Certification Value More Political Than Practical

Some months ago, I proudly earned my Global Information Assurance Certification (GIAC) in network intrusion detection from the Bethesda, Md.-based SANS Institute. I was impressed by the technical depth of the course and by the difficulty of the evaluation process.

I'm confident that any potential hires with this certification know one end of a TCP packet from the other. But whether they would ever get to use that knowledge in a commercial environment is a different question. The certification process goes much technically deeper than any security professional ever needs to in our environment.

That depth comes with a price, in terms of breadth. To cover network intrusion-detection systems in such detail means that host-based detection systems and other subjects are skimmed over. I recently completed my Certified Information Systems Security Personnel (CISSP) exam and found that it has gone to the opposite extreme, sacrificing much-needed depth for breadth. So are such certifications worth it? Perhaps, but not for the reasons you read about in the marketing literature.

The Claims vs. the Reality

The SANS Institute has data showing that people with a GIAC earn 12% more than staffers without the qualification. This is a cute statistic, but one with questionable meaning: Better-funded companies are more likely to send their employees for GIAC certification and are more likely to pay them better. Professionals with the certification are generally more senior and experienced than noncertified staff. This doesn't prove that the GIAC raises your income.

SECURITY BOOKSHELF Of the three books I used to study for the CISSP, the best was The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, by Ronald L. Krutz, Russell Dean Vines and Edward M. Stroz (John Wiley & Sons, 2001). It covered the information required, and I found no major errors. CISSP Exam Cram, by Mandy Andress (The Coriolis Group, 2001), was the next most useful. Each chapter concluded with links for further reading. CISSP All-in-One Exam Guide, by Shon Harris (Osborne McGraw-Hill, 2001), was worth buying for the practice exams on the enclosed CD, but the book itself included some very confusing explanations and wasn't very useful. Had I more time to study, I would have used the above as study aids and instead relied on Security Engineering: A Guide to Building Dependable Distributed Systems, by Ross J. Anderson (John Wiley & Sons, 2001), as my primary resource. It covers most CISSP exam subjects and includes anecdotes based on real experience. LINKS : Here's a link to the SANS Institute's GIAC salary data and the pay increases it associates with the certification. Visit the (ISC)2 site for more information on the CISSP.

I'd like to see statistics on the salary levels of staffers who fail their GIAC test, but I know I won't anytime soon. (If you've ever offered a higher salary to new hires based on their certifications, I'd love to hear about it in the Security Manager's Journal forum.)

Despite the inflated salary claims, the SANS courses offer good training. We have sent staffers to courses and they have enjoyed themselves and improved their technical knowledge.

However, a review of job postings will show that the GIAC isn't well known. I found 2,990 security job listings, of which seven mentioned GIAC and 11 mentioned SANS. A qualification requested for 0.6% of jobs isn't going to set the world on fire.

There is one certification that does a little better. The CISSP was mentioned in 75 job descriptions, or 2.5% of the jobs. That's better, but it's still not great. A more interesting statistic is that more than 70% of the jobs that required a GIAC also required the CISSP.

Friends told me of recruitment agents who refused to put their resumes forward for appropriate jobs because they didn't have their CISSP. I also kept seeing CISSP books sticking out of people's bags on the subway, so I decided to pursue the certification myself.

The CISSP is administered by the International Information Systems Security Certification Consortium Inc., also known as (ISC)2. It offers weeklong exam preparation courses, but because no courses in my area were convenient, I relied on books for my training.

I had only a few weeks to prepare before the next exam. It helped that I've had industry experience and that I come from an academic background. The exam focuses on military, government and academic security, all at a very shallow depth.

I enjoyed learning how high fences must be to deter intruders and the details of all the different kinds of fire extinguishers a data center could have. But this information is irrelevant: I've never worked anywhere that had a fence, and I've been never responsible for fire extinguishers.

Of Academic Interest

A tenth of the content is devoted to security models and architectures. It's interesting, in a purely academic way, to review some historical attempts to formalize security approaches, all of which are monolithic and inflexible systems designed for military applications. We'd never be able to implement anything like this in our environment. Anyway, despite the expense and complication of these systems, they were never truly secure. This doesn't bode well for the informal systems used in commercial environments.

The exam consists of 250 multiple-choice questions. The (ISC)2 allows six hours to complete the exam, but I was done in less than half the time.

(ISC)2 uses a rigorous nondisclosure agreement to discourage discussion of exam content. The cynic in me wonders if this helps it keep costs down by allowing it to reuse the same exam year after year. The lack of current material in the test I took and the use of easy-to-mark multiple-choice questions doesn't contradict this impression.

Unlike its old exams, the (ISC)2's code of ethics is public. One of these rules requires that I "advance and protect the profession," possibly by, among other things, hiring those who are certified, all else being equal. Thankfully, this is only a suggestion and, of course, all other things are never equal. But surely a good certification shouldn't need to push people to promote it?

There are areas of the certification that I do like. Every three years, I must earn continuing professional education credits to keep my certification current. I could even earn some by having this article published—if I could get it into the system without (ISC)2 connecting my pseudonym with my real name. Publishing encourages people who have the certification to help others and share knowledge.

With all the flaws I've mentioned, you might think that I won't be sending my staffers to be certified. However, while I don't think the CISSP experience will be useful in their daily work, it should fill in any missing theoretical background and provide an understanding of common jargon.

But the real value for my staffers is for their resumes and their morale. My team members are bright, so they will stroll through this exam and get a boost. Paradoxically, I feel that improving my staff's chance to get other jobs will encourage them to stick around: If they feel their current position increases their skills and experience and widens their next choice, then perhaps they will stick with it.

This week's journal is written by a real security manager, "Vince Tuesday," whose name and employer have been disguised for obvious reasons. Contact him at vince.tuesday@hushmail.com or go to the Security Manager's Journal forum.