Interest in IT security certifications is booming, as more US companies tighten up the protection surrounding their critical network infrastructure and as a growing number of employees view security expertise as recession proof.
Three of the top 10 IT certifications in terms of demand among US employers are security related, according to Foote Partners, a consultancy that tracks IT employment trends. These include the Red Hat Certified Security Specialist – which ranks as No.2 on the Foote Partners list – as well as the CompTIA Security+ (No.3) and the GIAC Security Essentials Certificate (No.6).
"Throughout the whole recession, security [expertise] has done nothing but keep going up in value," says David Foote, CEO of Foote Partners. "Companies are realizing that there's no such thing as perimeter security. A lot of breaches are internal. It's a question of not just how do you prevent intrusions, but it's a question of how do you protect data."
Worries about security breaches are prompting companies to get more IT employees trained and certified in information security, Foote says. "Employees are looking at security certifications as career safety," he adds. "Security is a great long term career move because there's a steady drumbeat of regulations and compliance."
Infosec certifications have been gaining popularity since 2005, when the Defense Department issued a directive known as 8570 that requires military employees, defence contractors and other federal employees involved with information assurance to have security credentials. As vendor-neutral certifications, both the CompTIA Security + and GIAC Security Essentials Certificate meet this mandate.
"We've had record months throughout the year, driven by the government sector. The Defense directive 8570 is having a significant impact," says Terry Erdle, senior vice president of skills certification at CompTIA. "We're seeing interest from federal government, state and local government, education, defense contracting and federal contracting."
The fastest-growing infosec certification is Red Hat. Launched in 2006, this certification is aimed at senior network administrators and is designed to prove that a person has deep skills related to running Red Hat Enterprise Linux in a secure fashion.
"Between this time last year and today, the number of people who have passed [the Red Hat Certified Security Specialist] exam has grown by 70%," says Randy Russell, director of certification at Red Hat. "Clearly, something is happening with this particular credential."
To qualify for this certification, network engineers must first pass the Red Hat Certified Engineer test and then be trained as a Red Hat Certified Security Specialist. Engineers must pass three exams, in advanced networking security, Linux policy administration and directory services/authentication, in order to earn this credential.
Russell says more IT professionals and their employers are interested in this certification because they understand the security risks that exist today.
"Security has become something that is much more evident. Exploits have become well known. It has become more ingrained in the public mind, the corporate mind and the IT mind that security is not an add-on. Security is something that is fundamental to your practices in your IT shop," Russell says.
Another driver is tighter federal regulations about data privacy and security dating back to the Health Insurance Portability and Accountability Act of 1996 for healthcare companies and the Sarbanes-Oxley Act of 2002 for public companies. Another compliance-oriented driver is the Payment Card Industry Data Security Standard, which launched in 2004.
"There is a growing regulatory environment that mandates certain kinds of security controls and oversight in an organisation," Russell says. "A lot of organisations are really upping their game and looking for ways to meet those requirements through skills [acquisition.]"
Another fast-growing security certification is the CompTIA Security+, which is aimed at network administrators with at least two years of experience. The number of IT professionals taking this exam, which measures competency in system security, network infrastructure, access control and organisational security, is double what it was a year ago.
For employees, the impetus to pursue an infosec certification is not only job security but a pay increase. "We do see that there are some salary... advantages to getting certified," Erdle says, adding that IT professionals who have the CompTIA Security+ certification report pay raises as high as 5% to 7%.
Erdle says he expects CompTIA's Security+ to remain a hot certification because of the industry-wide push toward healthcare IT, mobility and cloud computing will require security, too. "You're going to see us start to add modifiers around cloud, [software as a service], health IT and green IT," Erdle says.
Also popular are the suite of 20 Global Information Assurance Certifications, which have demonstrated about 25% growth during the last year, according to Jeff Frisk, director of the GIAC Certification Program.
"The Foote Partner reports have listed the GIAC family of certifications as maintaining and growing in value... not only the value in how people are being compensated and promoted but also the value that it brings to an organisation," Frisk says.
Most popular is GIAC's general purpose Security Essentials Certificate, but other job-specific GIAC credentials such as GIAC Certified Incident Handler, GIAC Certified Forensic Analyst and GIAC Certified Intrusion Analyst are also in demand. Overall, more than 32,500 GIAC certifications have been awarded in the 10 years since the program began.
"Our certifications mesh very well with specific real world job duties and job tasks," Frisk says. "If you're a chief information security officer, you're going to need risk analysts, incident handlers, firewall experts, intrusion detection people, Unix people, Windows people and forensic specialists. A lot of the value of our certifications... is that they qualify or validate that specific skill set."
All of the popular infosec certifications claim to measure the real world skills necessary to protect systems, software and information from attacks. That's why the organizations offering these certifications, and selling the training necessary to prepare for them, say they are growing.
"Our certifications are harder to obtain, more relevant and more prestigious," Frisk says of the GIAC program. "It's not the easy way out. We do not rubber stamp people. You have to demonstrate skills to hold a GIAC credential... That's part of the reason that demand is up."