I get asked this question by students all the time – what is the value of a certification? And the second question to follow is inevitably: which one is right for me? In today’s world, where there is significant clamor over the need for more cybersecurity professionals, one would think that the employment door is wide open. Not so fast: the path to good employment is not as simple as show up and start working, and in fact finding a good job in cybersecurity has never been harder. As the needs have increased, so have the expectations. And certifications can play an important role in obtaining a good job.

When hiring someone for a job, the two prevalent questions on every hiring manager’s mind are: will this person fit in with the rest of our team, and can they actually do the job we need done? The answer to neither of these is found in a resume, an application, or a certification. It happens in a face-to-face interview. Getting to the interview is a multistep process, specifically designed to say “no”, winnowing the number of applicants down to a select few. To show how certifications can affect this process, let’s look at two people competing for a job, Alice and Bob. Both Alice and Bob have identical resumes, job histories and applications, sans one little detail – Alice has a certification, and Bob does not. Let us also assume that they are both the ideal candidate – they fit the team, can do the job, and are the candidate the company dreams of hiring and employing.

Odds are, Bob doesn’t stand a chance – HR will more than likely screen his application into the “no” pile long before anyone who could recognize his value gets a chance to see it. This could be because the job description requires XYZ certification, a common tactic to make it easier to sort out the “no’s”, and one that is also sometimes required by contract or regulation (think DoD 8570). So, can having a certification hurt? Not really. Can not having one hurt? Big time, as your application for a job is put on the “no” pile by an HR functionary.

So Many Certifications, Which One is for Me?

In a day long past, there was only one, the dreaded CISSP. But as time went along, and thoughtful minds began to explore the entirety of the information security workplace, they discovered that one size did not fit all, and in fact wasn’t helpful at all. Certifications are designed to attest to a holder’s knowledge in a specific area. As the breadth and detail of the information security workforce grew, specialization entered the workforce and the certification arena as well. This makes the specific job or career you are seeking the key factor in deciding which certification to choose.

Where does CASP fit in?

The CompTIA Advanced Security Professional (CASP) certification is designed to demonstrate significant in-depth knowledge across a wide array of security domains. This knowledge is aligned with that of a hands-on professional who is engaged in the design and implementation of security in an enterprise setting. Where the CISSP is designed for managers and policy types, the CASP is designed for security operators and engineers. Elements of the CASP body of knowledge include understanding the security implications of:

  • application vulnerabilities
  • buffer overflows
  • integer overflows
  • fuzzing
  • enterprise storage
  • TCP/IP suite
  • DNS
  • network traffic analysis
  • cryptographic tools and techniques
  • penetration testing and tools
  • sniffers
  • port scanners
  • password crackers
  • tools such as Wireshark, Metasploit and John the Ripper

The CASP certification is designed for professionals with ten years of experience, including five years of hands-on experience. Although relatively new, the CASP is already finding its place as the technical alternative for enterprises looking for professionals to assume hands-on operational roles over the previous standard CISSP.

If you are a professional looking for a new opportunity, real-world experience is still the prime qualification employers are looking for in a candidate. Demonstrating task competency is still a challenge, but if you at least reach the stage of the interview/hiring process where your technical skills are challenged, you have passed the dreaded HR winnowing of resumes. If you are looking for senior work as a technical lead or senior analyst, then the CASP demonstrates a significant level of competency in specific elements, down to a fairly granular level.

If you are a hiring manager or HR professional and you are not currently using the CASP as a differentiator in the hiring process for senior technical personnel, then this may be just the tool to assist you in sorting out the candidates. Although some believe the SANS GIAC series to be the gold standard in certifications, one must be wary of the financial bias associated with this series. SANS GIAC series certifications typically cost thousands of dollars more than the CASP or CISSP, and as such tend to be restricted to the subset of professionals who have employer-paid training and certifications. Yes, these are valid, but in practice they are limited to a relatively small subset of the overall capable security professional population, and this subset is bounded by dollars, not necessarily by skills.

Adding CASP to your resume, or to a set of hiring qualifications, is not a significant financial impediment to most professionals, and if applicants cannot pass this test, then they are not the senior talent you want. Whether or not they fit in your environment is a test only your team can make. Whether or not they have the technical knowledge expected of senior/lead security personnel is something the CASP can give you an indication of. The time to start using this credential to separate applicants is here, and the time to hold this certification is now for senior hands-on professionals.

Wm. Arthur Conklin is an Associate Professor and Director of the Center for Information Security Research and Education in the College of Technology at the University of Houston. He holds two terminal degrees, a Ph.D. in Business Administration (specializing in Information Security) from The University of Texas at San Antonio (UTSA) and the degree Electrical Engineer (specializing in Space Systems Engineering) from the Naval Postgraduate School in Monterey, CA. He holds a variety of security certifications including Security+, CISSP, CSSLP, CRISC, DFCP, IAM and IEM. His research interests include the use of systems theory to explore information security, specifically in Cyber Physical Systems. He has co-authored six security books and numerous academic articles associated with information security. Currently he is working on Smart Grid grants from DOE in the area of workforce development and training. He has an extensive background in secure coding and is a co-chair of the DHS/DoD Software Assurance Forum working group for workforce education, training and development. He is active in the DHS-sponsored Industrial Control Systems Joint Working Group (ICSJWG) efforts associated with workforce development and cybersecurity aspects of industrial control systems. He is a senior member of several professional societies, including ISSA, IEEE and ISACA, and is a Fellow of the National Board of Information Security Examiners.