Without a doubt, the information security space is experiencing a dramatic increase in hiring. Finding qualified candidates is continuing to get more difficult, and the duties of managers are steadily increasing. As a result, hiring managers and human resource recruiters are looking for ways to make the process more efficient. Because most certifications in the information security industry come with experiential requirements, the search for candidates possessing industry credentials is seen as a good way to achieve this goal. However, other challenges begin to surface if the proper value of certification is not considered, which I explore in further detail in my recent Journal article.
I personally value certification in the hiring process and use this as a tool to screen potential employees before evaluating their resumes. Some scoff at this idea, as there are many qualified candidates without certification. While these candidates will almost certainly be filtered out, there are few better qualifiers to help parse through resumes and candidate requests in an efficient manner.
Whether it be on Internet forums or in discussion with industry peers, there are widely varied opinions about requiring certification as part of a job search. It appears that this practice is taking place in many organizations—glancing through job postings recently, I have seen many job postings requiring certification. Pushback from a few of my peers in the industry caused me to reevaluate my stance and to dig deeper into understanding the value certification brings to the process, the person and the organization. While my evaluation was not scientific in nature, it highlights many experiences I have had over the years as a hiring manager and is an aggregation of conversations I have had with many of my peers over the past year.
I suspect that some may feel that certification is becoming irrelevant or that candidates do not possess the skills that are expected, but if you put certification in the proper context, I truly feel that it helps in the hiring process and also helps identify a great employee with some of the positive characteristics I mention in my Journal article.
Read Thomas Johnson’s Journal article:
“The Value of Certification,” ISACA Journal, volume 6, 2017.
Kerry Anderson, CISA, CISM, CGEIT, CRISC, CCSK, CFE, CISSP, CSSLP, ISSAP, ISSMP
It is crucial for senior information security professionals to build new competencies and maintain existing ones. To quote my mother, a college professor and dean, “You are never done learning.” The rate of technological innovation continues to accelerate. According to Kurzweil’s The Law of Accelerating Returns, the 21st century will see almost one thousand times greater technological change than in the prior century. This means information security professionals will be called upon to respond to greater challenges in managing their associated risk. These new challenges will also generate exciting opportunities and career specializations. Many technologies we manage risk for today did not exist a decade ago, e.g., cloud computing, smartphones, virtualization.
Fortunately, the options for refreshing and extending knowledge and skills have expanded to allow the members of the information security community to maintain both proficiency and flexibility in their specific domains of expertise. Information security professionals can opt for online classrooms, traditional instructor-led classrooms or emerging learning technologies. Formal education will rarely be a one-and-done experience, but a series of programs, certifications and individual courses to maintain professional competencies over the course of a career will be needed.
In his 1959 book The Landmarks of Tomorrow, noted management expert and author, Peter Drucker, first described the concept of the of knowledge worker. Drucker discussed the requirement for continuous learning as well as continuous teaching on the part of the knowledge worker. The same necessity to continuously renew learning was listed as one of the seven habits in Stephen Covey’s book The Seven Habits of Highly Effective People.
To evolve from information security practitioner to professional requires not just participating in conventional learning activities but seeking out experiences with the potential to transform us and sharing one’s expertise with others in the information security community. For senior information security professionals, this means exploring new personal competency development options, such as blogging, teaching, writing articles and authoring books. These types of personal challenges are worth pursuing because of their return on personal investment (ROPI) is substantial in terms of the new competencies and confidence they yield.
Bob Smart, CISA, CISM, CRISC, MACS Snr, MBIS
Certifications bring clear benefits to professionals through improved global employability and earning potential. The fact that certified professionals in audit, risk and security can be paid up to a quarter more than comparably skilled and experienced staff without credentials confirms that organizations rate highly formal professional designations.
How do businesses realize this value?
Here is an example: You are about to hire an expert to perform a security review of a source code for a key application that is being developed. You have two short-listed candidates. One has recommendations as a very efficient reviewer, while the other has several relevant professional certifications. Which one would you choose?
A challenge with many professionals in information governance, risk, compliance and security management is that businesses rely on their professional judgment for decisions, full consequences of which are often not widely understood and may take a long time to materialize (e.g., several years until an overlooked application vulnerability is exploited). However, none of these occupations are regulated under state licensing laws and practitioners are not subject to malpractice liabilities. This is why professional designations provide employers with some form of (much needed) assurance that these experts possess the necessary experience, skills and knowledge of relevant frameworks, and commitment to continuous education. The trick is that not all certifications are made equal; therefore, businesses must be able to evaluate and recognize the credibility of relevant certifications.
My recent Journal article discusses the benefits that certifications bring to businesses. It also provides employers with steps to help them determine the value of individual certifications and to create a list of preferred credentials in a cost-effective way.
What benefits does your organization draw from staff certifications? Have you won a major contract due to your commitment to formal designations for your staff? Has your insurance provider recognized your reduced risk through a lower indemnity insurance premium? Has your support for professional certification improved staff retention rates? Have your employees become more motivated and enthusiastic about new learning and development opportunities?
Please post your comments and share your experiences and methods used to determine the most suitable certification(s) for your staff and deliver the most benefits to your organization as well as the employees’ professional development.
Read Bob Smart’s recent Journal article:
“Why Should Organizations Care About Professional Certifications?,” ISACA Journal, volume 2, 2013