The Publication for Professional
Security Management

Certifications help security professionals make the cut

Written by  Vawn Himmelsbach January 29, 2008
Security professionals are finding it’s becoming increasingly important to earn a designation or two to help them make the resume cut, get promoted or get a salary increase.


There’s an alphabet soup of certifications out there – from physical security to IT, from management to niche areas such as disaster recovery. Here’s a breakdown of some of the most important ones for security professionals.

One of the most recognized security certifications around the world is the CPP, or Certified Protection Professional, offered by ASIS. The organization tests in 30 countries, from the Philippines to Turkey. The CPP is in its 30th year, and provides an overall understanding of the security industry from a managerial perspective (there are currently about 6,000 CPPs worldwide).

“It can be mandatory for the next step, or it can be mandatory for the job,” says Daphne Philos, program director for certifications with ASIS. In the U.S., for example, certain government or military positions require CPP certification.

But experience is just as important as knowledge, she says, so unless you’ve applied it, you’re not ready to move into management. Individuals must have two years in a position of responsibility and at least nine years of security experience.

“Some people have written books on security, but it doesn’t mean they’re eligible for the CPP because they haven’t had the experience that we’re looking for,” says Patrick Bishop, general manager with Profile Investigation Inc., based in Toronto.

Once you certify, you have to re-certify every three years by getting points for different activities (such as taking a four-month university course, teaching a course, writing an article for publication or attending a workshop or seminar, for example).

ASIS also offers two other certifications. A PSP, or Physical Security Professional, conducts threat surveys and designs integrated security systems. A PCI, or Professional Certified Investigator, has expertise in the areas of case management, evidence collection and case presentation.

The PCI is slower to gain widespread acceptance, however. Where this is going to grow in interest, Bishop says, is within organizations such as hospitals and large government agencies that have homegrown investigators.

Of all the certifications, the CPP designation is showing up in more job postings and some industry experts say it has definitely become a requirement for high-level positions.

“I personally see more and more job postings where they’re asking for CPP or CPP equivalent,” says Glen Kitteringham, director of security and life safety with Brookfield Properties at the Petro-Canada Centre in Calgary. Kitteringham is also the CPP rep for the Calgary chapter.

Right now in Western Canada, particularly in Calgary, employers are reluctant to turn people down because they don’t have their CPP, but the designation would still give candidates an edge in the job market.

But Kitteringham doesn’t turn up his nose at people who don’t have their CPP. “I know people in the industry who I respect immensely, who I consider to be leaders, and they don’t have their CPP,” he says. “But I also know these people are leaders in many other ways — they have their own body of knowledge and their own professional certifications.”

The CPP is an international certification, and some feel it isn’t Canadian enough. The Canadian Society for Industrial Security (CSIS) is one organization trying to drive the acceptance of Canadian born-and-bred certifications.

These include the CSO (Certified Security Officer), CSS (Certified Security Supervisor), CSP (Certified Security Professional) and ASP (Accredited Security Professional). Certification is based upon competency levels, such as education and skill sets, rather than testing, and re-certification is required every five years.

“Certification will mean something to those who believe there is a higher standard that needs to be achieved, but more importantly maintained,” says Graham Ospreay, Immediate Past President of CSIS and chairperson of the Canadian Security Certification Authority (CSCA).

CSIS is working to further develop the program and its acceptance. “A lot of people do latch onto the CPP and I think it’s primarily because most employers are unaware of any Canadian credential,” he says.

The Association of Certified Fraud Examiners (ACFE), founded by former Special Agent Joseph T. Wells in 1988, administers the “CFE” designation on behalf of its 40,000 members. Almost half of the ACFE's members are CFEs, and the rest are associates in the field of fraud detection and investigation — many are working toward the CFE designation. Besides experience and adherence to the ACFE’s ethical guidelines, applicants must successfully pass an exam covering topics from investigations and criminology, to financial statements and interviewing techniques. CFEs are expected to not only know how a fraudster commits the crime, but why. The designation is well-known and respected, and requires 20 hours of continuing education per year, in three-year periods, to maintain.  The ACFE estimates CFEs earn about 18 per cent more than non-CFEs in similar positions.

Information technology is increasingly playing a role in the security industry, and certifications are becoming more important here, such as the Certified Information Systems Security Professional (CISSP) from ISC(2).

“The CISSP is something I went after mostly because I think it complements the physical security designation that I have,” says Jason Caissie, Security Advisor, Protection Services with RBC, who also sits on the local executive committee for the Toronto chapter of ASIS and this past fall ran the PSP review course. “There’s a very big push in the industry for convergence between physical and IT security.”

The CISSP is a more prominent designation in the IT industry, and it’s already a requirement for many positions.

ISC(2) offers three base certifications on the IT side, which are globally recognized (in Canada, it has 3,100 certified professionals). The most common is the CISSP, which is aimed at executives on the management side. It requires five years of direct professional experience, a commitment to the ISC(2) code of ethics and endorsement by a fellow certified ISC(2) member — as well as passing a six-hour exam.

“Threats are rapidly evolving and it’s so important that professionals keep up with the latest technology,” says Sarah Bohne, director of communications and member services with ISC(2).

It also offers the Systems Security Certified Practitioner (SSCP), which is designed for those on the front lines of security, such as information systems auditors and application programmers. It demonstrates to an employer — particularly in a smaller business without a designated security department — that the candidate has the ability to handle certain security functions, even if it’s not their primary responsibility. The Certification and Accreditation Professional (CAP) is geared more toward a government audience, and is a way of certifying the people who are certifying the systems.

“Salary increases often can come with certification,” says Bohne. “It’s more prevalent in the U.S., but we’ve heard of members who have gotten promotions directly after becoming certified.”

(ISC)2 has introduced an online self-assessment tool, called studISCope, for information security professionals that acts as a simulation of the CISSP or SSCP exam, offering a personalized reporting system with learning progress indicators that provides insight into a candidate’s knowledge strengths and weaknesses.  The tool also provides a readiness gauge that pinpoints the candidate’s comprehension level of the specific areas covered in the exam.
 
studISCope can also serve as a valuable management tool for employers, offering an objective, low-cost way to assess their staff’s information security knowledge, skills and abilities prior to sitting for the exam.

Another certification is the PCIP, or Professional in Critical Infrastructure Protection, from the Critical Infrastructure Institute (CII). This demonstrates an ability to protect assets (such as energy, utilities, financial, communications and transportation) from terrorist attacks, severe weather and other hazards. This also includes the growing threat of cyber-terrorists over the Internet.

A new certification is the EC-Council Disaster Recovery Professional (EDRP), offered by EC-Council, which is aimed at teaching IT professionals about the methods of identifying vulnerabilities and counter-measure approaches in the event of a disaster — anything from weather to a malicious attack. The course is designed to help them mitigate failure risks while providing a foundation for securing and restoring a network.

The IT industry, in general, has been regulated for a longer period of time than the security industry, and the formalities, professionalism and certifications are already in place.

A more recently developed certification becoming more important to security professionals is the International Association of Privacy Professionals (IAPP), created in 2001 and established to “define, promote, and improve the privacy profession globally.”

The IAPP currently has over 4,000 members, in 32 countries, and membership can range from “Individual” to “Corporate.” The IAPP provides a forum for privacy professionals to share best practices, track trends, advance privacy management issues, and provide education and guidance. To assist them in this goal, the IAPP developed the Certified Information Privacy Professional (CIPP) designation, with specializations, so far, in Government — CIPP/G, as an extension of the CIPP, and Canadian legislation — CIPP/C, as a stand-alone designation. Each designation requires 10 hours of “continuing privacy education” each year to maintain the certification, which is re-evaluated every three years.

The IAPP is the largest association of privacy experts in the world, and members encompass the full breadth of the privacy community.
Last modified on July 02, 2008
