I just wrote about a survey from the International Information Systems Security Certification Consortium (ISC)2, the organization that offers certifications including the CISSP, saying that security pros need new skills to deal with the security issues posed by cloud computing and mobile devices. That organization, of course, has a vested interest in the outcome of the poll, but it hired consultants Frost & Sullivan to conduct the global survey of more than 10,000 security professionals.
Though the debate over the value of certifications continues, one of the interesting points in the survey results is that six of 10 respondents said they're looking to add at least one new certification in the next year. That suggests that these security pros recognize that they need more training and are looking for guidance to help them deal with their companies' issues.
As for the instruction they sought, first in their minds was training in information risk management, and applications and systems development security. The report says:
Many organizations have come to the realization that their own internally created software suffers from the same security risks as those coming from a vendor.
I'm no security expert, but that seems obvious, doesn't it?
According to the (ISC)2 report:
The concern is that the certifications considered of high value today may be perceived to be devalued and, consequently, less significant to information security professionals and, more importantly, their employers. Frost & Sullivan believes that many vendors are addressing the current skills gap [by] increasing the complexity and continuing education requirements of their certifications.
Interestingly enough, of the respondents who are involved in hiring, 90 percent ranked security certifications as somewhat or very important. The survey also asked why. While common responses tend to be employee competence, quality of work and company policy, other reasons are emerging, including regulatory requirements, company image or reputation, and customer requirement. In fact, the survey found that security pros worldwide are spending more time addressing the security concerns of their customers.
In this SearchCIO.com piece, (ISC)2 Executive Director Hord Tipton asserts that the CISSP continues to be popular and that only 1 percent of those who do not renew say they're doing so because they feel the certification has been devalued. He says the board continues to update the CISSP to address technologies such as virtualization and cloud computing.
But it quotes him saying:
Due to the popularity of the CISSP, don't expect it to do everything. We're finally getting through to human resource directors and hiring officials that they really need to look under the hood when hiring for specialized positions.