Honing non-security related skills and getting certifications may help security professionals deal with the evolving cyberthreat landscape. It will also help them stand out in an industry where the basic security certifications have become a norm.
Scott Robertson, Asia-Pacific vice president of WatchGuard Technologies, pointed out standard certifications do not mean anything if a professional does not know how the latest Trojans work or what new social engineering techniques spammers are using.
The IT security landscape is constantly changing and evolving with new threats, with breaches and hacking methodologies being created on a weekly basis, Robertson noted. Managing security threats is no longer a parochial challenge, with networks based in distant locations prodding, engaging and penetrating defenses in a persistent manner, he explained.
Agreeing, Joseph Steinberg, CEO of security firm Green Armor, observed certifications outside the world of IT security can also be beneficial. Those pursuing IT security management careers, or pursuing opportunities in business related to IT security may find that management and business-related certifications would be of high value, he said.
In some cases, these non-security certifications may also be required as pre-requisites for security certifications, he added. A person cannot earn a CCNA (Cisco Certified Networking Associate) Security certification without holding a CCNA certification in the first place to show his or her expertise with Cisco networking technologies, Steinberg noted.
Robertson explained that even with basic skills, IT security professionals are still required to know about applications, protocols, networking, human behavior and the business itself, a lot of which is outside the scope of IT security certification.
Steinberg added if someone has no knowledge of networking for example, it would be impossible for him to be a "guru at implementing authentication systems". Furthermore, as he moves to more advanced roles, his responsibilities will almost always encompass multiple aspects of security and require interfacing with people of different set of expertise, he said.
Skill set focused certifications can also be taken to signify that a user is an expert in the specific area of the security, Steinberg added. For example, the ISSMP (Information Systems Security Management Professional), an additional "concentration" certification to the CISSP indicates that besides having a good broad knowledge of IT security, the holder has advanced expertise in information security management and its related domains, Steinberg pointed out.
Broad-based certifications still important fundamentals
Broad-based security certifications such as CISSP (Certified Information Systems Security Professional) are value-adding to IT security professionals, providing potential employers the objective confirmation that an applicant has a certain amount of knowledge and experience in the field, Steinberg said. He added this was an edge for those applying for IT security positions at his company.
The ISC2 (The International Information Systems Security Certification Consortium), the organization that maintains and administers the CISSP certification, told ZDNet Asia it updates its security certifications regularly. The organization's 80,000 members, all employed in the security industry, reviews the certifications, recommend what should be inside the examination and keep a constant look out for skill sets important to the security certifications, noted Freddy Tan, CISSP chairperson of ISC2.
The number of people holding basic security credentials has increased "dramatically" and the increased commonness of both broad and focused certifications has diluted their value as a differentiator, Steinberg pointed out. This increases the expectations that people at a minimum will have certifications and raises the knowledge and experience bar for security professionals, he said.
Since certifications provide "proof" of a person's knowledge, people who have experience with specific technologies or brands of security technologies should get certified, Steinberg advised.
"It would deliver comfort to a potential employer, offering the assurance that years of experience listed on a resume have translated into valuable, reusable skill sets," he said.