SC Magazine’s CISSP! Who Cares? article says that security certifications are not as valuable as they used to be because they are rather commonplace. Too many people going for the same job have the same qualifications. However, that is not my experience, and I disagree with some of the article’s statements.
I earned my CISSP more than 5 years ago. Let’s take a look at a couple companies I’ve worked for and count the CISSPs…
– Fortune 500 company: 3 CISSPs. 2 of 10 people on the security team currently have the CISSP; no one else. At least in that company, the cert isn’t common, even on the security team; overall, one other security team member has 5 technical certs, but no CISSP. If the CISSP was so common, most of the people on the security team would have it, and so would others in network, architecture, and other IT areas. But in this company, it just isn’t so.
– Another Fortune 500 company: 9 CISSPs. 3 in security, 4 in IT, 2 on the business side, with no relation to IT, risk, or security areas. Again, few on the security team, but more across IT and other areas. Still doesn’t sound like the CISSP is real common there.
– Fortune 100 company: 7 CISSPs. 2 in security and the rest in IT. Again, only 2 security team members have the CISSP. Are you seeing my point? If security certs were that common, I think I’d see higher numbers.
Sure, this is only 3 big companies, I counted only CISSP certs, and I’m a little biased. It’s also possible that I missed 2 or 3 CISSPs at each company, but that wouldn’t change my argument much. The SC Magazine article was broader than just the CISSP, but the CISSP was their focus, and there are more CISSP certs out in the wild than any other security cert. But I’ve laid out what I’ve experienced, so I disagree: I don’t think the CISSP is as common as the article states. And I don’t think its value has dropped much.
The article also says that it’s the experience that counts, not the certifications, because certifications do not equal experience. That’s true, but when you’re trying to get hired, your experience may not have a chance to be recognized because your application did not contain those magical certification letters; you may not get in the door.
As I’ve stated before, what’s the downside of certification? Sure, it costs you time and money. But in my experience, it has been worth it. In my next post, I’ll list the top 7 reasons for getting security certifications.
Do you think the CISA is evolving to a commoner’s certification? Tying it back to the other post under “Interviewing IT Auditors”, I’m seeing people pursuing the certification who have no desire or business doing audits but are obtaining the certification for the sake of obtaining it, or have no plans on making the transition to the audit world. I’ve seen an increase in the job market requesting CISA but it has nothing or little to do with the job position.
Yo,
No, I don’t. CISA is a de facto cert in that you almost have to have it to work as an IT auditor. That doesn’t make it common, in my mind, only required.
A common cert is one that if you don’t have it, it has a big impact on your chances of a job. Like not having a high school education.
However, I worked at 3 big companies as an IT auditor before I got my CISA. So you could, at least 7 years ago, get such a job without one if other circumstances allow. My circumstances were my 15 years IT experience across compliance and security (I also was the liaison with audit teams in those positions). I also had my CISSP, which was also a big factor (the main one each of the employers cited upon hiring me).
Because even an elementary understanding of audit and compliance is a big plus in many non-audit jobs, having the CISA is a good move for some people, even if they never audit. Besides, it’s a cheap cert that is not too hard to pass.
I don’t think that makes it common. It is still valuable.