Expert Advice

Joyce Brocaglia is the executive career advisor for CSO magazine. The following questions and answers are featured on CSO's online magazine (www.csoonline.com).


When hiring information security personnel, is certification indicative of expertise? If so, which certification is best? Or is experience more important?

The two most recognized certifications for the information security industry are the CISSP and the GIAC.

The CISSP (Certified Information Systems Security Professional) is the oldest and most acknowledged certification (www.isc2.org). The CISSP was designed to recognize mastery of an international standard for information security and an understanding of a CBK (Common Body of Knowledge). Candidates must pass a 250-question multiple-choice exam to be certified. To be eligible to take the exam, they must have at least three years of direct work experience in one or more of the test domains of the CBK, and they must maintain the certification through continuing education.

The GIAC (Global Information Assurance Certification) was founded in 1999 by the SANS (Systems Administration and Network Security) Institute (www.giac.org). This certification requires completion of a written practical assignment as well as one or more technical online exams. Certifications are renewed every two years by taking a refresher exam. Candidates can choose to pursue specific certifications such as GIAC Certified Firewall Analyst (GCFW), GIAC Certified Intrusion Analyst (GCIA), GIAC Certified Incident Handler (GCIH), GIAC Certified UNIX Security Administrator (GCUX), and GIAC Certified Forensic Analyst (GCFA).

In my opinion, the CISSP is the most widely accepted certification for information security managers, and the GIAC lends itself to technical practitioners. Although certification alone is not indicative of performance, it does show a certain level of expertise in the subject matter. According to Jim Wade, President of (ISC)² (International Information Systems Security Certifications Consortium, Inc.), "A professional certification is one way for employers to distinguish among individuals applying for a senior information technology position. A professional certification is one that is based on habitual knowledge, not completion of coursework or on the basis of specific knowledge of a particular vendor's products. Being awarded a professional certification indicates that an individual has and continues to maintain the knowledge and experience that measures up to the expectation commonly held among their peers in information security."
