“Value of InfoSec Certification Survey” – Results Preview Featured in Dark Reading

July 28, 2011

Last year at RSA, we launched the “Value of Info Sec Certification” Survey.

A preview of the results is featured in today’s issue of Dark Reading, in an article by Kelly Jackson Higgins.

On Thursday, August 4th, at 1:45 PM PST, as the first part of our Professional Development Workshop at Black Hat, we are going to announce the full results.

We were very happy to receive 1349 respondents to the survey, and from reviewing the background of the respondents we find it to be a very good sampling of the Information Security industry:

2/3 of the respondents have worked in information security for more than 6 years

25% of the respondents have worked in the industry for more than 12 years

1000 of our respondents either hold or have held an information security certification (Yes, exactly 1000)

699 of the respondents hold or have held the CISSP (667 current / 32 no longer)

50% of the respondents earn 100K or more

35% have a long term career goal of becoming a CISO or CSO, an additional 10% aspire to be a CTO or CIO – (Competition should remain fierce for these roles!)

25% of the respondents said that they had a Written Career Plan – (which means that we are making progress)

These results are just the tip of the iceberg – you will have to come to our session at Black Hat if you want the full release. If you are not in attendance at the conference and would like a copy of the results afterwards, you can sign up at Infosecleaders – Research – shortly after the release.

A special thanks to all of those who participated. Thanks for making this a great success. Stay tuned for our next industry survey!


Lee and Mike


Posted by lee | Filed Under Behavior, Planning, Resume, Security Industry, Skills, Survey 


2 Responses to ““Value of InfoSec Certification Survey” – Results Preview Featured in Dark Reading”

  1. Poseidon on August 19th, 2011 1:32 am

    Hello Lee and Mike,

    I recently listened to an old Pauldotcom podcast (Episode 159) where the subject of certifications was discussed with both of you as guests.

    Two years is a long time in the infosec space. Infosec has traditionally been associated with a counter-culture of mythical black-wearing Ninjas, and I could sense that the topic of certifications was so mainstream that it was felt to be almost repulsive to think about.

    I also found it ironic that the same people who were knocking certifications spend quite a bit of time promoting training from sponsors that leads to certifications.

    When the question was asked about College and University curriculums, you couldn’t even bring yourself to suggest a path.

    I thought we could be over with such a taboo subject in infosec, but I see that we are still obsessing over it.

    As I contemplated a career in infosec, certifications represented a career map that would guide me on the long road to being exposed to the material I needed to know to work in infosec. The terms I learned in certification courses gave me the ‘language’ to seek more from other sources.

    I do recognize that some simply opt to read the questions in the back of the chapter to pass the certification test.

    Certifications at least tell an employer where you have been and some of the concepts you have been exposed to, and as you said on Episode 159, the investment and commitment you have made to the craft. It doesn’t get you a job, but at least adds to the conversation.

    Perhaps one day, I too will deny having certifications and a college education, and join the counter-culture of black-wearing Ninjas and claim to have learned the craft from mythical underground warriors. (John Strand, the Ninja Warrior…)

    The answer to the question about ‘the curriculum to pursue in college for a career in infosec’ (Episode 159) that you couldn’t answer at the time is quite simple – Infosec is a vast field that involves everything from Physical security, to Social Engineering, Software Engineering, Digital Communications, Regulatory compliance, Network design and infrastructure, and the list goes on…

    Take an introductory class in information security, most of which cover a wide variety of topics, and see if the subject still appeals to you. If it does, try to find the niche in the market that you would enjoy the most and are willing to invest time in. As mentioned above, it could propel you into a career in Software engineering specializing in secure coding, Hardware design (somebody designs firewalls and routers and not all of them learned in their basement), to Psychology specializing in Social Engineering, or even Law (thanks for all those lawyers in EFF).

    I hope that it isn’t too shocking that the industry has matured enough that clean-cut professionals with an education actually work and keep our networks safe, and we don’t all have to be whiz teenagers, tattooed beer-obsessed drinkers, or dress like Ninjas to be credible.

    Although, I still play the part when I go to Defcon. Black Hat is a bit more corporate nowadays.

    A lot of people are goal-oriented; stop doubting or knocking certifications and encourage people to go out and sign up for a course and learn something. The journey towards the certification is what will teach them something; the destination is the journey.

    I wouldn’t encourage script-kiddie-like behaviour by learning just by playing with tools downloaded from the internet. Encourage them to learn the technology, which is where the ‘Professional’ will be defined in their career as an Information Security ‘Professional’.

    Thanks for taking the time to educate.


    P.S. You are free to publish my comments if you find them to be appropriate.

  2. Poseidon on August 20th, 2011 12:14 pm

    If you are still convinced that Certifications or Diplomas are trivial, apply the view to the Medical profession and see if it still holds true. We require by law, and it would be unthinkable to most of us, to trust a Medical Doctor or Technician with our vital organs or family members unless they have a formal education and the required licenses.

    In fact, most of us don’t even interview our Doctors and take it at face value that the White coat and Diploma on the wall make them credible, and only go as far as perhaps asking for a second opinion before willingly giving up our bodies for surgery or ingesting their prescribed drugs.

    Perhaps we should be promoting more formal education and certifications for Security Professionals before we trust them with our vital infrastructure rather than trivializing its value.