Certifications help security professionals make the cut
By Vawn Himmelsbach
Security professionals are finding it’s becoming increasingly important to earn a designation or two to help them make the resume cut, get promoted or get a salary increase.
There’s an alphabet soup of certifications out there, from physical
security to IT, from management to niche areas such as disaster
recovery. Here’s a breakdown of some of the most important ones for
One of the most recognized security certifications around the world is
the CPP, or Certified Protection Professional, offered by ASIS. The
organization tests in 30 countries, from the Philippines to Turkey. The
CPP is in its 30th year, and provides an overall understanding of the
security industry from a managerial perspective (there are currently
about 6,000 CPPs worldwide).
“It can be mandatory for the next step, or it can be mandatory for the
job,” says Daphne Philos, program director for certifications with
ASIS. In the U.S., for example, certain government or military
positions require CPP certification.
But experience is just as important as knowledge, she says, so unless
you’ve applied it, you’re not ready to move into management.
Individuals must have two years in a position of responsibility and at
least nine years of security experience.
“Some people have written books on security, but it doesn’t mean
they’re eligible for the CPP because they haven’t had the experience
that we’re looking for,” says Patrick Bishop, general manager with
Profile Investigation Inc., based in Toronto.
Once you certify, you have to re-certify every three years by getting
points for different activities (such as taking a four-month university
course, teaching a course, writing an article for publication or
attending a workshop or seminar, for example).
ASIS also offers two other certifications. A PSP, or Physical Security
Professional, conducts threat surveys and designs integrated
security systems. A PCI, or Professional Certified Investigator, has
expertise in the areas of case management, evidence collection and case
The PCI is slower to gain widespread acceptance, however. Where this is
going to grow in interest, Bishop says, is within organizations such as
hospitals and large government agencies that have homegrown
Of all the certifications, the CPP designation is showing up in more
job postings and some industry experts say it has definitely become a
requirement for high-level positions.
“I personally see more and more job postings where they’re asking for
CPP or CPP equivalent,” says Glen Kitteringham, director of security
and life safety with Brookfield Properties at the Petro-Canada Centre
in Calgary. Kitteringham is also the CPP rep for the Calgary chapter.
But right now in Western Canada, particularly in Calgary, employers are
reluctant to turn people down because they don’t have their CPP, though it
would still give them an edge in the job market.
But Kitteringham doesn’t turn up his nose at people who don’t have
their CPP. “I know people in the industry who I respect immensely, who
I consider to be leaders, and they don’t have their CPP,” he says. “But
I also know these people are leaders in many other ways — they have
their own body of knowledge and their own professional certifications.”
The CPP is an international certification, and some feel it isn’t
Canadian enough. The Canadian Society for Industrial Security (CSIS) is
one organization trying to drive the acceptance of Canadian
This includes the CSO (Certified Security Officer), CSS (Certified
Security Supervisor) and CSP (Certified Security Professional) and the
Accredited Security Professional (ASP). Certification is based upon
competency levels, such as education and skill sets, rather than
testing, and re-certification is required every five years.
“Certification will mean something to those who believe there is a
higher standard that needs to be achieved, but more importantly
maintained,” says Graham Ospreay, Immediate Past President of CSIS and
chairperson of the Canadian Security Certification Authority (CSCA).
CSIS is working to further develop the program and its acceptance. “A
lot of people do latch onto the CPP and I think it’s primarily because
most employers are unaware of any Canadian credential,” he says.
The Association of Certified Fraud Examiners (ACFE), founded by former
Special Agent Joseph T. Wells in 1988, administers the “CFE”
designation on behalf of its 40,000 members. Almost half of the ACFE’s
members are CFEs, and the rest are associates in the field of fraud
detection and investigation — many are working toward the CFE
designation. Besides experience and adherence to the ACFE’s ethical
guidelines, applicants must successfully pass an exam covering topics
from investigations and criminology, to financial statements and
interviewing techniques. CFEs are expected to not only know how a
fraudster commits the crime, but why. The designation is well-known and
respected, and requires 20 hours of continuing education per year, in
three-year periods, to maintain. The ACFE estimates CFEs earn about 18
per cent more than non-CFEs in similar positions.
Information technology is increasingly playing a role in the security
industry, and certifications are becoming more important here, such as
the Certified Information Systems Security Professional (CISSP) from
“The CISSP is something I went after mostly because I think it
complements the physical security designation that I have,” says Jason
Caissie, Security Advisor, Protection Services with RBC, who also sits
on the local executive committee for the Toronto chapter of ASIS and
this past fall ran the PSP review course. “There’s a very big push in
the industry for convergence between physical and IT security.”
The CISSP is a more prominent designation in the IT industry, and it’s already a requirement for many positions.
(ISC)2 offers three base certifications on the IT side, which are
globally recognized (in Canada, it has 3,100 certified professionals).
The most common is the CISSP, which is aimed at executives on the
management side. It requires five years of direct professional
experience, a commitment to the (ISC)2 code of ethics and endorsement
by a fellow certified (ISC)2 member — as well as passing a six-hour
“Threats are rapidly evolving and it’s so important that professionals
keep up with the latest technology,” says Sarah Bohne, director of
communications and member services with (ISC)2.
It also offers the Systems Security Certified Practitioner (SSCP),
which is designed for those on the front lines of security, such as
information systems auditors and application programmers. It
demonstrates to an employer — particularly in a smaller business
without a designated security department — that the candidate has the
ability to handle certain security functions, even if it’s not their
primary responsibility. The Certification and Accreditation
Professional (CAP) is geared more toward a government audience, and is
a way of certifying the people who are certifying the systems.
“Salary increases often can come with certification,” says Bohne. “It’s
more prevalent in the U.S., but we’ve heard of members who have gotten
promotions directly after becoming certified.”
(ISC)2 has introduced an online self-assessment tool, called studISCope, for information security professionals that acts as a simulation of the CISSP or SSCP exam, offering a personalized reporting system with learning progress indicators that provides insight into a candidate’s knowledge strengths and weaknesses. The tool also provides a readiness gauge that pinpoints the candidate’s comprehension level of the specific areas covered in the exam.
studISCope can also serve as a valuable management tool for employers, offering an objective, low-cost way to assess their staff’s information security knowledge, skills and abilities prior to sitting for the exam.
Another certification is the PCIP, or Professional in Critical
Infrastructure Protection, from the Critical Infrastructure Institute
(CII). This demonstrates an ability to protect assets (such as energy,
utilities, financial, communications and transportation) from terrorist
attacks, severe weather and other hazards. This also includes the
growing threat of cyber-terrorists over the Internet.
A new certification is the EC-Council Disaster Recovery Professional
(EDRP), offered by EC-Council, which is aimed at teaching IT
professionals about the methods of identifying vulnerabilities and
counter-measure approaches in the event of a disaster — anything from
weather to a malicious attack. The course is designed to help them
mitigate failure risks while providing a foundation for securing and
restoring a network.
The IT industry, in general, has been regulated for a longer period of
time than the security industry, and the formalities, professionalism
and certifications are already in place.
A more recently developed certification becoming more important to
security professionals is the International Association of Privacy
Professionals (IAPP), created in 2001 and established to “define,
promote, and improve the privacy profession globally.”
The IAPP currently has over 4,000 members, in 32 countries, and
membership can range from “Individual” to “Corporate.” The IAPP
provides a forum for privacy professionals to share best practices,
track trends, advance privacy management issues, and provide education
and guidance. To assist them in this goal, the IAPP developed the
Certified Information Privacy Professional (CIPP) designation, with
specializations, so far, in Government — CIPP/G, as an extension of
the CIPP, and Canadian legislation — CIPP/C, as a stand-alone
designation. Each designation requires 10 hours of “continuing privacy
education” each year to maintain the certification, which is
re-evaluated every three years.
The IAPP is the largest association of privacy experts in the world,
and members encompass the full breadth of the privacy community.