Time to pop the certification bubble

Are professional standards really slipping? Ron Condon reports on a fierce debate

What does your professional certification say about you? Is it a measure of your professional skills, integrity and knowledge, or just a piece of paper to get you past the first hurdle in a job interview?

This question came under scrutiny at the recent SC Forum in the U.S., where the assembled delegates – most of them holders of the CISSP certification – heard the industry's leading certification dismissed as being "a mile wide and an inch thick".

The speaker, Jonathan Gossels, head of consulting firm System Experts, said the infosec industry had been experiencing "an explosion of low-value certifications" that offer little indication of a person's ability to perform anything but the most mundane tasks.

"The bar is set too low for the body of knowledge," he said, "and the standards of content are deficient." He also went on to describe many of the governing bodies as "self-serving", forcing their members to pay to keep their certifications current, while allowing them to earn CPE (continuous professional education) points in trivial ways, such as by attending an exhibition or officiating at an exam.

Gossels conceded that CISSP and some vendor-specific certifications, such as those offered by Cisco, were among the best in the market, but poured contempt on most of the 78 credentials he had identified.

The boom has occurred, he said, because information security is moving "from a black art to a commodity skill". While the recruitment of infosec professionals was once done by technical people, he continued, the task is being increasingly handled now by HR or by purchasing departments, which lack understanding, and therefore "choose lightweight credentials as a shortcut" to picking candidates.

"The reason for having them is purely defensive," he said. "These credentials don't cover intelligence, judgment or work ethic. We need to stop this proliferation of meaningless qualifications. We don't need 78 credentials, we probably need just eight – and they need to be real."

Many of the delegates agreed. "We don't let HR do our recruiting," said the CSO of a major brokerage. "We can't rely on certifications based on multiple-choice questions. We set five essay questions for our applicants."

This not only helped him choose candidates with the right skills, he added, but it also reduced the number of applicants.

Another delegate, who held the CISM certification from Isaca, also questioned the accuracy of some of the exam papers.

If you have any comments, send them to scfeedback@haynet.com


Copyright © 2013 Haymarket Media, Inc. All Rights Reserved