The chapter looks at the burgeoning field of certification for individuals in the field of information security or cybersecurity. Individual information security certifications cover a wide range of topics from the deeply technical to the managerial. These certifications are used as a visible indication of an individual's status and knowledge, used to define experience and status, used in job descriptions and screening, and may define expectations placed on the individual. This chapter examines how these certifications are produced, the subjects they cover, and how they integrate and the various audiences to which the certifications are aimed. The role, the perceived and real value, and benefits of certification within the field of information security both from an individual and an organizational perspective are discussed. Finally, some conclusions on certification are presented.
TopA Brief History Of Information Security Certifications
Information security – originally computer security – came from an IT background. It was considered to be an IT specialism for a number of years and so didn’t really require much in the way of oversight, a single unified voice, certification or qualifications. Typically, certifications were created by one or more groups of willing, interested and altruistic individuals either responding to a perceived need or trying to set a standard that could be readily understood. By setting standards, these groups hoped to both define what made an individual competent and knowledgeable in the field of information security and provide a mechanism to identify those who were perhaps less than capable. There was not the need to submit to scrutiny or oversight as the numbers involved were small, the individuals knew each other and the roles many of the individuals worked in required some form of government vetting and clearance – and most, if not all of the groups were based in the United States. From these beginnings rose the information security certification industry we see today.
Today, there is no one “global body” that can truly claim to represent information security and the individuals in the field. Whilst there are a number of organizations who have global membership and reach, they do not capture everyone who works in the field, nor does everyone in the field want to hold the certifications they offer. Thanks to its multi-disciplinary nature, information/cyber security is a “big tent” and covers more than just technical roles. Thirty-five roles (CyberSN, 2018) related to security have been identified, ranging from the highly technical security analyst to CEO. These example roles – and all 35 – will have widely differing requirements for skills, knowledge and experience; yet all will require some knowledge of information/cyber security. However, for many non-technical roles, possession of certain certifications will not be possible, as they will not possess the relevant skills and experience – and they might never gain them. Examples of these individuals could include those people working in marketing, PR and finance for information security organizations.