SANS: Popular certifications don't ensure security

Effective training emphasizes technical knowledge, survey says

Editor's Note: This story was updated at 5:22 p.m. Jan. 9, 2006, to reflect that the SANS Institute is a for-profit institute. The story previously stated that it was nonprofit.

Many popular information technology security certifications don't improve holders' ability to ensure computer systems' security, according to a new survey from the SANS Institute, a training and education organization for security professionals.

The survey found that respondents with certifications from the Computing Technology Industry Association (CompTIA), the International Information Systems Security Certification Consortium -- also known as (ISC)2 -- and the Information Systems Audit and Control Association (ISACA) think that their training does not give them as strong an advantage in performing hands-on security jobs as platform- and vendor-specific certifications do.

Because respondents could vote for multiple certifications, "the low votes for CompTIA, (ISC)2 and ISACA certifications are compelling proof that these certifications should not be relied upon for people with hands-on security responsibilities," said Alan Paller, the institute's director of research.

The findings have tremendous implications for federal IT decision-makers, who use certifications to hire people, set salaries and trust that workers have the necessary skills to protect mission-critical systems, Paller said.

He is especially concerned that the Defense Department now requires its frontline information assurance employees to have such nontechnical certifications. DOD's decision, finalized in December, came after the Titan Rain scandal last year in which international cybercriminals circumvented DOD's security measures and stole classified information.

"If these certifications do not correlate with hands-on security skills, then DOD is misleading its commanders by implying their people have the necessary security skills when they do not," Paller said.

Certification providers disagreed with the survey's findings, which showed -- by margins as large as 6-to-1 -- that the SANS Institute's Global Information Assurance Certification (GIAC) and vendor-specific certifications more effectively train people to improve security than programs that are not platform- specific.

The other organizations contend that their services provide enough technical background for frontline security employees to adequately protect mission-critical systems.

The SANS Institute is arguing that frontline security employees must know the nuts and bolts of the technology they use, said Lynn McNulty, (ISC)2's director of government services. (ISC)2 agrees that security professionals need product and platform knowledge, but managers must have a broader perspective to coordinate activities effectively, he said. He added that vendor-specific certifications can limit career progress.

(ISC)2's Certified Information Systems Security Professional and ISACA's Certified Information Security Manager, two of the most popular and prestigious certifications, target their audiences well and are professional milestones, said Everett Johnson, president of ISACA's International Board of Directors.

DOD officials are satisfied with their choice of certifications, said Robert Lentz, director of information assurance in the DOD CIO's office. The department has codified competencies for its IT security employees under Directive 8570.1, "Information Assurance Training, Certification and Workforce Management," which requires frontline security professionals to have certifications from CompTIA and (ISC)2 but not from the SANS Institute or vendors.

Lentz said the certifications ensure that information assurance employees have adequate hands-on experience. Combined with additional specialized training that commanders provide on-site, they will ensure sufficient security for mission-critical systems, he added.

To improve frontline security, DOD and certification organizations must create new platform-specific security certifications -- sets of progressively harder security tests -- to evaluate the proficiency of low-level employees responsible for hands-on security, Paller said.

Hands-on security

Last November the SANS Institute asked 4,278 information technology security professionals to rank the various certifications for people in their line of work. They rated how likely holders of each certification are to have the necessary skills and knowledge to effectively manage hands-on security. Federal, state and local government contractors accounted for 22.3 percent of respondents.

Participants said the best certifications for hands-on security jobs are the SANS Institute's Global Information Assurance Certification (64.3 percent); vendor certifications from Microsoft, Red Hat, Sun Microsystems and Cisco Systems (59.9 percent); and those from the International Information Systems Security Certification Consortium, or (ISC)2 (35.2 percent).

Furthermore, security management professionals benefit most from certifications granted by (ISC)2 (54.1 percent), the Information Systems Audit and Control Association (ISACA) (31.9 percent) and the SANS Institute (21.9 percent), while certifications from (ISC)2 (59.2 percent), the SANS Institute (40.6 percent) and ISACA (31.3 percent) give an edge to people in security policy and awareness roles.

-- Michael Arnone

2014 Rising Star Awards

Help us find the next generation of leaders in federal IT.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above