Time to pop the certification bubble
Are professional standards really slipping? Ron Condon reports on a fierce debate
What does your professional certification say about you? Is it a measure of your professional skills, integrity and knowledge, or just a piece of paper to get you past the first hurdle in a job interview?
This question came under scrutiny at the recent SC Forum in the U.S., where the assembled delegates – most them holders of the CISSP certification – heard the industry's leading certification dismissed as being "a mile wide and an inch thick".
The speaker, Jonathan Gossels, head of consulting firm System Experts, said the infosec industry had been experiencing "an explosion of low-value certifications" that offer little indication of a person's ability to perform anything but the most mundane tasks.
"The bar is set too low for the body of knowledge," he said, "and the standards of content are deficient." He also went on to describe many of the governing bodies as "self-serving", forcing their members to pay to keep their certifications current, while allowing them to earn CPE (continuous professional education) points in trivial ways, such as by attending an exhibition or officiating at an exam.
Gossels conceded that CISSP and some vendor-specific certifications, such as those offered by Cisco, were among the best in the market, but poured contempt on most of the 78 credentials he had identified.
The boom has occurred, he said, because information security is moving "from a black art to a commodity skill". While the recruitment of infosec professionals was once done by technical people, he continued, the task is being increasingly handled now by HR or by purchasing departments, which lack understanding, and therefore "choose lightweight credentials as a shortcut" to picking candidates.
"The reason for having them is purely defensive," he said. "These credentials don't cover intelligence, judgment or work ethic. We need to stop this proliferation of meaningless qualifications. We don't need 78 credentials, we probably need just eight – and they need to be real."
Many of the delegates agreed. "We don't let HR do our recruiting," said the CSO of a major brokerage. "We can't rely on certifications based on multiple-choice questions. We set five essay questions for our applicants."
This not only helped him choose candidates with the right skills, he added, but it also reduced the number of applicants.
Another delegate, who held the CISM certification from Isaca, also questioned the accuracy of some of the exam papers.
If you have any comments, send them to email@example.com