Sunday, August 26, 2007

Are CISSP, CISA and CISM credentials necessary?

Your Public Answer:
“Hi ...,

Depending on your point of interest, the value you get out of a specific certification varies. Certifications in general do not indicate that an individual carries the necessary skills for a job, but they are a very clear sign that a certain individual has spent plenty of time on a specific topic. I usually say that certifications do not measure what you know but they do measure what you have studied. That is why I always ask about them during the hiring process. There is no way that a regular network security guy has studied IT governance or Audit Standards unless he/she is forced to do so via certification. Certifications also point out future willingness to study more difficult topics.

For an ambitious governance program CISSP, CISM and CISA will help you to form a baseline for all team members. Usually engineers do not have time to study for exams during regular business hours, as usual they are busy with something else; the certifications signify the time they have spent for their job with a sacrifice of their personal time. That is dedication. When I ask any of the engineers, “Can you get this certification because I need it in my team” (e.g. for an RFP), the answer usually gives an idea about how well my team is aligned with the short and long term goals.

I have seen so many engineers with excellent skills on what they do in daily operations but most of them lacked a solid grasp of strategic initiatives. Interestingly, I found out that the engineers with several certifications have a tendency to be more efficient on strategic projects. I don’t buy the line “I develop my skills when needed...” Studying for certifications is better than surfing Slashdot.

I do have all of those certifications. I leverage them in several different ways.

a) First of all, everybody speaks the same jargon. I have been working on enterprise security for more than 12 years and it has never been easier to tell an audience about the CIA triad.
b) As Javed put it, certifications allow me to access specific resources through portals, e.g. I really like what I get out of ISACA portals. Mailing lists are another plus.
c) They help a lot in customer-facing engagements. I do have more than 10 of them; when customers notice the work behind those certifications we pass the initial “Does this guy know anything?” phase.
d) Certifications bring discipline; all of them come with specific experience requirements and continuous learning prerequisites, so it is better than not having them.
e) In many contracts, RFPs and assessments these certifications became an individual baseline, like SAS70 and ISO 27001 for organizations; it is useless to get into the “we do not believe in certifications” discussion.

That being said, here is what I think about those specific certifications:

CISSP: As everybody says, the scope is as broad as a sea, but the depth is 2 inches. It is a very useful certification for people who are getting into the information security field from other disciplines. If a regular information security guy has a problem with getting it, that is a red alert. I usually make it a prerequisite for managers, network and system engineers. It even works for sales people if your core practice is security.

CISA: This was a very good exam. The curriculum is good. It gives instant access to years of audit experience. The COBIT framework is nice. I use the information I gained from this certification daily. I recommend it for everyone.

CISM: Another good solution from ISACA. It is a good start for governance, and a basic overhaul of information security for managers. This is recommended if you are getting into information security management.

There are also other frameworks like ISO 27001 and ITIL which are very helpful. For hands-on, GIAC certifications are nice, but I still recommend vendor certifications for hands-on, such as Cisco and Check Point...

regards,
- yinal ozkan”
