FCW Insider

Blog archive

FCW Insider: In defense of security certifications

As noted in a blog post yesterday, some FCW readers are skeptical about the value of security certifications.

A bill recently introduced in the Senate would require contractors to license and certify anyone providing cybersecurity-related services to a federal agency. The skeptics believe that Certified Information Systems Security Professional (CISSP) and other certifications are misleading, because they do not reflect an employee's work experience (read the article and all its comments here).

Several more readers echoed those sentiments after reading yesterday's blog post. However, I want to highlight one comment that offers a different perspective:

It's pretty easy to rant about qualification and whether the CISSP (target of opportunity) is worth while; simply put, you can have all the quals and certs plus the 5 years experience currently required for CISSP or another cert (SANS too) but if you're not working in a team environment with other subject matter experts, you're bound to miss something. Certs, quals and experience do not prevent mistakes but at least they've studied and documented their experience. The government is doing what government does: establishing a baseline...a standard. Are there better measures? Possibly, but we (IA professionals) have to start somewhere.

Posted by John Stein Monroe on Apr 07, 2009 at 12:14 PM

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.


  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from Shutterstock.com

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Thu, Oct 1, 2009 Rookie Kansas

The federal government has standards for security established by the CNSS. Wouldn't these be the proper standards for certification instead of CISSP? I'm just a rookie so pardon my ignorance on the topic. I do understand that experience is a key qualifier for any profession but the federal situation is quite confusing across the varying departments and agencies. Experience in confusion on the standards does not qualify someone to ensure our systems and information are assured or secured. Looking for help to better understand.

Wed, Apr 8, 2009 ryan San Antonio

I will say this again, if these certifications had more to do with the way DoD does cybersecurity, fine; but, they don't. These are commercial organizations. DoD should have their own cybersecurity certification school for techies and for security managers, which runs the curriculum alongs the lines of DoD 5200-series and 8500- series manuals and the DISA STIGs; and, if you pass that test of your knowledge of how DoD does cybersecurity, you get a DoD certification as well as an Additonal Skill Identifier in your records.

Wed, Apr 8, 2009 Secgeek Washington, DC

Folks, if you are hiring someone based on the fact that he/she has a CISSP you are simply incompetent and should relinquish your job to someone else. On the other hand if you are going to carefully review the following and properly interview the person then the CISSP becomes just part of the overall picture What is the person's education qualifications in IT and IT Security? (Degrees, special programs, certs, etc.) Work experience - does the person have the proper experience for the position? Did you allocate sufficient time to interview the person 1hr+ depending on the level of the position. Did you ask the person the right detailed questions which can clearly show that he/she knows what they are talking about? Asking people good detailed conceptual questions is best; if the interviewee can only throw out acronyms and is not capable of rationalizing his/her answers then that's not the person you are looking for. Bottom line it takes time and effort to find a good employee and make sure he/she fits in; shortchanging the process will not work. A professional would also have more then just one cert by the way. A CISA is a great complement to the CISSP and an ISSAP, ISSMP, CISM would show more advantage design/management knowledge. Some of the GIAC are excellent indicators of technical expertise but not without the relevant work experience.

Wed, Apr 8, 2009 IAENGINEER D.C.

IA now has bachelors,masters and PHd university curriculm which includes the CISSP curriculm content. Work experience and team effort are the best way to go. The degree path is far better in touching on reality then just cramming for a 6 hour test.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group