Information Security Certifications: Badges of Dishonor

Gregor Campbell questions the value of a CISSP

For years there’s been talk of ‘professionalizing the profession’ – adding the kudos and polish that separates the righteous from the also-rans. The desire to do so is very strong, and has created an additional industry dedicated to the development of dodgy badges and certification. Everyone likes a badge – especially if it’s a badge of honor.

There are badges in information assurance and security that are deemed honorable. Many of us brandish the CISSP badge. In some organizations it is a requirement for certain roles, and I’m certainly aware of recruitment agencies that insist on it. I am not CISSP-qualified – perhaps I should be. My reasons for not being so are many, but they all center around the simple fact that many people I know who wear this particular badge are not capable and competent information security practitioners.

The number of active CISSP holders is soon likely to pass 100,000. In my direct experience, I think this number is a telling one; I believe the bar is lowering. I’ve always regarded any qualification you can scrape through via a week-long ‘boot-camp’ course to be suspect. Boot camps fill short-term memory. That which is learned in this manner normally fades just as quickly. Even with refresher courses, I think these and similar qualifications lend themselves to one simple capability: a decent memory linked to factual regurgitation.

I’m very aware that many (indeed most) holders of these badges are upright, solid and reliable professionals. The badge is not, in my opinion, proof of that. It’s what these people do and the changes they manage that are important. Give me experience and proven competence over a fading badge anytime.

How then do you test if someone is competent and capable without spending some length of time working with them? The answer is not simple. Testing competence cannot be done via a multiple-choice tickbox. It can only come by the thorough examination of evidence, and asking the person claiming competence some direct and tricky questions. The problem is the person asking the questions, and judging the responses, has to be an expert – someone who is themselves time-served and competent.

I’ve always been a keen student of initiatives to ‘professionalize the profession’, mostly because they are a source of deep amusement to me. Many web searches reveal that information security ‘competence’ is still seen as understanding facts about technical subjects, and not how to deal with security incidents when they occur, nor how to manage a team of near-savant technical specialists.

There are many areas in which people seek to measure and certify competence. Leadership is one area of management that is often singled out as worthy of measurement, as is strategic thinking. Meanwhile, the UK government is now seeking to certify information assurance specialists using a number of certification bodies, or CBs. The CBs are the APM Group, the British Computer Society, and a consortium of the IISP, CREST and Royal Holloway.

The APM Group was the first CB to go live (June 2012) having satisfied CESG (the UK Government body that deals with information assurance matters) that their assessment process is appropriate. What impresses me about their approach is that they use experts who themselves are certified. They have an assessment process that includes review of CVs and an Evidence Form that draws out experience and capability, backed up by interviews that test the evidence. You can’t get that from a tickbox.

It looks as if the UK government will, at some point, demand that many people involved in government information assurance get appropriately certified or be denied the chance to practice. If the certification is as rigorous as the APM Group approach seems to be, then we might find ourselves having a model process for the professional assurance of our industry.

This scheme is currently looking solely at the UK government information assurance world. There’s no doubt that someone soon will seek to take this to a wider audience, and it will come of age once it’s internationally accepted. There’s a problem, however: this process takes time, and for most of the world, it wasn’t invented ‘at home’. The standard that is now ISO/IEC 27001 and 27002 struggled for broad international recognition when it was British Standard (BS) 7799. It needed the ISO badge to be accepted internationally, despite the fact that it changed little during the transition to ISO.

True competency-based certification is the way ahead. We need to test knowledge, skills, experience, capability and true understanding. I’d sooner deal with someone who’s been proven competent over someone who’s proven they can remember a list of words under pressure.

Gregor Campbell is an information security consultant working in both the government and private sectors in the UK
