Tuesday, February 28, 2012

The Value of Personal Certification

by Courtney Cavness, CISSP

atsec is in the business of performing IT security evaluations and/or consulting with our customers (typically, product developers) who want to achieve a product certification. Such certification is valued by end-users because it represents a recognized and agreed-upon benchmark of achievement/assurance that has been validated by an unbiased third-party. This type of certification is required in certain situations, for example, to meet an end-user (such as the government) mandate necessary for product acquisition, or to meet an organization’s own goals to serve as a market differentiator to enhance an organization’s reputation.

When applying certification to people rather than products, the same correlations can be drawn: a person may need to get a certification if their employer requires it, or if they want to set themselves apart in a field of job applicants. But the value (actual vs. perceived) of personal certification is a hotly-contested topic in some circles. You need only perform an online search for some key terms to find passionate proponents on both sides of the fence.

I know many brilliant IT people who eschew such titles/certifications and instead rely on their work history or a demonstration to prove their expertise. In fact, this is true for any employee or contractor – they must prove their value on the job. So then, what value does a certification or degree bring to an individual?

A respected certification/degree provides assurance – before any other judgment can be made – that the person has several important qualities:

  • An understanding of which certification/degree is respected in their field.

  • The prescribed level of competency necessary to achieve that title, meeting whatever benchmark has been accepted by the industry.

  • The perseverance and dedication necessary to invest the time and energy to pursue the respected certification and education.

The word respected above is meant to signify whether the degree or certification is difficult to obtain, in that it takes some time and effort (and certain level of practical knowledge/skill) to achieve.

The main gist of the argument against personal certifications is that they have no actual value if they only involve taking a test that can be studied for and passed. I list above the reasons that I find value in a certification even if it only consists of a test. On the other hand, I agree that the combination of a test and some demonstration of knowledge allows for more assurance in the person’s capabilities. However, what constitutes a reasonable measurement of knowledge? It could include a combined test + demonstration (for example, performing a lab assignment simulating mitigating a threat for a network attack) or it could include taking into account the person’s relevant, on-the-job experience.

In the IT security industry, the CISSP certification issued by ISC(2) is arguably the “gold standard” of personal certifications. Not only does it have the reputation of being a difficult exam, but it also provides for broad professional testing, certification, and credentialing for IT security professionals. Because the field of IT security is itself very broad, it is easy to spend an entire career specializing in only a few areas. Therefore, this certification is not an indicator of specialized skills, but rather a high-level understanding of all aspects in the IT security paradigm. In addition, the exam is reviewed on an ongoing basis to validate its continued relevancy. In fact, the entire exam is "torn down" every 12-18 months to ensure it covers contemporary skills and emerging technologies (see article here).

The CISSP certification also has some requirements that go above and beyond simply passing the test, that signify that the person is “pre-approved,” if you will. The CISSP professional must*:

  • have a certain number of years of security-specific, on-the-job experience (4 or 5 years, depending on level of higher education achieved)

    This proves the candidate has relevant, real-world IT security work experience (and is not just a “paper tiger”). Therefore, not just “anyone” can achieve certification by passing the test, and I contend that this serves as a demonstration of knowledge in the case of CISSP certification.

  • take a vow of ethics (not on par with an M.D.’s Hippocratic Oath, but close) ;-)

  • be able to pass a criminal background check

  • obtain a minimum number of Continuing Professional Education credits yearly

    These can be gained via various means, including attending seminars, conferences, serving on the board of professional security organizations, providing security training, writing articles, etc. These activities help ensure the CISSP professional remains involved in the IT security community and up-to-date with the latest trends and changes in the scope of IT Security.

*All of these factors can be audited by ISC(2). The first two are part of the endorsement process to receive initial CISSP status.

The verification of these items, combined with the effort ISC(2) makes to verify a person’s identity when sitting for the exam, shows that authentication is an important factor in their credentialing process.

An interesting parallel can also be drawn between the CISSP personal certification and the Common Criteria (CC) security standard that atsec uses to perform product evaluations: the validation of CC’s functional requirements (denoting security functionality that the product must perform) is similar to a person successfully passing the CISSP exam, while the assurance requirements (the grounds for confidence that the functional requirements are met) can be compared to the person successfully completing the ISC(2) endorsement and/or auditing process described above.

atsec employees include experts in all areas of IT security, and hold various esteemed degrees and certifications including several Ph.D.s and CISSPs. We regularly spend time contributing to various IT security standards updates, serving on international standards technical committees, presenting new ideas at IT security conferences, writing articles for trade journals, and staying abreast of the latest concerns and issues in the field.

We do these things not because any certification requires us to, but because we want to remain a vital part of the industry. This is a value-add for our reputation, and by extension, to our customers who can be assured that our staff are some of the most knowledgeable people in the business.
