Thursday, August 9, 2007

Certifications and pay

A recent Computerworld article points to an increase in salary for information security practitioners with certifications. Despite questions about the usefulness of some certifications - Bejtlich's take on the CISSP is a great example - they're still required or desired for many positions. And despite the dim view some in the industry take of it, the article notes that the CISSP is among the most valuable certifications - at least from a pay perspective:

"Among the certification programs commanding the highest premiums were Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM)"

How does this negative view of the CISSP from respected industry folks like Thomas Ptacek and Richard Bejtlich fit with a high value for the CISSP? For one, more senior IT staffers are getting the CISSP. The oft-maligned "mile wide, inch deep" coverage is well suited to the broad view of management. Similarly, the CISSP's experience requirement favors, though it doesn't guarantee, more time in the field, and thus one would expect a correlation to higher wages.

More technical certifications, such as many of the SANS paths - GIAC, GCIH, and such - are more likely to be found in the hands of technically oriented professionals. The value of the certificates is definitely there, but the correlation to higher wages may not be as easy to show - fewer senior managers and C-level executives are likely to have the SANS technical certifications.

Where does that leave us as professionals? Well, for one, the government is requiring more certifications. Per the article there is a "Department of Defense directive which requires over 100,000 security professionals in certain specific job roles to be certified within a five year period" which will drive certification for many in the public sector. Second, compliance requirements dealing with PCI, HIPAA, FERPA, the GLBA, SOX, and other standards mean that companies are looking for security staffers - and certifications are an easy filter for HR.

Given those trends, a certification may just be a good route to a few dollars more on your paycheck, or into a new job - if your friends give you a hard time, tell them to think of it as analyzing and exploiting the system.
