IT Security Certifications: 6 Trends to Watch
Which security certifications are on the rise — and which are on the decline?
December 10, 2018
For those that specialize in cybersecurity or information security, the CISSP – or Certified Information Systems Security Professional – remains the go-to certification. This is particularly true for veteran IT pros as they build technical expertise and rise through the ranks; it’s also a differentiator from folks whose security focus is more on the risk management or compliance side of the house. (We’ll get to that separate-but-related universe in a moment.)
“The CISSP has been, and continues to be, the primary mark of an experienced individual that focuses strictly on information security,” says Matt Wilson, chief information security advisor at BTB Security. “It’s differentiated by being a bit more technical when compared against audit or management-geared certifications.”
For MSSPs, the CISSP can be a flag in the ground that says: Security is what we do. It’s a calling card that might help set you apart from generalists.
That said, it’s not the only game in town for folks looking for certifications that affirm their particular commitment to the technical nuts and bolts of cybersecurity.
“For the most part, the CISSP remains the most recognized and respected among the InfoSec community, but highly regarded certifications can be obtained from the SANS Institute and Offensive Security,” Wilson says.
There’s a particular certification in the “offensive” category that is losing its luster in the marketplace — we’ll get to that in a moment. But Wilson points out a fundamental truth about the value of certifications: Their value is tied to how hard they are to achieve.
“The Offensive Security certifications have gained significant credibility over the last few years — they’re difficult, technical tests that require the candidate to demonstrate functional knowledge and abilities through realistic scenarios involving test environments,” he says.
A new class of IT certifications has emerged with the sweeping adoption of cloud technologies throughout the business world. More specifically, organizations of all types and sizes need IT pros who can not only architect and operate cloud infrastructure, but secure it.
That necessitates a shift for many security veterans, and the growing category of cloud certifications can help facilitate it.
“With much of IT moving to the cloud, and with many IT security professionals being focused mostly on on-premises IT, certifications such as the AWS Certified Solutions Architect and ISC2 Certified Cloud Security Professional are quickly gaining prominence,” says J. Wolfgang Goerlich, SVP, strategic security programs at CBI.
With a well-publicized shortage of cybersecurity talent drawing younger professionals and career-changers to the field, certifications can be a way to build knowledge and credibility in the absence of considerable on-the-job experience. According to Goerlich, CompTIA’s cybersecurity certifications form a good pathway for this group.
“For entry-level professionals, the CompTIA track continues to be strong,” he says. “Culminating in the CompTIA Cybersecurity Analyst (CySA+), CompTIA has long been a dominant player for junior talent and is well recognized by both consulting firms and internal teams.”
MSSPs and partners struggling with the talent gap might do well to look for inexperienced people with these certs, especially if your firm is willing to train on the job.
To this point, we’ve focused on security-specific certifications that an individual pursues on his or her own, even if their employer is footing the bill. MSSPs, MSPs and other partners must consider a related arena, too: compliance.
On the compliance front, certification tends to be an organizational achievement — often a required one, especially for service providers – rather than an individual calling card. These are the certifications and frameworks that show your readiness to handle government regulations and audits and, as part of your larger security posture, your general commitment to protecting data and systems.
As such, compliance is not just for security practitioners or teams — it’s for everyone in the company, says Katie McCullough, CISO at OneNeck IT Solutions.
“Certification and compliance [have] requirements companywide and, in order to assure commitment and adherence, the ability to address them starts at the executive and board level,” McCullough says. “In fact, most compliance and certifications require evidence of the commitment from the leadership level and throughout the organization to security.”
As with individual security certs, McCullough says there are a variety of factors in weighing the importance of various organizational certifications related to security and compliance.
“The Center for Internet Security Controls tends to be recognized as the true security controls,” McCullough says. “However, frameworks such as NIST are very prevalent in the U.S., while global companies typically look for ISO certifications.”
McCullough notes that SOC 1 and SOC 2 audits are “table stakes” for MSPs and MSSPs: “These audits focus on the fundamental elements of security, availability, processing integrity, confidentiality and privacy,” she says.
Looking ahead, McCullough expects increasing attention to data privacy as a compliance matter, fueled in large part by GDPR.
“Although there aren’t specific certifications related to GDPR at this time, this will be a developing area in the coming months,” McCullough says.
Both Goerlich and Wilson say that the perceived value of Certified Ethical Hacker (CEH) certifications is in decline in the InfoSec community.
For Goerlich, this stems from a marketplace reality — and a general change in perspective on the signs of a person’s aptitude for the security field.
“The majority of the positions in InfoSec are on the defensive side,” Goerlich says. “The old-school perception was, if they can break in, they can keep people from breaking in. This perception has been fading and, so too has the certification value.”
Wilson concurs that the value of the CEH has “waxed and waned” among security veterans in recent years. In fact …
Discussion of the value of security certifications might kick up a notch or three in the new year, especially as the security industry’s growth continues unabated — and the shortage of qualified security pros grows alongside it.
“There’s a bit of a movement in some circles to de-emphasize the certification industry,” Wilson says. “The feeling is that merely having a certification doesn’t make a competent professional, and I agree wholeheartedly with that, but also that the popularity of information security has incented those certification organizations to lessen requirements and reduce test difficulty. That’s a larger, important problem to address.”
The jury’s still out on that issue. In the meantime, the right certifications certainly retain some value — it’s the “how much?” question that will continue to be debated in 2019.
“At a minimum, certifications show some dedication to an industry, and lend the holder more credibility in the eyes of most,” Wilson says.
By Kevin Casey
Industry certifications have been a mainstay of IT resumes for decades. These credentials generally have been viewed as signs of someone’s professional commitment or specialization in particular technologies or roles.
That is, however, most definitely a generalization. An IT certification is not a guarantee of someone’s skill level or potential, and it’s certainly not going to tell you much about a person’s so-called soft skills, such as their ability to work well with non-technical business partners. That, among other factors, fuels an ongoing debate about the relative value of specific certifications.
This is perhaps especially true in the security field, which has its own beefy menu of longstanding and emerging professional certifications. They can certainly be valuable — and, as a result, part of an MSSP’s pitch to new clients, a sign of the team’s investment in its skills and general credibility in the InfoSec field.
Throughout the fourth quarter of 2018, as part of our “In Focus” series, we are featuring a series of galleries designed to help partners grow their businesses in 2019 and beyond.
Like the broader IT industry, though, not all certifications are viewed the same — nor are they static credentials that never change. As we approach the end of 2018 and barrel into a new year, we asked several security and channel leaders for their insights on the current state and perception of IT security certifications. Here’s what MSSPs and other partners should keep in mind as they evaluate their certifications and plan for future training and professional development. Similarly, security pros at all experience levels should keep these trends in mind — especially if your New Year’s resolutions will include any career planning.