This is the second of five articles discussing the benefits (if any) of security certifications in the job market. In the first article, a number of studies suggested that certifications do indeed improve prospects for hiring and higher salaries.
In this article, I conclude the review of recent studies and surveys with yet more encouraging news for holders of security certifications.
* * *
In June 2008, NetworkWorld writer Jon Brodkin pointed out that "Overall, the value of 164 IT certifications measured by Foote dropped 4.9% the past two years and 1.6% in the six-month period ending April 1 [2008]." However, Brodkin wrote, "Some certifications are bucking the trend and rising in value. IT security certifications rose 3.1% in value over the past two years and 1.2% in value in the last six months. Certain types of security skills are seeing dramatic growth. A 27% rise in value was measured for the Certified Information Security Manager designation, just in the past six months. In second place with a 25% rise in the last six months was the GIAC Security Expert cert."
In a follow-up article, Brodkin reported on a survey carried out for the International Information Systems Security Certification Consortium, (ISC)², which showed "that holders of the CISSP, SSCP or CAP certifications who work in the Americas and have at least five years experience earn [an average of] $102,376 per year – more than $21,000 higher than IT pros who also have five years experience but lack the certifications."
Reporting on the popularity of security certifications, Joan Goodchild of CSO Magazine wrote about a CompTIA survey that came out in late October 2009. The study of more than 1,500 IT workers found that many of them planned to pass certifications in security, ethical hacking and digital forensics.
Goodchild added: "…[M]ore companies are requiring IT security certification…. [T]he number of organizations where IT security certification is required has increased by half and is continuing to grow; 32% of employees were required to have certifications in 2008, compared to 20% in 2006."
Foote Partners maintains a constantly updated database from which it produces its annual "IT Skills and Certifications Pay Index." The latest edition (as of this writing in the first week of January 2010) includes "data collected through January 1, 2010." A 55-page PDF sample of the $2,500, 305-page quarterly report ($9,750 for a year's worth of reports) is available free online to illustrate the format of the report (most of the charts have been redacted to blanks).
Among the 201 specializations studied by Foote Partners, 34 certifications specifically involve security, auditing, forensics or penetration testing.
Founder David Foote, who also serves as Foote Partners' CEO & Chief Research Officer, was quoted in a Dec. 31, 2009 interview in a Bank Information Security podcast as saying that "Information security is the hot career option for professionals in 2010 and beyond." He was also interviewed back in August 2009 by Carolyn Gibney of SearchSecurity and said much the same thing: "Foote says there's reason for those in the security industry to be optimistic."
The Jan. 5, 2010 issue of the System Administration and Network Security (SANS) NewsBites started with the following assertion in an advertisement for the organization's courses:
The hottest security skills employers are seeking for 2010:
1. Red teaming/penetration testing (systems/networks and applications)
2. Forensics
3. Security essentials
4. Reverse engineering malware
5. Auditing networks and systems (hands-on testing)
6. Intrusion detection
7. Security management and leadership
8. Securing virtual systems
9. CISSP certification
Plus: Effective presentation skills for security professionals.
This last point is important: in addition to technical skills, communications and management skills are valuable to IA professionals. Recently Paul Dorey, chairman of the Institute of Information Security Professionals in Britain, was quoted as follows:
"We are entering a time when IT security people are going to have to move from being merely advisers to the business to real professionals whose views are listened to," he said. As IT supports every aspect of life, security breaches become potentially life-threatening or disastrous for their organisations. Just as bridge designers and structural engineers work to common and consistent standards and are therefore respected, he said, so security professionals should command the same level of respect.
For that to happen, security professionals need to communicate effectively with a wide range of disciplines – including audit, risk assessment and compliance, IT and engineering. "They need to be like chameleons to fit into those disciplines," he said. "You may not become an expert in them all, but you must at least don the facade. ... Get some mentoring to help you understand them."
In the next article in this five-part series, I'll look at the wider context of certification and licensing for a range of professionals in the United States and point to the efforts beginning in the early 2000s to force certification for IA officers in the U.S. Department of Defense.