Security Musings

Musings on Certifications

Collected musings on information security certifications.

Is Tech Target deliberately misleading with respect to Information Security Certification?

By Stephen Northcutt
On July 26, 2007, Robert Westervelt posted the following in his Tech Target blog: "Companies are beginning to seek out more security talent in niche areas according to the latest job skill and certification research from Foote Partners LLC. Security certification premiums increased 2.2% over the last six months compared to other areas that are flat or losing ground, according to David Foote, president of the research firm. I interviewed Foote today to find out what niche areas may be highly coveted. The premiums could be embedded into base pay or in addition to base pay in terms of bonus or variable pay. Among the certifications paying a premium: (There's no big surprises here) certified information systems security professionals (CISSP), certified information systems auditor (CISA), certified information security manager (CISM). Some extensions doing well: CISSP - management and professional, architecture and professional, engineering professional. These are earning between 10-16% of base pay."[1]

What about GIAC? He probably should know about the Global Information Assurance Certification (GIAC)[2]; after all, on July 29, when I searched for "Information Security Professional" on Google, GIAC was listed second.[3]

Of course, real estate in an article or blog is limited, and he might not have had room to mention GIAC even though it ranked higher than some of the other certifications he does mention. However, I was curious: was this a one-time event, or a pattern? So I googled Robert Westervelt to see what he had written in other publications. Well, clearly, as of 20 Jul 2005 he knew about GIAC, because in yet another interview with David Foote he wrote that several GIAC certifications were listed as hot:

  • SANS/GIAC Security Expert (GSE)
  • SANS/GIAC Certified Forensic Analyst (GCFA)
  • SANS/GIAC Certified Windows Security Administrator (GCWN)
As well as cold:
  • SANS/GIAC Security Essential
  • SANS/GIAC Firewall Analyst [6]
And I was not the only person to notice. I was copied on an email from Kevin Fuller to Robert Westervelt (if Mr. Westervelt answered, he did not copy me): "A nice article. No mention of the SANS certifications though. Didn't Mr. Foote include them in his survey or did you just fail to mention them. When it comes to focused skills and certification SANS is one of the best around at "skill based" certifications."[7]

There are also troubling signs that glorifying the CISSP at the expense of the rest of the industry may be editorial policy at Tech Target itself. An article by Peter Gregory that claims to cover compliance is nothing more than an advertisement for the CISSP: "CISSP Common Body of Knowledge. The Certified Information Systems Security Professional, or CISSP, is offered by the International Information Systems Security Certification Consortium (ISC)2, and seeks to provide an objective baseline for measuring competency. The CISSP Common Body of Knowledge (or CBK) defines the knowledge base required of CISSP candidates. The CBK consists of 10 categories that CISSP candidates are expected to be familiar with in order to pass the rigorous CISSP certification exam. The categories are:
  1. Access control
  2. Telecommunications and network security
  3. Information security and risk management
  4. Application security
  5. Cryptography
  6. Security architecture and design
  7. Operations security
  8. Business continuity and disaster recovery planning
  9. Legal, regulations, compliance and investigations
  10. Physical (environmental) security" [8]

Peter Gregory, by the way, is a co-author of CISSP for Dummies. If he can pose as a journalist to pump up sales of his book, that is a conflict of interest that Tech Target should have caught.[9]

The bottom line: the CISSP is certainly the best-known certification, but it is hardly a magic shoo-in to understanding government regulation, as Gregory claims. In fact, GIAC offers a compliance-specific certification[10] that is far more in-depth than the CISSP; the testing takes three full days, and even with that, I would not make the claims for the GSE-Compliance credential that Gregory makes for the CISSP. Considering that GIAC ranks just after the CISSP on Google for "Information Security Certification" and is a major source[11] of ISC2 Common Body of Knowledge[12] information, it is odd that Westervelt did not mention it. In addition, GIAC has been selected, along with the CISSP, CISA, and CISM, as a certification provider for the Department of Defense under 8570.1M.[13] Tech Target should review its editorial policy[14] to ensure balanced coverage of the security certification landscape.

All links below acquired July 29, 2007:

7. Email from Kevin Fuller to Robert Westervelt, Tech Target, copy Stephen Northcutt, July 27, 2007.