Some months ago, I proudly earned my Global Information Assurance Certification (GIAC) in network intrusion detection from the Bethesda, Md.-based SANS Institute Inc. I was impressed by the technical depth of the course and by the difficulty of the evaluation process.
I'm confident that any potential hires with this certification will know one end of a TCP packet from the other. But whether they would ever get to use that knowledge in a commercial environment is a different question. The certification process goes much technically deeper than any security professional ever needs to in our environment.
That depth comes with a price, in terms of breadth. To cover network intrusion-detection systems in such detail means that host-based detection systems and other subjects are skimmed over. I recently completed my Certified Information Systems Security Personnel (CISSP) exam and found that it has gone to the opposite extreme, sacrificing much-needed depth for breadth. So are such certifications worth it? Perhaps, but not for the reasons you read about in the marketing literature.
Claims vs. Reality
The SANS Institute has data showing that people with a GIAC earn 12 per cent more than staffers without the qualification. This is a cute statistic, but one with questionable meaning: Better-funded companies are more likely to send their employees for GIAC certification and are more likely to pay them better. Professionals with the certification are generally more senior and experienced than non-certified staff. This doesn't prove that the GIAC raises your income.
I'd like to see statistics on the salary levels of staffers who fail their GIAC test, but I know I won't anytime soon.
Despite the inflated salary claims, the SANS courses offer good training. We have sent staffers to courses and they have enjoyed themselves and improved their technical knowledge.
However, a review of job postings will show that the GIAC isn't well known. I found 2,990 security job listings, of which seven mentioned GIAC and 11 mentioned SANS. A qualification requested for 0.6 per cent of jobs isn't going to set the world on fire.
There is one certification that does a little better. The CISSP was mentioned in 75 job descriptions, or 2.5 per cent of the jobs. That's better, but it's still not great. A more interesting statistic is that more than 70 per cent of the jobs that required a GIAC also required the CISSP.
Friends told me of recruitment agents who refused to put their résumés forward for appropriate jobs because they didn't have their CISSP. I also kept seeing CISSP books sticking out of people's bags on the subway, so I decided to pursue the certification myself.
The CISSP is administered by the International Information Systems Security Certification Consortium Inc., also known as (ISC)². It offers weeklong exam preparation courses, but because no courses in my area were convenient, I relied on books for my training.
I had only a few weeks to prepare before the next exam. It helped that I've had industry experience and that I come from an academic background. The exam focuses on military, government and academic security, all at a very shallow depth.
I enjoyed learning how high fences must be to deter intruders and the details of all the different kinds of fire extinguishers a data centre could have. But this information is irrelevant: I've never worked anywhere that had a fence, and I've been never responsible for fire extinguishers.
Of Academic Interest
A tenth of the content is devoted to security models and architectures. It's interesting, in a purely academic way, to review some historical attempts to formalize security approaches, all of which are monolithic and inflexible systems designed for military applications. We'd never be able to implement anything like this in our environment. Anyway, despite the expense and complication of these systems, they were never truly secure. This doesn't bode well for the informal systems used in commercial environments.
The exam consists of 250 multiple-choice questions. The (ISC)² allows six hours to complete the exam, but I was done in less than half the time.
(ISC)² uses a rigorous nondisclosure agreement to discourage discussion of exam content. The cynic in me wonders if this helps it keep costs down by allowing it to reuse the same exam year after year. The lack of current material in the test I took and the use of easy-to-mark multiple-choice questions doesn't contradict this impression.
Unlike its old exams, the (ISC)² 's code of ethics is public. One of these rules requires that I "advance and protect the profession," possibly by, among other things, hiring those who are certified, all else being equal. Thankfully, this is only a suggestion and, of course, all other things are never equal. But surely a good certification shouldn't need to push people to promote it?
There are areas of the certification that I do like. Every three years, I must earn continuing professional education credits to keep my certification current. I could even earn some by having this article published if I could get it into the system without (ISC)² connecting my pseudonym with my real name. Publishing encourages people who have the certification to help others and share knowledge.
With all the flaws I've mentioned, you might think that I won't be sending my staffers to be certified. However, while I don't think the CISSP experience will be useful in their daily work, it should fill in any missing theoretical background and provide an understanding of common jargon.
But the real value for my staffers is for their résumés and their morale. My team members are bright, so they will stroll through this exam and get a boost. Paradoxically, I feel that improving my staff's chance to get other jobs will encourage them to stick around: If they feel their current position increases their skills and experience and widens their next choice, then perhaps they will stick with it.
"Tuesday" is a columnist for Computerworld (U.S.) who writes anonymously.