
What qualifications do information security employers look for?

By Mark Ampleford of Barclay Simpson Corporate Governance Recruitment

Over the last five years the information security employment market has experienced rapid growth in the options available to security practitioners to improve their employability. The range of options is potentially confusing for those who want to enhance their career prospects by securing a recognised qualification.

So what are the options? Some are security specific and some are wider qualifications that may assist security professionals.

  • CISSP – the standard badge. Well recognised, popular and international.
  • CompTIA – internationally successful but little recognition in the UK
  • CISM – for the information security manager
  • Information Security MSc – improve whilst also becoming qualified, but very time consuming
  • MBA – to become more business focused
  • PRINCE 2 – to improve your project management skills
  • ITIL – to improve your service management knowledge
  • CCSA / CCSE / MCSE – prove your knowledge of a particular technical platform or product
  • CISA – to allow you to cross over into audit work
  • CEH – prove your hacking abilities
  • ISEB – Certificate in Information Security Principles – show you know the basics
  • ISO 27001 Lead Auditor – unsurprisingly proves you can audit against ISO 27001
  • QSA – shows you can assess against PCI
  • CLAS – government security
  • CHECK – approved penetration tester


The list is extensive (for more in-depth descriptions see the article on Barclay Simpson’s website). What employers look for largely depends on the job that the person is going to perform. Technical security roles focusing on one issue, say firewalls, will as a rule have little interest in a rounded information security qualification like CISSP. Wider-ranging security roles looking after policies, compliance, risk assessment and awareness will have little need for a CCSE. As a rule a qualification will not provide an immediate increase in market worth. It is more subtle than that. The number of MBAs explaining to employers that they are now worth twice as much as they were before the MBA is pretty closely related to the number of MBA graduates who are out of work.

CISSP is now the most recognised information security qualification. It is a testing exam covering a number of different subject areas. As a recruitment consultant, this is the qualification that is most often requested for information security consultancy or information security officer roles. Due to its recognition it is often placed in job specs. In short, it provides a kite mark that gives those who do not necessarily come from the industry assurance that the person they are dealing with knows what they are doing.

CISM is more focused on information security management credentials and is making inroads into the qualifications market, but once a practitioner reaches this level the need to be qualified has often passed. The qualification has become more aspirational. In reality, as far as job requirements are concerned, CISSP and CISM are considered the same. If a job specification mentions CISM it is done as follows: "CISSP/CISM preferred".

An MSc in information security is definitely a useful way into the industry. I would also recommend it to a non-graduate in the industry who is suffering discrimination from employers for not having a degree. It is however a massive time commitment for someone already established in the industry. It is a course of action that is better suited to someone who will learn and develop from the course rather than someone looking to prove the knowledge they have with a certificate.

As for the rest... it is very much horses for courses. Before embarking on a time-consuming and potentially expensive qualification, think carefully about what you want to get out of it. If you are going to constantly deal with outsourcers and need to develop skills in service management, an ITIL certificate may well help. If you are heavily involved in projects, or want to be, then a PRINCE 2 qualification will have its place. One can definitely be over-qualified in any profession, information security included. By this I do not mean that you have too much experience to perform a role, but that the mass of qualifications one holds implies that one has had little time to devote to carrying out the role that you are being paid to perform.

Mark Ampleford leads the four-strong information security recruitment practice at Barclay Simpson ( www.barclaysimpson.com ). He has been in recruitment since graduating from Liverpool University in 1999 and joined Barclay Simpson in 2001 to establish the practice.

© 2008 Reed Exhibitions

Infosecurity Adviser is produced by Reed Exhibitions with thanks to Tangent Labs