Historically there has been a shortage of college and university-level education programs focused on the knowledge, skills and competencies required for effective management of corporate security risk-related activities. Certification helped to fill this void and aimed to improve the quality and capabilities of security practitioners. However, senior-level security roles have evolved into wide-ranging and complex positions, and managers now find themselves accountable to their organization’s leadership team. It is not likely that any certification is a measure of their competency to succeed in these broad types of senior management roles.
Generally, certification programs are designed to measure knowledge in a specific practice area. They focus on relatively narrow areas of knowledge and require specified levels of continuing education to maintain the certification. The number of certifications now available, together with the costs associated with acquiring them, makes selecting those that would be of most value a challenging decision. Security practitioners can look to the demand for certification in the marketplace to aid in their choice of certification.
In 2015 SMR undertook a study to identify how many certifications related to security activities were currently available. We did not include ones that were developed and issued by companies relating specifically to their product offerings, i.e. “Microsoft Network Engineer.” We have updated the study annually, and thus far we have located 117 different certifications issued by 46 separate organizations. The certifications can be categorized as covering: 67 security generalist activities; 15 crisis/continuity/disaster recovery activities; and 35 cyber and technology related.
While CFE, CISM and CISSP are commonly requested in fraud and IT listings respectively, we were unable to quantify and measure the frequency of requests against public job postings. The only certification we found substantial statistics for was the CPP issued by ASIS International.
We have regularly evaluated CPP certification included in a listing vs. actual client requirements across time. For instance, in 1999, we estimated that the CPP was mentioned in job postings 2.4 percent of the time. In 2016, that number was 5.5 percent. We analyzed this across a wide range of security roles, from CSOs to site managers, and the numbers suggest only a small number of professional-level security jobs consider CPP as a factor.
The role of security and risk management has moved into the C-Suite, and the world’s leading organizations rarely require their C-level executives to be certified in a field. Additionally, we often see organizations recruit senior-level government executives to head security and risk-related functions. These individuals are not considered less capable leaders because they don’t have one or more certifications.
Given the many education options now available, security practitioners should choose educational and certification programs carefully. Ensure the program has clearly defined course material and test objectives that realistically measure relevant knowledge in a specific practice area.
All things being equal, certification can help set one candidate apart from another for those at the beginning or mid-point of a career. However, no certification is an indication of the ability to lead a program at a senior level of management. Any program that claims to do that is misleading.
Certification is not a guarantee of career success. Lots of initials following your name will not advance your career if you do not possess a wide range of additional interpersonal, non-technical skills. You must be able to demonstrate a record of accomplishments as a mature, competent candidate for senior-level security positions.