FCW Insider: What's the point of security certs?

We have heard from a number of readers who see little value in requiring cybersecurity workers to have security-related industry certifications.

They were responding to our report about a Senate bill that would require contractors to license and certify anyone providing cybersecurity-related services to a federal agency (you can read the story here).

Several of these readers are specifically unimpressed with the Certified Information Systems Security Professional (CISSP) certification. But certification in general, they said, is a bit of a red herring, because it does not reflect work experience, which is more valuable than test experience.

So we can't help but wonder: What is the point of certification? How can federal agencies ensure that their cybersecurity staffers, and their contractors' staff, have the right skill sets?

Meanwhile, here are excerpts from the comments we've received.

* I've been certified since 2003 and have contact with many "certified" folks who have no experience with actual skills on the job. The cost of getting certified is high for both individuals and companies, yet the government still wants to award to the low bidder. Companies can't afford to spend a lot of money and not get a return on their investment in the people. It is also very difficult to retain trained 'professionals' no matter if they are trained while under government sponsorship or by their company. There is a lot of job hopping to increase salaries without remaining long enough to actually learn/perfect skills or truly contribute to the agency's mission.

* If they are going to have certifications, then it should be a mix of the software vendors' certs, i.e. Microsoft, Cisco, VMware, and then maybe a security cert. It's clear the government doesn't understand technology best practices. Which is why, military included, we get hacked by countries like China, N. Korea, etc.

* Not another one. I have three masters: MIS, FWU; ISS, EMU; National Security, Navy War College; PMP, GW; Boot Camp; ISC2; 25 years of IT/ISS experience... yet not qualified. It is all about the $$$$$. This is a monopoly and employees should protest about this. I have fired more CISSPs. Passing a test means nothing. Before you know it, you won't need degrees, just paper certification.

* This sounds like the DOD Information Assurance initiative, which is nothing more than a memorization effort in order to pass a test that on average has little to do with what a person does on a daily basis. Vendors selling these classes are getting rich and taxpayers don't see any measurable benefit to it. It just looks good on a resume to have these certifications. Doesn't make anyone smarter if they do not have experience to begin with.

* Great. Another worthless paper certification. And I include CISSP in that. Took me 45 minutes to parse the exam questions for the correct answers to pass that test, and then ISC2 wanted "maintenance" fees throughout the 3-year certification period. Those fees were not disclosed when I got the CISSP cert. Now I have to pay the "overdue" fees to re-certify since the 3 years ended. WTF? ISC2 is just about the money and they are going to exploit this one for all it's worth.

Posted by John S. Monroe on Apr 06, 2009 at 12:14 PM



Reader comments

Fri, Apr 24, 2009 Kevin Washington, DC

As stated previously, a certification alone should not be the criteria used to determine a candidate's fitness for a position. The certification process needs to be elevated to the same degree as for doctors, lawyers, etc. Then tie the certification directly to experience. There also should be schools that have information security, information assurance (IA), etc. degrees that can be used as the basis for a security certification. Those who obtained a degree in computer science or other related area won't be able to go back and trade that degree for one in IA, but maybe there could be an option that allows prior, direct experience and a degree to be used as an "add-on" degree, so the individual will have an IA degree that will be the last 1/3 of the experience, certification and degree triad. Those 3 should be looked at for fitness for a job, with all 3 having equal weight.

Mon, Apr 13, 2009 GM South Florida

Certifications have value, without question, but how to maintain them when determined by a self-fulfilling organization has no value. Stating that work-related activity does not qualify for 'CPEs' is questionable. Personally I have not had time, company support or extra income to afford CPE programs. However, year in and year out I work directly with companies on IT security programs, projects, assessments and breaches. None of this qualifies, but one may propose that this blood-on-the-street, work-related activity is much more real, more tangible and more current than academic content. So again, the certifications are of definite value and should be required; it is how one can maintain them that should be questioned.

Mon, Apr 13, 2009 Scott

For the commenter who posted the "45 minutes and passed the CISSP" remark: Yeah, right! So on average you spent about 5 seconds to read the question and 4 answers and then transpose the correct answer to the answer sheet? Please! Your incompetence shows! You are probably upset because you actually spent the full six hours and barely passed after multiple tries - a much more likely scenario. I have met both certified and non-certified individuals who were inexperienced. It is up to the hiring manager to look at the resume and the certs and come up with the right questions to determine if the individual is qualified. Of the employees I have worked with, the certified folks usually fell into one of 2 camps: those who were required to get the cert (and held a grudge for being made to do it) and those who wanted to better themselves to advance. So if I were a hiring manager I would find out which camp the interviewee was in and hire the ones who showed initiative to get certified.

Wed, Apr 8, 2009 Doug Calgary

The original post and comments provide a number of excellent points regarding certifications as well as degrees. I do believe that there are a number of other points to consider in the defense of certification as well as against certifications.

First, one has to realize that in many companies, the Human Resource departments can be overwhelmed with applicants for positions. As a result many of them use keyword searches to determine whether or not a resume should actually be read or forwarded to the bit-bucket in the sky. Is it possible that an experienced, knowledgeable individual gets overlooked? Yes, but the HR groups, like others, will accept methodologies that reduce their workload as much as possible. This I know from personal experience: only after I had certifications was I called in for interviews.

Second, having a certification does not imply knowledge or experience. This is especially true when organizations give experience credits for attending school or having other certifications in lieu of experience. After graduating from University I was informed by a hiring manager that my Engineering degree meant very little to them. What the degree told them was that I was capable of learning and persistence to achieve a goal. During the years I have discovered the truth in the statement. I have known a number of individuals with certifications and when listening to them or reading their work, I seriously wonder how they ever achieved their certification in the first place.

Finally, I will admit that many of the certifications are solely another method of collecting revenue for an organization. This is especially true with organizations that require you to re-certify every two or three years. Do these companies honestly believe that the training and experience suddenly disappears from one’s head once their time period expires? The recertification is there only to ensure that they collect revenue and that you are aware of a new feature that they have introduced in the past year.

Certifications that allow you to retain your designation through continuing professional education credits (CPEs) go a long way to avoid the money grab described in the previous paragraph. This is very similar to other professional organizations, like lawyers, doctors, accountants, engineers, etc., that have professional dues. But unlike doctors or lawyers, individuals can still work after losing their designation, which is not right. There has to be a degree of responsibility with the designation as well as severe repercussions for not behaving in a professional manner.
Thank you.

Wed, Apr 8, 2009 anonymous Washington DC

I hear this a lot, that paper certifications are a waste of time, and that you have to 'retrain' CISSPs that you hire (or eventually fire). I think the big gap is the hiring process itself. Why are you hiring someone with no demonstrable skills? Sure, their resume says "10 years IA experience," "ISSO" or "Security Architect," but did you actually check a reference or two? What sort of technical interview are you conducting? Arguably the CISSP tries to bridge the gap by requiring vouched-for work experience and continuing education. It's not perfect, but at least you know that something is happening in that person's head to earn their CPEs. True, there is a lot of job-hopping here in contractor world, but finding well-qualified and experienced people is not hard; you just need to know how to look.
