I am considering a dissertation topic. I want to validate the merits of industry certification. I want to compare and contrast the performance metrics of individuals who have attained certification to those individuals who have not certified. I would like an observation over a 3-5 year period.
I am early in the process, so I am just researching the feasibility of this study since information security personnel are high-valued personnel and I am doing risk management at this time. That is, I do not want to commit too much energy in this subject area and not able to retrieve the information that I need that will give me valid metrics.
Some of my colleagues who contribute here on this board might be able to assist as I pursue this journey, which will eventually benefit the information security profession overall.
So is your hypothesis that getting certified helps the person's job prospects? Is that what you seek to prove or disprove?
I can give you some anecdotes:
1) I got a CIO position once because I held the CISSP certification. I was the #2 choice for the position. However, even though the certification got me the job, it may not have been just the cert that did it. This was for a government position and in the job announcement they had put the requirement of the CISSP. The person they wanted over me did not have it. When asked if he would get it within 6 months of accepting the position he said no. Since they had posted it as a job requirement it would have involved lots of work and added more time to an already lengthy job hiring process to cancel the job posting and then repost it without the requirement for the cert. So having the cert got me the job, but if they had to do it over again they would have just left it out. However with the new DoD requirements for certs the candidate would have had to get it anyways.
2) in other jobs I have applied for, having certifications has helped. I remember some of my colleagues being excited about their job prospects once they obtained the CISSP.
In my experience having some certifications have helped. I make a good salary and have been able to work my way up into management. Attending a good Masters degree program has also helped my management thinking. Certs alone will not be the answer. Make sure to include in your research the education background, the locality of the individual (especially if you look at government workers who's salary can be inflated around big metro areas versus the same level of responsibility elsewhere). Look for what factors make the difference in certified versus non-certified individuals.
Just some of my thoughts.
It very much depends on what you chose to measure as a set of performance metrics. It appears to me that organisations look at a variety of factors; education, professional certs, personality, intelligence, work history, references and how you perform at interview. Having a CISSP or similar is often just part of a more holistic picture.
Steve Wilme CISSP-ISSAP, ISSMP