When it comes to education, most people agree that more is better. No one embodies that principle, at least in regard to IT certifications, better than Jerry Irvine. CIO of IT consulting firm Prescient Solutions and member of the National Cyber Security Task Force, Irvine holds more than 20 IT certifications, of which at least six are specifically information security-oriented.
"I'll stop getting certifications when I'm dead," says Irvine, though one wonders if even that will dissuade him. Irvine is a strong believer in the notion that the value of certifications in general and security certifications in particular shows up in your wallet.
"My opinion is the more certified you are, the more marketable you are. You can prove you know more because you have those certifications," says Irvine. "People look at you and say, 'This guy really does know his stuff.' That gives you the opportunity to make more money."
Anyone who puts in the time and spends the money to get certified is showing they care about staying current with security trends and techniques. That quality makes someone more desirable to an employer, he adds.
As a practical matter, many of today's information security certifications require much hands-on application of skills, such as CompTIA's CASP (Certified Advanced Security Professional), which requires candidates to configure firewalls and routers and perform other security-related tasks as part of the test. Being able to pass proves to a potential employer that you can do certain things, potentially giving you an edge over those who do not hold the certification.
For some jobs, obtaining a particular security certification, whether for information security or physical security, is a requisite for even being considered. In that case, you will surely know if there is a certification you need to obtain. Beyond that, however, attaining certifications is generally a matter of personal and/or employer choice. Some certifications require a great deal of work both in and out of the classroom, as well as sitting for the test. The question: Do they generate return on your investment?
Certifications should not be the end goal so much as a tool you can use in furthering your career, cautions Chris Brenton, an instructor at the SANS Institute and director of information security for CloudPassage, a cloud security provider. Brenton has been delivering certification training for quite a few years but, perhaps surprisingly, does not hold any himself.
Certifications are one way to prove what you know, says Brenton, but there are other ways, especially if you're a good communicator.
"It's how much do you know and how good are you at conveying what you know?" he says.
As someone who oversees hiring security professionals for his company, Brenton looks for experience beyond certification that shows the job candidate has practical skills. For example, if the candidate created a piece of open-source software relating to security (such as for vulnerability scanning or implementing host-level security), that indicates real-world knowledge, he says.