Content

Time to pop the certification bubble

Are professional standards really slipping? Ron Condon reports on a fierce debate

What does your professional certification say about you? Is it a measure of your professional skills, integrity and knowledge, or just a piece of paper to get you past the first hurdle in a job interview?

This question came under scrutiny at the recent SC Forum in the U.S., where the assembled delegates – most them holders of the CISSP certification – heard the industry's leading certification dismissed as being "a mile wide and an inch thick".

The speaker, Jonathan Gossels, head of consulting firm System Experts, said the infosec industry had been experiencing "an explosion of low-value certifications" that offer little indication of a person's ability to perform anything but the most mundane tasks.

"The bar is set too low for the body of knowledge," he said, "and the standards of content are deficient." He also went on to describe many of the governing bodies as "self-serving", forcing their members to pay to keep their certifications current, while allowing them to earn CPE (continuous professional education) points in trivial ways, such as by attending an exhibition or officiating at an exam.

Gossels conceded that CISSP and some vendor-specific certifications, such as those offered by Cisco, were among the best in the market, but poured contempt on most of the 78 credentials he had identified.

The boom has occurred, he said, because information security is moving "from a black art to a commodity skill". While the recruitment of infosec professionals was once done by technical people, he continued, the task is being increasingly handled now by HR or by purchasing departments, which lack understanding, and therefore "choose lightweight credentials as a shortcut" to picking candidates.

"The reason for having them is purely defensive," he said. "These credentials don't cover intelligence, judgment or work ethic. We need to stop this proliferation of meaningless qualifications. We don't need 78 credentials, we probably need just eight – and they need to be real."

Many of the delegates agreed. "We don't let HR do our recruiting," said the CSO of a major brokerage. "We can't rely on certifications based on multiple-choice questions. We set five essay questions for our applicants."

This not only helped him choose candidates with the right skills, he added, but it also reduced the number of applicants.

Another delegate, who held the CISM certification from Isaca, also questioned the accuracy of some of the exam papers.

If you have any comments, send them to [email protected]

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.