The Value of certs
There are hundreds of security certifications out there, but not all are equal when it comes to validating a person’s security expertise. Like security ROI, compliance v. security, etc., this is a topic that seems to raise its head every so often in the security community. Last week, Stephen Northcutt (President of SANS and founder of the GIAC certification) gave his take:
“First, what does a security certification prove? Security certifications prove that the candidate meets a minimum standard. How do you know what a certification is worth? By making sure you understand what the minimum standard is and what the quality of a certification is.
Let’s do the quality part first. Anybody and his brother can go out and write some questions and pretend to offer a certification. But, when they do that, there is no quality review, and that gives people like the original blogger an understandably bad taste in their mouth. So, the first step is to find out if the certification provider has undergone, or is undergoing, ISO 17024 certification for certifications. That doesn’t prove their content is perfect, but it goes a long way towards assuring their process is repeatable and solid.
Now, let’s address the “minimum standard” part of a security certification. Quality and respected Security Certification providers like (ISC)2, ISACA and GIAC, develop a Job Task Analysis for their certifications. Here is a nice discussion of a Job Task Analysis (JTA) that has nothing to do with Security. Each and every certification should have a JTA describing the knowledge, skills and abilities required for that particular job. The more detailed and fine-tuned the JTA, the easier it is to address the minimum standard assured by the certification. For instance, the CISSP is so broad you can really only say it proves you know the basic theory and terminology of security. The CompTIA Security+ is similar; it says you know enough theory and terminology of security to be entry level. The GIAC GSEC is pretty much in the same boat; it says you know essentially the same theory and terminology of security as the CISSP, but you also know some pragmatics (what tools to use and when, operating system basics, some hands-on experience). In all three cases the minimum standard is a broad understanding of security; none of these certs demonstrate deep knowledge, but all of them assure employers you have the foundation to understand security. This may sound trite at first, but all three also demonstrate that you can read, write, reason and memorize, which are, in fact, important skills.
In order to go beyond “memorizing mostly useless and dated facts”, the JTA has to get more specific. If I was an employer looking for a quality measurement tool for potential candidates, I would look for a security certification that has quality and is specific to the job I am trying to fill. For instance, SecureWorks, probably the best IDS/Log Monitoring Outsourcing contractor in the industry, requires Intrusion Detection certifications. Currently they require the GCIA, but I am sure that they would accept a resume from anyone with a quality certification in the same field.”
Stephen is right. If you’re evaluating job candidates, you have to understand what holding a certification really means for a person’s expertise and ability. Here at SecureWorks, we gained that understanding through first-hand experience with the multitude of available certs. This experience led us to require the GCIA for all SOC analysts, because it aligns very well with the baseline level of technical expertise and proficiency we need from our analysts to provide the best quality of service.
If you don’t have first-hand experience, I suggest taking Stephen’s advice: research the verifiable steps a certification provider has taken to ensure the quality of their certifications (e.g. ISO 17024) and how the specific certification applies to the job to be done (e.g. JTA).