Time to pop the certification bubble

Are professional standards really slipping? Ron Condon reports on a fierce debate

What does your professional certification say about you? Is it a measure of your professional skills, integrity and knowledge, or just a piece of paper to get you past the first hurdle in a job interview?

This question came under scrutiny at the recent SC Forum in the U.S., where the assembled delegates – most of them holders of the CISSP certification – heard the industry's leading certification dismissed as being "a mile wide and an inch thick".

The speaker, Jonathan Gossels, head of consulting firm System Experts, said the infosec industry had been experiencing "an explosion of low-value certifications" that offer little indication of a person's ability to perform anything but the most mundane tasks.

"The bar is set too low for the body of knowledge," he said, "and the standards of content are deficient." He also went on to describe many of the governing bodies as "self-serving", forcing their members to pay to keep their certifications current, while allowing them to earn CPE (continuous professional education) points in trivial ways, such as by attending an exhibition or officiating at an exam.

Gossels conceded that CISSP and some vendor-specific certifications, such as those offered by Cisco, were among the best in the market, but poured contempt on most of the 78 credentials he had identified.

The boom has occurred, he said, because information security is moving "from a black art to a commodity skill". While the recruitment of infosec professionals was once done by technical people, he continued, the task is being increasingly handled now by HR or by purchasing departments, which lack understanding, and therefore "choose lightweight credentials as a shortcut" to picking candidates.

"The reason for having them is purely defensive," he said. "These credentials don't cover intelligence, judgment or work ethic. We need to stop this proliferation of meaningless qualifications. We don't need 78 credentials, we probably need just eight – and they need to be real."

Many of the delegates agreed. "We don't let HR do our recruiting," said the CSO of a major brokerage. "We can't rely on certifications based on multiple-choice questions. We set five essay questions for our applicants."

This not only helped him choose candidates with the right skills, he added, but it also reduced the number of applicants.

Another delegate, who held the CISM certification from Isaca, also questioned the accuracy of some of the exam papers.

If you have any comments, send them to scfeedback@haynet.com

Copyright © 2014 Haymarket Media, Inc. All Rights Reserved