A solid identity and access management program is vital to combating enterprise data privacy and security concerns. But, for many identity practitioners, the rapid rate at which technology and IAM trends change can make it hard to keep up.
In fact, 26% of respondents to IDPro's 2020 survey of identity professionals reported they do not feel proficient in their jobs, and many said receiving mentorship or a certification in one or more areas of identity could serve them well in ensuring job success.
The security industry -- despite its size and numerous certification programs available -- does not have a vendor-neutral certification specifically for identity. And, while the number and quality of industry trainings are improving, many who want to be an identity specialist are left confused about how to embark on their career.
Despite the lack of a universal certification path, there are a few standout options that can assist identity professionals in their careers. Here, explore the benefits and limitations of certification programs, the must-have IAM skills for any identity pro and the best certification options to demonstrate IAM proficiency.
Benefits and limitations of the top IAM certifications
Certifications demonstrate a minimal level of competency, achieved through completing standardized examinations. Taking an exam -- or retaking the exam to renew certification or improve scores -- can quickly become expensive, so candidates should consider whether the upfront cost will be worth the investment.
There are many incentives for IAM professionals to pursue certifications. Individuals who complete certification programs may enjoy benefits such as better employment opportunities, job retention and professional credibility. Certifications may also help them achieve personal goals or meet corporate requirements. However, individuals should never assume obtaining an IAM certification will automatically yield better job prospects.
Networking opportunities may also present themselves as a result of certification. Many IAM certifications are completed through nonprofit organizations, such as (ISC)2. Because membership is often a prerequisite, candidates can take advantage of peer resources. Memberships come with additional costs, however, which may deter some individuals from the certification process. But cultivating interpersonal networks can help establish professional mentorships and distribute further expertise among certified members.
Fundamental IAM skills and standards to know
Is IAM certification worth the time, money and energy in an industry that is subject to such sustained technical and regulatory change?
"Yes, there is shifting," said Raghu Dev, director of identity and access management at financial services company Bank of New York Mellon. "But, if you pay attention to the fundamentals, you'll notice they remain the same."
The fundamentals, Dev said, come down to "a) managing the lifecycle of an identity and b) managing the lifecycle of their access." These core IAM skills can be sharpened and demonstrated in the process of becoming certified -- even if the curriculum is focused on larger infosec concepts and not limited to specific IAM principles.
Additionally, the ability to be flexible and to learn on the go is essential for a successful career in IAM, said Eve Maler, CTO at ForgeRock. "There is always work in this area that is in flux," she added.
Studying popular standards, such as Security Assertion Markup Language, OpenID Connect and Open Authorization (OAuth), is a practical way to better understand advanced IAM intricacies and prepare for future tech environments. "For example, the OAuth standard and the stack that is built on top of OAuth [have] powered the API economy -- and the IoT economy is built on top of the API economy," Maler said.
Ultimately, IAM professionals' decision whether to get certified -- and which of the top IAM certifications to pursue -- will depend on their career goals, their job's responsibilities and the specific vendors they use in their work.
The top IAM certifications
Certified Information Systems Security Professional (CISSP)
Offered by (ISC)2, CISSP is considered the gold standard certification for individuals who wish to prove their competency on a wide array of infosec principles and best practices.
IAM professionals would be well suited to hold a CISSP certification. Candidates must prove their comprehension of IAM skills, as well as how to successfully design, implement and manage a cybersecurity program. The CISSP Common Body of Knowledge covers 10 core subject domains, one of which -- Domain 5 -- exclusively covers IAM. This vendor-neutral certification requires at least five years of relevant work experience and is awarded after achieving a passing score of 700/1,000 on the exam, which costs $699.
CompTIA Security+
CompTIA's Security+ certification demonstrates a person's competency with core knowledge required of any infosec role, including IAM. Security practitioners commonly pursue this certification prior to CISSP. The CompTIA Security+ credential counts as one year toward the five years' experience prerequisite of CISSP.
Advertised by CompTIA as a "springboard into intermediate-level cybersecurity jobs," the CompTIA Security+ program covers the latest trends and techniques in risk management, risk mitigation, threat management and intrusion detection. Candidates will gain hands-on troubleshooting experience and security problem-solving skills. IAM is one of the six core domains covered in the curriculum, constituting 16% of the exam. The exam costs $370 and must be renewed every three years.
Certified Information Systems Auditor (CISA)
ISACA's CISA certification demonstrates an individual's comprehension of infosec and IT auditing expertise, but it is not limited to auditing practitioners. The exam includes five job practice domains, including Governance and Management of IT and Protection of Information Assets.
Candidates for the CISA certification study how to perform an audit, in addition to ethics, standards and complex vocabulary. Understanding how to audit and secure information systems -- skills necessary to pass the CISA exam -- can also supplement other infosec careers, such as an identity professional, infosec risk analyst or risk advisory manager. The exam costs $575 for ISACA members or $760 for nonmembers and must be renewed every three years.
Certified Information Privacy Technologist (CIPT)
The International Association of Privacy Professionals' CIPT exam certifies an individual's knowledge of privacy-related issues and practices in the context of IT security. The course's Technical Measures and Privacy Enhancing Technologies Body of Knowledge covers identity and access management and authentication. CIPT certification can enable individuals in private and public sectors to demonstrate the practical knowledge required to apply privacy and data protection measures in the development, deployment or auditing of products and services.
With new data protection and privacy regulations cropping up worldwide, the job market for infosec professionals with certified privacy knowledge is strong. To better reflect the changing industry skills landscape, CIPT recently added two new domains to the curriculum: Privacy Engineering and Privacy by Design Methodology. The exam costs $550 and must be renewed every two years.
Identity Management Institute (IMI) certifications
IMI has established an independent accreditation process by setting standards of excellence for identity management professionals through various certification programs. To obtain an IMI certification, candidates must be an active member of the organization and pass the corresponding exam, which can cost between $290 and $395 each. IMI certifications include the following:
- Certified Access Management Specialist (CAMS). CAMS-certified professionals gain IAM skills necessary to ensure compliance and risk management requirements regarding system and data access are met.
- Certified Identity and Access Manager (CIAM). CIAM-certified professionals are IAM experts who work for a variety of organizations and demonstrate their ability to design, implement, improve and manage IAM programs, processes and tools.
- Certified Identity Governance Expert (CIGE). CIGE-certified individuals demonstrate their ability to guide and support their organization's management in addressing identity data issues, including privacy, security, regulatory and contractual compliance, customer expectations and authentication.
- Certified Identity Management Professional (CIMP). CIMP-certified professionals prove their ability to develop and implement identity management services that can streamline IAM processes, improve workflow, and coordinate activity tracking and reporting at scale.
- Certified Identity Protection Advisor (CIPA). Geared toward professionals who select, develop, configure and deploy IAM technologies, the CIPA certification covers Critical Risk Domains, including product selection and implementation, IoT and API security, and compliance assurance.
- Certified Identity and Security Technologist (CIST). The CIST professional is one who defines, develops and deploys IAM products to not only streamline IAM processes and reporting, but also counter threats.
- Certified Red Flag Specialist (CRFS). The CRFS program is a registered workplace identity theft prevention training program based on the U.S. government's Red Flags Rule. A CRFS-certified individual can identify risks to consumer information to better protect against identity fraud and theft security incidents.