What is the value of professional certification?

Recognition for and therefore the value of professional certification is rising within the information security domain. In an increasing number of markets across Europe, chances are that if there is a job being advertised that requires someone to ensure information security of systems, data, software, or the company overall, they will be asked to demonstrate at least a baseline of practical knowledge by having earned a professional certification in the field.

This is a reflection of the growing appreciation on the part of the employers that commonly understood best practice approaches and methodology for information security actually exists, and of the increasing dependency on it as companies and governments become ever more reliant on connected and therefore besieged IT systems. It is also a recognition of the serious nature of the responsibilities that come with the job – responsibilities that justify the application of professional standards to the task, as the potential impact of getting it wrong can be devastating.

Documenting practice
It is important to note that professional certification is not about gaining a certificate after the completion of a training course. Certification can more accurately be described as a form of standardization as it federates recognition for practice knowledge. When individuals pursue professional certification, they are verifying their skills and abilities that more often than not have been developed over time through professional development and on-the-job experience. Training is optional and on its own for the uninitiated will not be enough to achieve a professional-level certification. People become certified professionals by passing a rigorous examination and receiving the endorsement of their colleagues with respect to their practical experience.

(ISC)2 was formed 25 years ago, as a not-for profit membership body, with the objective of establishing broad recognition for practice knowledge. The goal was to both document grass roots experience and create a structure for maintaining the currency of this on-the-job knowledge over time. Today over 20,000 of our globally 100,000 certified members from around the world regularly participate in the biannual Job Task Analysis surveys we conduct to maintain all of our certifications. Also, as the need for security develops, our members have similarly influenced the development of new areas of certification. In the last 12 months, we have established certifications for the Healthcare Information Security and Privacy Practitioner (HCISPP) and the Certified Cyber Forensics Professional (CCFP).

The value of any professional certification lies in the rigor applied to ensure its continued relevancy. Regular robust assessment ensures holders of the certificate can continue to provide instant assurance that they possess the most up to date, real-world knowledge required in their field. It is also an assurance that they can communicate using, and work under, the same terms and concepts as colleagues working all over the world. This assurance comes from the fact these concepts have been tried, tested and verified to represent best practice through the experience of thousands working in the field. These are basic maxims that we generally associate with professions that have been established for many years, such as engineering, accounting or architecture.

An asset to society
The need becomes quite obvious when you consider the challenges faced without the foundations of recognized professional practice, particularly in fields of practice that carry significant levels of responsibility. In healthcare, for example, there has always been a recognition for the sensitive nature of data and the need to keep it secure, yet in recent years this has become a sector where reported breaches are prolific. The move away from paper-based processes and the emergence of what has become known as “Connected Healthcare” requires a whole new set of data governance measures that must be understood across the various organizations and suppliers that now interact with front-line healthcare providers. Often for very legitimate reasons many organizations have access to records that would have previously been inaccessible because they could only have been viewed in person. The healthcare industry is therefore in the process of redefining the norms that can uphold its ingrained respect for privacy.

In the absence of comprehensive national-level or international good practice standards, vulnerabilities have emerged, breaches have become numerous and public trust has waned. This became obvious when the United Kingdom’s NHS Care.data scheme aimed at creating a central database for healthcare records was officially stalled earlier this year. The public backlash at the request of a whole population to give consent to allow the transfer of their sensitive health information, previously only known to individuals at a local Primary Health Care Trust, to a centralized database, caused uproar with UK Parliamentarians. The HCISPP is the response to this and similar scenarios around the world by subject matter experts who work within healthcare and understand the value of sharing the lessons they learned and establishing a relevant baseline of knowledge for information security and privacy.

It’s a value that also translates to governments and their policy makers who seek to regulate for our safety and economic well-being. Governments are becoming particularly active in the cyber-security arena as awareness of the nature and impact of cyber threats develops. They must draw on the best information available, and a professional certification body with its privileged access to a wealth of front-line knowledge has a significant contribution to make. As a result, the certification bodies and their professional community are becoming an asset to society in general, getting involved in community awareness, consultation on standards and cyber security strategy, skills frameworks, academic development, and cyber security capacity building in underdeveloped countries.

The career move
When an individual chooses to become a certified professional their initial instinct is usually to further their career and earn a higher salary. There is a reasonable body of research within Europe’s largest markets that demonstrates a link between greater recognition of the value of certification with increased earnings and career potential. In fact, the now widely-acknowledged skills gap for people with cyber security skills and competency ensures that those with certifications face strong prospects.

Once certified, the motivational factors deepen, as the individual becomes part of a recognized community. For most professionals, this increases their belief that they can achieve success in their job role and encourages self-worth. This self-efficacy – an internal belief that they have the ability, knowledge and skills to succeed in specific situations just as their peers or seniors have – is invaluable. Certification increases self-efficacy by affecting confidence and the approach to goals, tasks, and challenges within the workplace. It also facilitates resilience, instils persistence and a determination to succeed despite the obstacles faced in their professional lives – because they are secure in their capability and knowledge.

Further, professional certifications have to be maintained. Professionals have to pursue continual learning by earning continuing professional education credits in order to retain their certification. By continuously updating their knowledge, professionals are better placed to both create and identify opportunities for success, and proactively move their career forward. They are better able to apply the learned knowledge and in turn improve their skills and expertise to more effectively perform their job functions. For their employers, this translates into a stronger business, better able to achieve its strategic goals and objectives.

The commitment
When I first became a Certified Information Systems Security Professional (CISSP) with (ISC)2 in 1998; I was one of only a few in the United Kingdom and Europe to have done so. At the time, few employers recognized this new credential. The salary and career benefits were not as obvious as they can be today. Despite this, the pursuit of my credential still clearly communicated commitment to achieve the certification, sign up to a professional code of ethics and maintain currency. In short, it communicated commitment to being a professional. This is a value that I and many of my colleagues perceived as hiring managers, and one which I believe has strongly contributed to the ensuing development of professional certification across Europe. I remain passionate about the development of this value, responding to members’ commitment as well as their clear desire to be active in the effort to move the profession forward.

In summary, while often misunderstood, and not necessarily the only solution available for the development of skills and knowledge in cyber or information security, professional certification has proven to be an extremely effective mechanism in a fast-changing world. By providing a vehicle by which knowledge, skills and experience can be broadly shared and also validated, certification has helped the world develop a much needed capacity to defend against very new, evolving and all-too-often poorly understood threats in a relatively short period of time. I believe this is a value that is very difficult to quantify, yet increasingly easy to appreciate.