Why Get Security Certifications?

I recently found out that my Post-9/11 GI Bill education benefits were going to expire at the end of August and I had a good amount of funds still available. I had already used some of the educational benefits for previous certifications, such as my CISSP, so I figured I would do the same again.

After speaking with some folks about which certifications to take, some suggested the Certified Cloud Security Professional (CCSP), offered by ISC2. It’s a newer certification, given how relatively new cloud security is, but also an area I’m not as well versed in, so I figured I would try to get the certification.

Now I know what some people are thinking, and believe me, I asked myself the same thing when considering the CCSP: “Why even get a security certification?” It got me thinking about why other people get certifications – are there common reasons?

Over the years I’ve thought about this on and off, but never came up with a list of reasons. So now I’ve decided to put my two cents out there in the hope that it may help someone who’s thinking about getting one.

Below are the three common reasons why I think people would get a security certification.

1. You want to learn basic concepts/terminology or demonstrate baseline knowledge.

I’ve found that many people, myself included, get certified when they start off in security in order to get a foundational understanding of the field. This makes sense if you think about it – why Google a bunch of security concepts or topics when a security certification can provide some structure for learning them?

The Security+ certification is a great example of a foundational security cert for people trying to get into the security field. CompTIA recommends that you have a couple of years’ experience in IT administration and have taken the Network+ cert, but no other security experience or knowledge. According to CompTIA’s website, the certification covers a fairly wide range of security concepts, such as “network security, compliance and operation security, threats and vulnerabilities as well as application, data and host security, access control, identity management, and cryptography.”

The Security+ isn’t the only entry-level certification out there, but it’s these types of certifications that I believe are great for folks looking to get into the security field.

Several well-known security professionals agree that certain security certifications are a great way to learn the basics:

  • Lesley Carhart mentions it in her blog post about starting an InfoSec career here.
  • Daniel Miessler mentions it on his blog post about building a successful InfoSec career here.

Both blog posts are excellent reads on how to get into the security field as well, so definitely worth reading.

I think that people who have been in the security field for a while may also benefit from learning the basics of a new area through certifications. I’m not well versed in cloud security, which is why I’m taking the CCSP exam later this month.

Let me be clear, though, about what certifications will NOT do for you – they will not make you an expert and won’t speak to your proficiency or competency in security. Certs mean that you understand the basics, and that’s it.

In my opinion, even some of the most coveted and challenging security certifications, such as the Offensive Security Certified Professional (OSCP) or SANS Penetration Tester (GPEN), at best only demonstrate some level of competency. I know several folks who don’t have these certifications but are some of the best penetration testers out there.

2. You need the certification to clear HR.

I recently attended a webinar that John Strand, another well-known security professional, hosted about being successful in InfoSec, and it touched on certifications. He highlights that people should not focus on security certifications but rather on actually building their security skill set by doing, such as building a Linux server from scratch or setting up a test router at home and managing it.

However, he does say that the unfortunate reality of working in corporate America is that we need certifications to get past HR for jobs, and I agree. I’ve seen, much like many others, that job postings require a CISSP, CISM, CCNA or some other certification to even get an interview. HR looks for certifications – if you don’t have one, you’re out of luck.

In a way, this makes sense. The HR departments I’ve worked with aren’t well versed in security, let alone IT, which makes it harder for them to get a handle on who they should bring in for an interview. Certifications are a shortcut for producing a pool of “qualified” candidates to interview. HR doesn’t have to scrutinize a person’s resume for the right or ideal experience for the role, and to be fair, they shouldn’t. The hiring manager ought to be weeding out candidates as they review resumes.

When I was a hiring manager, I often looked for certifications as well, because they gave me some indication that if we were to bring that person on board, they would share the same security model or framework that I use. For example, if the person had a CISSP-ISSAP certification, I at least knew that they had some fundamental understanding of security architecture design and requirements gathering.

However, I would then dig into their resume and experience further. How many projects has the person completed? What kinds of projects have they done? How many high-level security architecture design documents have they drafted? How many requirements gathering sessions have they facilitated? These questions can’t be answered simply by having certifications.

3. Your certification is paid for by work/government/other.

This was my primary reason for taking the CCSP. Were it not for the Post-9/11 GI Bill, I most likely wouldn’t be taking the certification. But if your company is going to pay for your certification, why not? I think it’s foolish not to get certified if you don’t have to pay for it.

I know of some companies that pay for annual certifications, which I think is fantastic for the folks who work there and can take advantage of it.

In summary, I believe the three reasons above are the most common reasons why people get a security certification. Much like anything else in life, I think it’s important to know why we do what we do. Make sure you’re clear on why you want to get a security certification.
