Infosec certifications debunked

The information security profession is suffering from a proliferation of certifications, an infosec consultant told attendees at this week’s SC Magazine Forum in Napa, Calif.

"Our industry has an explosion of low-value certifications," said Jonathan Gossels, president of Sudbury, Mass.-based consulting firm System Experts, citing 78 unique infosec credentials. "The bar is set way too low for the body of knowledge."

Certifications are proliferating because infosec professionals are seeking to differentiate themselves as infosec transitions from a "black art to a commodity skill," he said. Also, many people hiring infosec professionals do not have security knowledge and are zeroing in on certifications.

He described the CISSP (Certified Information Systems Security Professional) as a reasonable credential and Cisco Systems' certifications, particularly the advanced ones, as meaningful, along with NSA certifications. Many others are "lightweight," entry-level credentials, where individuals can earn credit for something as simple as proctoring an exam, Gossels said. Also, there are huge hidden costs to maintaining credentials.

"In general, when I look at the alphabet soup of certifications, if it's not broadly recognized, I wouldn't recommend it," he advised the audience of infosec executives.

"Remember, credentials are only one indicator of aptitude," Gossels said. "They don't tell me about someone's judgment, work ethic or intelligence."

Academic degrees, writing a book, and research are more meaningful indicators of a person's aptitude, he said.
