When earnings are weak or you're out of a job, is it worth paying thousands of dollars for security certification for yourself or an employee? The answer seems to be yes, especially if you're talking about one of the premier certifications from organizations such as the SANS (the SysAdmin, Audit, Network, Security) Institute and ISC2 (the International Information Systems Security Certifications Consortium Inc.) But just how much certification helps, and which are most valuable, depends on whom you talk to.
Security certification is one of the hottest two or three credentials in the entire IT industry when it comes to getting recipients more bonus pay, says David Foote, president and chief research officer of Foote Partners, a New Canaan, Conn. consultancy and IT workforce research firm. SANS and ISC2 report demand is booming, driven by the increased security demands of e-commerce and concerns over cyberterrorism in the wake of last year's terror attacks.
But other training providers say demand for certification has slumped along with the economy. Integralis Ltd., a European-based provider of security products and services, reports a 20% drop in demand for its training in Check Point Software Technologies Ltd. and Nokia products over the last eight to ten months.
While almost every vendor has their own program to certify users in their own tools, the most well-known industry wide certifications are GIAC (the Global Information Assurance
Security certification is delivering faster growing boosts in premium pay than all other IT certifications, says Foote. Based on a survey of pay in more than 1,800 organizations for the second quarter ending June 30, median premium bonus pay for security certifications rose an average of 13% over the same period a year earlier, even while overall average premiums for IT certifications fell slightly.
"The real growth seems to be coming from the GIAC certification family," Foote says, in areas such as intrusion analysis and incident handling, firewall analyst, network auditing as well as Windows and Unix security administration. Certification in those areas commanded, as of the second quarter, average median premium bonus pay of between 8% and 12% of base pay.
Not surprisingly, SANS is seeing its certification training revenue up almost 30% over the same time last year, says SANS director of research Alan Paller. "Certification is the way for the student to demonstrate to his or her boss, and their co-workers, a level of mastery" that gives them the credibility to enforce security policies, he says. Certification increases the effectiveness of "a guy who knows security, but nobody listens to them."
Another big growth area for SANS is in security training for the auditors who monitor information security, says Paller, to help them "fight back against the tech people when they're in the middle of an audit." Auditors are increasingly looking for courses that deliver a comprehensive look at information security, he says, rather than on how to properly configure an individual device such as a firewall.
CISSP certification also delivered an average 9% median bonus over base pay, according to Foote, a premium that should rise over the next few years as more companies compete for hard-to-find senior security managers. "A lot of companies are having trouble finding qualified people to run their security departments," says Foote, and the CISSP is the most accepted certification to qualify for consideration for such posts.
ISC2 saw a 134% increase in demand for its certification training in 2001, "and for 2002, we've seen the same growth, and maybe a little bit bigger," says John Berti, a senior manager with Deloitte & Touche in Winnipeg, Canada, who is also worldwide schedule coordinator for ISC2 security instructors. He says the renewed interest in security that followed the terror attacks of September 2001 has meant a lot of work for security specialists, as well as "a lot of people getting interested in being able to prove they can provide very good" information security services, he says. The reputation of the CISSP as the only certification "that covers the entire spectrum of information security" has driven demand, despite a price tag of about $2,500 for training and another $500 for the certification, he says.
Not everyone is seeing an up tick in certification-related training. When companies find business slowing, "the first thing they cut is travel and training," says Integralis' marketing communications manager Jack Wilkins. That's dampened demand for Integralis' product-specific courses, which can cost between $2,000 and $4,000, he says.
But Rich Mogull, research director for GartnerG2, a research arm of Gartner Inc., predicts such targeted security courses will grow more quickly than general security training. With an increased number of qualified job applicants looking for work, he says, employers can afford to hold out for those certified in specific applications. Since security training is sometimes even included in the purchase price of software, he predicts product-specific security training "will increase and will become part of deploying new enterprise applications."
Whether it's product-specific or high-level, security certification seems to be following the path of earlier certification programs such as the NCE (Novell Certified Engineer) and the MCSE (Microsoft Certified Systems Engineer): While they may not guarantee you a job or a raise, they're a useful -- and sometimes necessary -- credential. "The e-business juggernaut is just rolling and rolling and rolling," says Foote, driving demand for both seasoned network and security administrators. Even in today's buyer's market for IT skills, he says, employers are willing to pay something extra for certification.
About the author
Robert L. Scheier writes frequently about security from Boylston, Mass. He can be reached at firstname.lastname@example.org.
This was first published in October 2002