tryan
Newcomer I

Very interesting certification heat map (nationwide and state specific)

While trying to determine my next certification pursuit, I found a useful (in my opinion) data site. It shows a breakout of a collection of popular certs (Security+, CIPP, GIAC, CISSP, CISA, CISM), the number of certification holders for each, and the number of job openings requesting that particular certification: 

http://cyberseek.org/heatmap.html

For instance, at the national level it shows 76,413 CISSP certificate holders and 72,700 job openings requesting that certification. To me, that would indicate that the certification rate is keeping pace with the industry demand.

For CISM however, it shows 12,428 certificate holders and 23,932 job openings requesting that certification. In my mind, that would seem to indicate that if one is pursuing certifications to remain marketable and employable (such as myself), the CISM would be a wise investment as demand seems to outpace supply.

What do you think? Filtering the results to just my state showed a similar pattern.

P.S. For my fellow grizzled and cynical IT veterans, I would like to mention the fact that I have no affiliation, vested interest, or benefit from the site mentioned above. Prior to 9:00 a.m. EST on 2/26/18, I had never heard of the above site.

(Edited: Title changed during editing and I didn't catch it until now).

27 Replies
MarcinJkt
Newcomer I

I feel the only thing indicated by this heatmap is a tremendous skillset gap that we are facing in the market, where it comes to managerial-level security and risk capabilities. Cool visualization, anyway - would love to see something similar for Europe.

Lamont29
Community Champion

I was certified CISM and CISA prior to the CISSP. I found the testing experience for the CISSP anticlimactic because of my prior preparation and knowledge. The CISM & CISSP will largely cover the same knowledge areas. The CISM seems to be a condensed version of the CISSP in my opinion.

Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE
marcosrrc
Viewer

Very interesting information.  I do not see any certification about Cyber Security Risk Management though.

EdmundDantes
Newcomer I

While the numbers you cite do indicate a greater shortage of CISMs than CISSPs, I interpret them as showing both certifications are in exceptionally high demand.  Think about it.  If there are 76K CISSPs, and 77K CISSP job openings, the majority of CISSPs probably already have jobs and aren't looking to fill those openings.  There are probably a dozen openings for each available candidate.  Them CISMs have it even better.  

jbetancourth
Viewer II

I understood the stats exactly as you did, with the job openings referring to additional positions to be filled.

And makes sense that the CISSP is the most requested certification.

mgoblue93
Contributor I

@MDCole9761

> I'm currently seeking work with my
> CISSP out of state

Just curious...some of my colleagues and I have been curious about this for a while...

In your experience, the jobs you're applying to, what's the breakdown for CISSPs required for private v. public sector?  Are you looking for commercial work or are you looking for gov't work?

In my travels, and I'm arguably in the 2nd hottest IT market in the country, we only see having a CISSP being needed in about 3% of the private sector openings.

The public and private sector buttons on that heat map back our personal observations up.

In the public sector though, darn near everyone wants a CISSP candidate.

Thoughts?

tryan
Newcomer I

I think that's a valid observation. The Department of Defense does require a certification for sensitive positions, and the CISSP is one of the qualifying certifications (link to PDF here). In my CISSP certification class, at least 50% were DoD employees or contractors that had to pass the test by a certain date or they would lose their position.

As a result, it's not difficult to imagine that would fuel a lot of interest in the CISSP and equivalent SANS certifications (i.e. GSLC/GCED).

I have seen a few job postings with a preference for a CISSP, or a requirement for a CISSP or similar certifications, but outside of federal contracting gigs nothing that required a CISSP.

Baechle
Advocate I

Here's my take on the public/private certification requirement:

Soft skills are favored for IT leaders who interact in the C-Suite over technical skills.  In either public or private spaces, there are likely few technically certified professionals in the C-Suite and they're more likely to have degrees in business management than computer science.  These leaders then turn around and hire more technical subordinates or issue contracts.  This is where you begin to find more certifications.  In larger organizations these decisions are guided by both Human Resources and Management Accountants.

 

Management Accountants evaluate the Cost of Quality ("CoQ") that involves assessing four areas, (a) Preventative Costs; (b) Appraisal Costs; (c) Internal Failure Costs; and (d) External Failure Costs.  When we're talking about certifications we're talking about mostly (a) Preventative Costs and possibly (b) Appraisal Costs.  In either the case of public or private sector organizations, the name of the game here is controlling costs.  The fact of the matter is that certified professionals cost more than non-certified professionals.

 

Let's look at providing an opportunity for an existing employee to become certified, and support that in a continued way.  A Preventative Cost includes the increased salary and benefits to retain a now-certified employee.  Another Preventative Cost now also includes initial or CPE-required training costs (tuition, travel, and non-productive salary; or increases in salary to offset training costs along with increased leave to attend training).  An Appraisal Cost is the cost of the examination (one or multiple attempts).  Finally this is offset by the savings from reduced Internal and External Failures.

 

 

In the Private space this is notoriously hard to get people to quantify.  As long as people can get to their email, business files, and the Internet then there is nothing perceptively to improve.  It's not until there is a catastrophe that the Private sector actually valuates the cost of either Internal (inability to transact business) or External Failures (loss of business from poor reputation, or damages from the result of litigation).  Effectively this is $0 because the perception is there is nothing wrong.  So, from the Management Accountant's perspective, you are adding overhead cost for no benefit.  You'll typically find someone looking for certifications in the private sector space when you have senior leaders that have been severely burned by IT failures before.

 

In the Public space, especially the Department of Defense, the Internal and External Failure Costs are very much quantified - sometimes quantified by loss of life and in most other cases leading to the policy that mandates baseline certification, through lost incumbent votes.  Comparatively, the costs of Prevention (through initial and continuous training, and the increased costs of salary and benefits to retain that investment) and Assessment (Paying for government personnel to attend certification exams) is offset by the Internal and External Failure savings values that are very well quantified (because the law requires the government to account for expected and actual losses).

mgoblue93
Contributor I

Just referencing my previous posts, when I bring up the difference between public and private, it's from the notion of how the CISSP is viewed?  What does having the CISSP in a job req really truly mean for an organization?

 

It's NOT to suggest that only the public sector believes in having qualified people on staff.  Quite the contrary as both sectors consider cyber a priority equally.  Let's not get hung up on jargon either.  You can have a private sector employee without a cert who is just as qualified as a public sector employee who got their cert solely as a condition of employment.

 

My personal opinion, the private sector doesn't care about CISSP certifications because that piece of paper hasn't shown a direct benefit (meaning $$$ -- business are in the business of making money first and foremost) to the bottom line.

 

> In the Private space this is notoriously hard to get people to quantify.

> In the Public space, especially the Department of Defense, the Internal
> and External Failure Costs are very much quantified

Where does that information come from?

 

I think Sony, Target, Equifax would like to have a word with you about the impact, publicly, about their breaches.

 

Baechle
Advocate I

@mgoblue93,

I apologize if I didn't communicate this well.  I was attempting to establish why you don't see such a high number of job postings requiring or requesting certain IT certifications when compared to government.  I will address each of your points below.

 

> Just referencing my previous posts, when I bring up the difference between public and private, it's from the notion of how the CISSP is viewed?  What does having the CISSP in a job req really truly mean for an organization?

The CISSP and any other certification, degree, or diploma is an Appraisal Cost for an organization of its service capability.  It serves as a method of examining the service provider (employee or contractor) and determining if they possess a baseline set of knowledge or aptitude.  It then permits an organization to decide, as a result of that baseline, if additional Preventative Costs are required by training existing service providers, or replacing them with more capable service providers.

 


> It's NOT to suggest that only the public sector believes in having qualified people on staff.  Quite the contrary as both sectors consider cyber a priority equally.  Let's not get hung up on jargon either.  You can have a private sector employee without a cert who is just as qualified as a public sector employee who got their cert solely as a condition of employment.

I apologize if I stated somewhere that a certification causes someone to be qualified.  What I was trying to convey was that a certification program is a way for an organization to appraise if their service providers meet basic training and knowledge requirements.

 

> My personal opinion, the private sector doesn't care about CISSP certifications because that piece of paper hasn't shown a direct benefit (meaning $$$ -- business are in the business of making money first and foremost) to the bottom line.

I agree with you.  When an organization wants to make a change, hopefully they do it using real information.  Typically this is done with the assistance of a Management Accountant who conducts a Cost of Quality ("CoQ") assessment.  The question to be answered here is, "Does requiring our service providers to be certified increase retained earnings?"  The problem in many organizations is that the estimated savings from a reduction in Internal and External Failures is hard (or takes too much time and effort) to assess - or the estimate is that the impact to the brand will be minimal or temporary enough to outweigh the cost of adding additional controls.

 


> In the Private space this is notoriously hard to get people to quantify.

> In the Public space, especially the Department of Defense, the Internal
> and External Failure Costs are very much quantified

> Where does that information come from?


 

I am talking about estimating the savings in preventing Internal or External Failures before they happen, rather than quantifying the loss after it happens. 

 

The difference between the public and private arenas is that the public space has an entire (Intelligence) community that assesses and reports on their threats, and has had a regulatory or administrative requirement to appraise their capabilities to defend against them for ages.  The private sector is only just catching up with the requirement in certain specific sectors, such as through the introduction of regulations that impact baseline computer security such as HIPAA.  In the case of an organization subject to HIPAA, for example, it is entirely reasonable to assume obtaining the services of a certified specialist in healthcare IT security has a return on investment in reducing Internal/External Failure Cost, such as through avoiding litigation and civil penalties.

 

The concepts that I'm referring to here are part of the Common Body of Knowledge for the Institute of Management Accountants ("IMA"), blended with the Risk Management portion of the CBK for the CISSP under (ISC)^2.

 


> I think Sony, Target, Equifax would like to have a word with you about the impact, publicly, about their breaches.

You are kind of making my point.  There is an interest in increasing security after the costs are established from a realized security incident.  What was the certification and training requirement for their IT and Security staff, and what was their estimated savings from Internal/External Failure Costs from implementation of certification programs before they calculated the losses from their breaches?