
Thread: CISSP among highest paying certifications

  1. #1
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323

    CISSP among highest paying certifications

    Ok. Someone owes me a raise, dammit! If I'm supposed to be part of this high paid group, where's my take??!?!? Someone is asleep at the chequebook here!!! Hrmph.

    Kidding aside, it does prove a point I had to make to someone who claimed "Security is just a fad". I somehow doubt that it is and, in fact, it's going to grow. As companies become more and more aware of what they need to protect and that singular end-point/perimeter security isn't sufficient. It's not just the gadgets that ensure security but EVERYTHING!

    Source: Search Security @ Tech Target

    Credentialed security specialists continue to enjoy higher wages than some of their IT brethren, according to the latest "Hot Technical Skills and Certifications Pay Index" released this week by IT research consultancy Foote Partners LLC, of New Canaan, Conn. The bonuses reflect a trend among employers to reward workers with specialized skills and to keep them from jumping ship.

    The overall median wage for 62 certified skills grew 4% overall in 2004, compared to a 5.6% decline the year prior. In fact, much of the wage advancements were made the final quarter of 2004. Specific bonus figures that account for the promising percentage were not immediately available, but the data indicates companies again are willing to compensate workers moving beyond basic skill sets.

    "There has been a renaissance in IT roles and a redefinition of IT jobs so pervasive that traditional job titles are becoming increasingly meaningless," David Foote, president and chief research officer, said in a statement. In general, pay for networking (11.6%), systems administration (9.2%) and programming and applications development (7.7%) skills grew the most in value, while beginning certifications (-21.1%), project management (-18.8%) and Web skills (-8.5%) dropped most dramatically.

    Security skills rose 1.1% between 2003 and 2004. However, while overall security skills pay remained steady, certain security certifications continued to yield the highest payoffs among IT skills sets, according to 46,000 U.S. and European IT workers included in the study.

    The highest paying security certs include:

      * Certified Information Systems Auditor (CISA);
      * Certified Information Systems Security Professional (CISSP);
      * Cisco Certified Security Professional (CCSP);
      * SANS/GIAC Security Expert (GSE)
      * GIAC Certified Forensic Analyst (GCFA)
      * GIAC Certified Windows Security Administrator (GCWN)


    Security certified skills losing value in the last six months include the GIAC Incident Handler, which stagnated, and GIAC Security Essentials Certification, where skills pay dropped 20% from Q2 to Q4 2004. Certs that have lost significant value in the last two years include the GIAC Firewall Analyst, according to the report.

    So what's behind the reversal of fortune for IT professionals? Essentially a revived talent war, where companies will do more to hire or retain A-list employees. "More attention is being paid to the risks of losing workers who stuck it out through years of workforce reductions, and for good reason," Foote said. These workers, who often took on additional responsibilities during lean times, also have acquired business skills that make them more marketable. These "hybrid jobs" could eventually become the norm, where everyone is required to understand operational and process skills to work in IT.

    Also fueling the bigger bonuses are technology-driven regulations, such as HIPAA and the Sarbanes-Oxley Act. This is especially good news for consultants with data and network security skills. The mixed success of offshore outsourcing also is an influence. Though the trend to send IT work outside the U.S. is expected to continue at a slower pace, nearly "60% of offshoring initiatives have been failing to measure up to expectations, especially in cost savings," he said.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #2
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    :BigEvilGrin: That's what I'm talkin' about!

    Actually, I am not surprised to see the CISA above your mantle, MsM. (Mine is in the works...I am testing this summer, I believe.) CISA is big because of SOx and other regulations (in the US anyway), and CISAs seem to be a hybrid of Lawyer, IRS Agent, CPA, and Tech Weenie. I'd hate to meet the parents of that creature!

    Anyway, yes, that certification is certainly attributed to many of the better paid professionals I know. I am curious how the forthcoming Information Systems Security Engineering Professionals (ISSEP) will play into this list...somehow, I doubt it would even get listed. Consider: it's a US Gov't specific cert from them, and has to do with NSA IAM, so it's a much more limited category.

    Also, I am very surprised they even list the GSE from SANS/GIAC. I recall getting an email in the last year or so saying "Please congratulate our first 2 GSE graduates". GSE is harder than most Doctoral programs. It's basically the golden crowning, after receiving 5 GIAC certs, some with honors. Not a realistically attainable goal for most people but academia, I'd think.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    I'm interested in CISA (amongst others) and am presently looking at the following for various giggle reasons: CEH (stop snickerin'!), Security+ (so that students can get a clue what to expect) and CCNA (never a bad thing to learn more). CISA might be an end of year/2006 cert to pursue.

    Sigh.

    So much learnin' and so little time..

  4. #4
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Security+ is a great step. Redundant for you, so you can probably breeze through it with the obligatory crash week beforehand (It's CompTIA, damnit. They asked me A+ questions when I took my Linux+ years ago.)

    I teach Sec+...we push it as a bare minimum requirement for NOC/SOC level personnel. Not many companies have bought in to that idea yet, I'm sure you can imagine. But we can always dream...

    I'm actually interested in CEH myself. I want a biz card like that Netscape programmer had years ago (kidding). If I find the image, I'll upload it.
    John Smith
    Hacker

    Netscape Incorporated
    :P

    [off topic]
    Ok, this is officially #400. Where's my prize?

  5. #5
    Senior Member
    Join Date
    Jun 2003
    Posts
    134
    Security is sort of a fad right now. Like most things organizations freak out about everything up front, and then cut members out of their IT staff later. There will always be a need for security people, and of course new regulations will make sure that security is fresh on their minds. I think the field will grow throughout the next few years and then top off.

    My issue is that many “security” professionals really don’t have much of a clue. They know how to do a port scan and run a vulnerability scanner and that is about it. They read a book on security and feel they have enough security knowledge to ward off experienced attackers. Something I find humorous is how many security people I talk to that don’t know much about networking. Come on!

    People that are really serious about getting into the security field should start with the basics and remember the three areas of IT: experience, education, and certification. Competition is still pretty tight for jobs so it is best to have as much experience in those three areas as possible. Experience is the most important thing and certification will never totally outweigh education. Learn everything you can from anyone who will show you. Oh, and by the way you should go to at least one Def Con, even if it is just for the experience.
    Sysmin Sys73m47ic
    -The Hacker Pimps
    -Development Team {FuxorWRT}

  6. #6
    CISSP + lots of experience = more cash
    CISSP + no experience = no more cash
    i think the same could be said about the CISA.

    one could also argue. even if some of these guys *didn't* have the CISSP, they would probably be in the $100,000 + per year salary bracket just on account of their experience and contacts in the industry they work in.

    it was debated on another closed forum. it matters if you have a CISSP and it matters even more how long you have maintained your CISSP status for.

    IMO - for a lot of the ppl on this forum - the SANS GIAC group of certs are more relevant because they are geared towards hands-on staff. even though they are not as well known in the HR & hiring community.

    http://www.giac.org/certifications/roadmap.php

    on a side note. I must have acquired at least 20 IT certs by now and NONE of them have done squat to get me a raise.

  7. #7
    Originally posted here by sysmin770
    Security is sort of a fad right now. Like most things organizations freak out about everything up front, and then cut members out of their IT staff later. There will always be a need for security people, and of course new regulations will make sure that security is fresh on their minds. I think the field will grow throughout the next few years and then top off.

    My issue is that many “security” professionals really don’t have much of a clue. They know how to do a port scan and run a vulnerability scanner and that is about it. They read a book on security and feel they have enough security knowledge to ward off experienced attackers. Something I find humorous is how many security people I talk to that don’t know much about networking. Come on!

    People that are really serious about getting into the security field should start with the basics and remember the three areas of IT: experience, education, and certification. Competition is still pretty tight for jobs so it is best to have as much experience in those three areas as possible. Experience is the most important thing and certification will never totally outweigh education. Learn everything you can from anyone who will show you. Oh, and by the way you should go to at least one Def Con, even if it is just for the experience.
    I will agree on para #1. Security is a big fad right now and may have plateaued. I am not sure how long the positions will exist. I mean, in 5 years from now, will security stop being a specialized position in the company and security duties will be just amalgamated under the duties of Sys Admin? Very possible.

    I disagree on para #2. Pretty much all security guys I have ever met *kick ass* in all matters IT and know their stuff inside out.

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    CISSP + lots of experience = more cash
    CISSP + no experience = no more cash
    i think the same could be said about the CISA.
    Exactly.

    Mitts, all the letters after my name did actually come in handy when they assigned my Govt service grade.

    Bling Bling $$$

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    Originally posted here by Jebo Majku
    IMO - for a lot of the ppl on this forum - the SANS GIAC group of certs are more relevant because they are geared towards hands-on staff. even though they are not as well known in the HR & hiring community.
    I'm beginning to think that a qualified, experienced person (with certs, mind you) having trouble getting hired is largely due to the HR community. Most couldn't write a correct and appropriate job recruitment notice to save their lives. They won't respond to your application unless you are called for an interview. They put requirements for certs like CISSP and CISA on entry level positions or basic packet sniffer duty jobs. Of course, management of the companies behind those HR people are providing the direction and requirements. Heck, I recently laughed at one recruitment announcement that required 5 years experience in SOX 404.

    Kinda reminds me of one position announcement that required 5 years of experience in Windows 95--this was published two months after the release of Win95.

  10. #10
    Banned
    Join Date
    May 2003
    Posts
    1,004
    I'd suspect the CISM as a higher paying, yet unmentioned cert... the new security management certs from (ISC)2 are not taken as seriously yet.
