Certification Survey Extra is a series of periodic dispatches that give added insight into the findings of our most recent Certification Survey. These posts contain previously unpublished Certification Survey data.
People in the IT realm have heard over and over again about the need for skilled information security professionals. High-profile data breaches have become so commonplace in recent years that they have started to seem like hurricanes: a predictable and expected hazard that manifests on a recurring basis every year.
For up-and-coming IT professionals who find themselves on the outside looking in at all of the hiring demand and strong job opportunities in information security, certification presents a natural point of entry. The right certification can provide a solid foundation of training and knowledge, while offering a degree of reassurance to employers.
There are many different certifications for first-time learners, but that's not the only starting point. We asked survey respondents to tell us which of more than 75 different information security certifications was the first one they earned. In other words, where did they turn to first when assessing the security certification spectrum?
The most common jumping off point is actually a fairly advanced security certification, the Certified Information Systems Security Professional (CISSP) credential offered by (ISC)2. CISSP was the first brush with information security certification for nearly a third (29.5 percent) of survey respondents.
The other two credentials to really pop through are both more focused on foundation-level security training. CompTIA's popular Security+ credential was a fairly close second to CISSP in the "my first information security certification" column. Security+ was the first security certification for almost exactly one-fourth of all respondents (24.3 percent), followed by Cisco's CCNA Security credential (13.3 percent of those surveyed).
As suggested by the preeminence of CISSP certification among first-time certificants, many security professionals have some degree of experience in information security before even turning to certification. For quite a few, actually, certification comes along at a point in time where it seems like more of a graduation achievement than an educational entry point.
We asked survey respondents to tell us how long they worked in information security before turning to certification. Here's what we learned:
Question: How many years did you work in information security before obtaining your first certification?
Less than 1 year — 12.2 percent
1 year — 9.5 percent
2 years — 11.1 percent
3 years — 9 percent
4 years — 11.6 percent
5 years — 7.9 percent
6 years — 4.8 percent
7 years — 5.8 percent
8 years — 2.1 percent
9 years — 1.6 percent
10 years — 2.1 percent
More than 10 years — 22.2 percent
There's crowding at both ends of the spectrum. Clearly certification is an early flash point for many. Nearly 42 percent of respondents worked in security for just three or fewer years before turning to certification.
On the other hand, it's quite clear that early experience working in information security can turn into career momentum that carries you from one job to the next. The 22.2 percent of respondents who worked in information security for more than a decade before starting down the certification path are ample evidence of that.