Related Stories

Top 5 Stories


Information Security Certifications: Badges of Dishonor

07 January 2013
Gregor Campbell

Gregor Campbell questions whether those who earn their CISSP are truly capable information security professionals, just by virtue of having passed an examination

For years there’s been talk of ‘professionalizing the profession’ – adding the kudos and polish that separates the righteous from the also-rans. The desire to do so is very strong, and has created an additional industry dedicated to the development of dodgy badges and certification. Everyone likes a badge – especially if it’s a badge of honor.

There are badges in information assurance and security that are deemed honorable. Many of us brandish the CISSP badge. In some organizations it is a requirement for certain roles, and I’m certainly aware of recruitment agencies that insist on it. I am not CISSP-qualified – perhaps I should be. My reasons for not being so are many, but they all center around the simple fact that many people I know who wear this particular badge are not capable and competent information security practitioners.

The number of active CISSP holders is soon likely to pass 100,000. In my direct experience, I think this number is a telling one; I believe the bar is lowering. I’ve always regarded any qualification you can scrape through via a week-long ‘boot-camp’ course to be suspect. Boot camps fill short-term memory. That which is learned in this manner normally fades just as quickly. Even with refresher courses, I think these and similar qualifications lend themselves to one simple capability: a decent memory linked to factual regurgitation.

I’m very aware that many (indeed most) holders of these badges are upright, solid and reliable professionals. The badge is not, in my opinion, proof of that. It’s what these people do and the changes they manage that are important. Give me experience and proven competence over a fading badge anytime.

How then do you test if someone is competent and capable without spending some length of time working with them? The answer is not simple. Testing competence cannot be done via a multiple-choice tickbox. It can only come by the thorough examination of evidence, and asking the person claiming competence some direct and tricky questions. The problem is the person asking the questions, and judging the responses, has to be an expert – someone who is themselves time-served and competent.

I’ve always been a keen student on initiatives to ‘professionalize the profession’, mostly because they are a source of deep amusement to me. Many web searches reveal that information security ‘competence’ is still seen as understanding facts about technical subjects, and not how to deal with security incidents when they occur, nor how to manage a team of near-savant technical specialists.

There are many areas that seek to measure and certify competence. Leadership is one area of management that is often singled out as worthy of measurement, as is strategic thinking. However, the UK government is now seeking to certify information assurance specialists using a number of certification bodies, or CBs. The CBs are the APM Group, the British Computer Society and the IISP, CREST and Royal Holloway Consortium.

The APM Group was the first CB to go live (June 2012) having satisfied CESG (the UK Government body that deals with information assurance matters) that their assessment process is appropriate. What impresses me about their approach is that they use experts who themselves are certified. They have an assessment process that includes review of CVs and an Evidence Form that draws out experience and capability, backed up by interviews that test the evidence. You can’t get that from a tickbox.

It looks as if the UK government will, at some point, demand that many people involved in government information assurance get appropriately certified or be denied the chance to practice. If the certification is as rigorous as the APM Group approach seems to be, then we might find ourselves having a model process for the professional assurance of our industry.

This scheme is currently looking solely at the UK government information assurance world. There’s no doubt that someone soon will seek to take this to a wider audience, and it will come of age once it’s internationally accepted. There’s a problem, however: this process takes time, and for most of the world, it wasn’t invented ‘at home’. The standard that is now ISO 27000 (1 & 2) struggled for broad international recognition when it was British Standard (BS) 7799. It needed the ISO badge, despite that fact that it changed little during the transition to ISO to be accepted internationally.

True competency-based certification is the way ahead. We need to test knowledge, skills, experience, capability and true understanding. I’d sooner deal with someone who’s been proven competent over someone who’s proven they can remember a list of words under pressure.

Gregor Campbell is an information security consultant working in both the government and private sectors in the UK

This article is featured in:
Application Security  •  Internet and Network Security  •  Malware and Hardware Security  •  Public Sector  •  Security Training and Education  •  Wireless and Mobile Security



paramveer says:

19 February 2013
Information Security Industry has developed manifolds now. CISSP certification helps HRD department for recruitment point of view that there is some evidence that a person has knowledge in the field. Information Security is also a vast field as any other subject. CISSP is known as Inch deep and mile wide and for further knowledge concentrations and experience are required. Even the perfect has the scope for perfection and PDCA(Plan Do Check Act) cycle run again and again. There are 10 domains in CISSP and to gain expertise in a single domain can take a person's considerable time of his life. Now what quality a company / recruiter / person is looking depends on their outlook. Here I can certainly say about the author that atleast he is looking for a very very fine quality knowledge and experience. I do respect such people.

chris_jenn says:

31 January 2013
I would agree with the authors supposition that just because you have a CISSP (and I do) that you may not be a competent security practitioner by that virtue alone. I would posit that the bar for the CISSP is set high and the increase in CISSP holders are due to the increasing popularity of the career field. Driving that is the huge need in industry for security professionals and more universities offering and IA type education.
As rightly stated in the article, the author is skeptical of the one week boot camps due to the lack of teaching concepts to any depth but rather storing surface level facts into short term memory. Remember the CISSP has a continuing education requirement, but if there is one criticism of the cert is that virtually anything is accepted as continuing education. It all boils down to the person. If the cert holder is really a “shelf stocker” then they’ll find the easiest route to satisfy the requirement to gain and maintain the CISSP. I would hope (and in my experience have seen) that most folks holding the CISSP are professionals and work hard to understand the concepts and don’t avoid the hard subjects with regards to maintaining the cert as well.
The CISSP is of great value to industry but it alone is not an ‘end all be all’ however, it is a great starting point.

psprague says:

09 January 2013
I disagree. The CISSP is comprised of difficult scenario based questions that test your ability to solve problems and not simple recall memorized facts.

Note: The majority of comments posted are created by members of the public. The views expressed are theirs and unless specifically stated are not those Elsevier Ltd. We are not responsible for any content posted by members of the public or content of any third party sites that are accessible through this site. Any links to third party websites from this website do not amount to any endorsement of that site by the Elsevier Ltd and any use of that site by you is at your own risk. For further information, please refer to our Terms & Conditions.

Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×