position is usually resourcefully and monetarily infeasible for any company. As such, industries attempt to establish an exam that, when passed, attempts to measure the baseline competency of the certified candidate. A company can quickly have an idea as to subject matters about which the candidate should know, since he/she demonstrated the knowledge when passing the exam.

In addition to this, specifically regarding technological fields, it would be unrealistic to expect the exam material to cover current specific technologies. Instead, these certifications aim to test the foundations of a specific field. For example, security certifications may try to test things such as if a candidate knows what a vulnerability is, or how to appropriately measure risk. With this being the case, certifications can be very useful to companies looking to hire employees, as they can ensure the candidate understands the foundations of the field.

However, certifications are not a panacea for employment. As noted above, certifications only test a subset of knowledge that is expected from professionals in a particular field, and exempts the rest. This means that if a company is looking to hire a candidate for a very technically-oriented position, it should not depend on most certifications, since these do not incorporate this knowledge. For example, many certifications in the field of security may test to see if a candidate is aware of what a buffer overflow vulnerability is, but not test to see if a professional knows how to develop an exploit that takes advantage of a buffer overflow vulnerability. This difference may be crucial to organizations who rely on their professionals to research and develop vulnerabilities for low level applications.

Also, it should be noted that there is a strong difference between being certified and being certifiable. Many very knowledgeable and capable professionals may not have taken the certification exams, but have the ability to pass them with ease. In addition to this, these uncertified professionals may have knowledge and experience in the field far beyond that of many certified counterparts. Having these abilities, but lacking the actual certification classifies a professional as "certifiable". On the other hand, some professionals may study enough to pass multiple certification exams, but not have any significant experience in their respective fields, which may be crucial to an organization looking to hire someone with this experience. It is therefore left to the employer to have means to determine the needed competency of the candidate.

In Summary

We can see that while certifications may not be the perfect solution to use when looking for an ideal candidate for a job, they are still very useful to employers, if the employer understands the purpose behind them, what they do and don't accomplish, and the further testing that may be required to test a candidate for other aspects related to a particular position. By testing the foundational knowledge of a field, certifications provide assurance to employers of the baseline knowledge of a candidate. In addition to this, it is very possible and common for the candidate to use the experience of studying for a certification exam as a learning experience. The common saying is "you get out of it what you put in," meaning that one can truly study to learn and benefit from the experience, or they could simply attempt to memorize terms and questions. Having the ability to learn from this studying allows certifications to be beneficial to both employees and employers.

Security Certifications

With this being said, since this is a security blog, here's a list of some of the more common security certifications available. This list is by no means exhaustive, so if I miss any (and I will), please let me know in the comments below!

  • Security+ - CompTIA's base security certification.
  • CASP - CompTIA's "middle-tier" security certification. Aimed towards "IT professionals with advanced security skill"
  • CISSP - The current industry standard security certification provided by (ISC)²® .
  • CISA - Security certification provided by ISACA that is aimed at IT security auditors.
  • Offensive Security Certifications - Offensive Security (creators of Backtrack Linux and much more) created certifications that are designed to be as practical as possible. These certifications are quickly gaining ground in the industry as being technically oriented, and provided industry skills that are useful for security professionals.
  • Security Tube Certifications - Vivek Ramachandran, founder of Security Tube, has created certifications based off of the informational videos published on the site. These certifications are very new, but are quickly becoming recognized in the industry.
  • CEH - Provided by the EC-Council, the Certified Ethical Hacker certification is designed towards Penetration Testers.

Hopefully this post has shed some light to both the benefits and the deficiencies of certifications. I will continue to update this list as I become aware of other certifications either through individual research or the comments. Again, I'm sure I am missing quite a few, so let me know below!

1 comment:

  1. Security professionals either currently employed or seeking employment are often requested to pass certification exams. In fact, many companies may not even consider an applicant for a position that does not have the "required" certifications. cold aisle containment