FCW Insider: In defense of security certifications

As noted in a blog post yesterday, some FCW readers are skeptical about the value of security certifications.

A bill recently introduced in the Senate would require contractors to license and certify anyone providing cybersecurity-related services to a federal agency. The skeptics believe that Certified Information Systems Security Professional (CISSP) and other certifications are misleading, because they do not reflect an employee's work experience (read the article and all its comments here).

Several more readers echoed those sentiments after reading yesterday's blog post. However, I want to highlight one comment that offers a different perspective:

It's pretty easy to rant about qualification and whether the CISSP (target of opportunity) is worthwhile; simply put, you can have all the quals and certs plus the 5 years experience currently required for CISSP or another cert (SANS too), but if you're not working in a team environment with other subject matter experts, you're bound to miss something. Certs, quals and experience do not prevent mistakes, but at least they've studied and documented their experience. The government is doing what government does: establishing a baseline...a standard. Are there better measures? Possibly, but we (IA professionals) have to start somewhere.

Posted by John S. Monroe on Apr 07, 2009 at 12:14 PM


Reader comments

Thu, Oct 1, 2009 Rookie Kansas

The federal government has standards for security established by the CNSS. Wouldn't these be the proper standards for certification instead of CISSP? I'm just a rookie so pardon my ignorance on the topic. I do understand that experience is a key qualifier for any profession but the federal situation is quite confusing across the varying departments and agencies. Experience in confusion on the standards does not qualify someone to ensure our systems and information are assured or secured. Looking for help to better understand.

Wed, Apr 8, 2009 ryan San Antonio

I will say this again: if these certifications had more to do with the way DoD does cybersecurity, fine; but they don't. These are commercial organizations. DoD should have their own cybersecurity certification school for techies and for security managers, which runs the curriculum along the lines of the DoD 5200-series and 8500-series manuals and the DISA STIGs; and, if you pass that test of your knowledge of how DoD does cybersecurity, you get a DoD certification as well as an Additional Skill Identifier in your records.

Wed, Apr 8, 2009 Secgeek Washington, DC

Folks, if you are hiring someone based on the fact that he/she has a CISSP, you are simply incompetent and should relinquish your job to someone else. On the other hand, if you are going to carefully review the following and properly interview the person, then the CISSP becomes just part of the overall picture: What are the person's education qualifications in IT and IT security? (Degrees, special programs, certs, etc.) Work experience: does the person have the proper experience for the position? Did you allocate sufficient time to interview the person (1 hr+ depending on the level of the position)? Did you ask the person the right detailed questions, which can clearly show that he/she knows what they are talking about? Asking people good detailed conceptual questions is best; if the interviewee can only throw out acronyms and is not capable of rationalizing his/her answers, then that's not the person you are looking for. Bottom line: it takes time and effort to find a good employee and make sure he/she fits in; shortchanging the process will not work. A professional would also have more than just one cert, by the way. A CISA is a great complement to the CISSP, and an ISSAP, ISSMP or CISM would show more advanced design/management knowledge. Some of the GIAC are excellent indicators of technical expertise, but not without the relevant work experience.

Wed, Apr 8, 2009 IAENGINEER D.C.

IA now has bachelor's, master's and PhD university curricula which include the CISSP curriculum content. Work experience and team effort are the best way to go. The degree path is far better in touching on reality than just cramming for a 6-hour test.
