This seems to be a well-intentioned but misguided attempt by the Office of Management and Budget. They are attempting to establish minimum requirements for professional certification for IT workers.

Hmm.

From GCN:

“This is a change we have not faced in the IT security industry before,” he added.

The closest parallel has been in the Defense Department, which anticipated OMB’s reaction in this area. DOD’s Directive 8570 on information assurance, approved in December 2005, requires all of the department’s information assurance workers to obtain an accredited commercial certification in computer security. DOD has approved 13 certifications for the directive.

The DOD requirement already has thrown what one conference attendee called a giant monkey wrench into the IT security manpower market.

“If OMB issues a similar requirement, it’s going to throw the supply and demand curve even more out of balance,” he said.

Datesman agreed, saying it probably would take years for the supply of certified workers to catch up with demand. A CISSP certification requires five years’ experience. “You don’t mint them out of college,” he said.

OK, this is where this trolley leaves the track. I have met CISSP-certified folks who, I would wager, would be lucky to fight their way out of a wet paper bag. “Don’t mint them out of college” is a phrase that I’d argue with. I would offer that the ISC2 should start auditing certified members. The validity of the CISSP cert is becoming diluted in the eyes of the market.

A picture is worth a thousand words.

Myrcurial at Defcon

It’s great for the mandatory HR tick box, but how many of these folks actually have the ability? Sure, they can memorize some flash cards and pass a test, but are they effective? Some, not so much.

On the face of it this is a good idea.

Like all good intentions, they make great paving stones on the road to hell.

Article Link

Comments

  1. I agree that there are some CISSPs, just like there are many MCSEs, who aren’t qualified to work in a real security team. However, I don’t believe certifications were ever intended to be confirmation that a person is an expert in the related field.

    We use the presence of certifications to determine if a person has the fundamental knowledge required for our security analysts. The interview process determines whether the person can actually put his or her knowledge into practice. And the ability to move from academic to practical application is lacking in many people. This is not necessarily a problem with the certification process.

    I believe certifications are a good start, but they are far from the end goal for those building a technical career.

  2. I thought I’d share this with everyone about a recent article published in today’s GCN magazine. This magazine is 1 of 5, representing the ‘heartbeat’ of U.S. government activities. As a ‘critical infrastructure protection’ (or ‘CIP’) researcher, I pay particularly close attention to this and one other magazine because of the relevant articles about our Nation’s infrastructures.

    However…I came across this article this morning about (practically) *mandating* that an IT security ‘professional’ be (are you ready for this) *required* to have an IT security certification. Not that I am discounting the “CISSP” certification, nor its accreditation organization, I see this as a step towards a ‘professional registration’ process.

    The fact that they are mentioning ONLY ISC(2)’s certifications and no one else, leads me to believe that they are attempting to make the “CISSP” a mandatory standard without considering other certification/accreditation houses. How can they do this when agencies, such as the EPA and DOE, shot down similar (if almost *aggressive*) efforts to do the same several years ago on a similar note?

    Though everyone seems to acknowledge “CISSP” as the ‘de facto’ IT security certification, I feel slighted by the fact that the CISM accreditation is still considered (by many people’s interpretation) as 2nd to the CISSP accreditation.

    How is this fair? Answer: it isn’t. >((

    -r

    P.S. This cheapens, if not weakens, future certification efforts, perhaps ruining other more credible accreditation firms, such as ISACA and the NSPE (just to name a few).

  3. I’ve gone my entire IT career without getting certified, though I’ve been told by many that I’m highly certifiable… 😉

    I’ll stick with my GED, thank you very much.
