IT Security Certifications Devalued, warns IDC

Businesses view IT security qualifications as less relevant because there are so many of them, according to research published by analyst IDC. The report says there is a danger that certifications considered of a high value today will in the future become less significant.

‘Six years ago, some 15 different security certifications were available in the marketplace,’ says the report. ‘Today the number has grown to more than 40 vendor-neutral and more than 25 specified certifications, making it difficult for employers to discern which certifications carry the greatest value.’

Phil Cracknell, president of the Information Systems Security Association (ISSA) UK and director of technology assurance and advisory at Deloitte, says there are overlaps and gaps between the various accreditations.

‘Some used to be highly valued but have been devalued because they are offered on a five-day boot camp,’ he said. ‘There are so many qualified people out there you can take your pick. If a qualification is your only criterion, you are going about it wrong.’

Nick Coleman, interim chief executive of accreditation body the Institute of Information Security Professionals (IISP), says one overarching accreditation could embody smaller schemes.

Saying this for a long time...

Half of the certifications are crap. Once I held the SANS certification in high regard, but even they loosened their standards to fight against the CISSP's popularity. I meet a lot of CISSPs every day and half of them have no clue about the latest technology and security.

Most of these certifications are teaching you the basics and the tactics used by hackers more than a year ago. Therefore, if you say "I am FOOBAR certified", that means you are one year behind the current trend, and one should start the interview/conversation from there.

Most black hats and grey hats are self-taught, and white hats shouldn't be any different.

So what's new?

This is new? This is Grade Inflation all over again. I'm 45, I have no college degree, and it's never stood in my way because I actually know my stuff. Likewise I have a CISSP, but I don't rest on those dubious laurels, I keep up with the industry.

You should no more rely on a certification alone to tell you whether someone is qualified than you should rely on looks.

On the other hand, certifications, like diplomas, are simply a component that assists judgement. I've met idiots with PhDs, but I've met a lot MORE idiots without them.

Finally, security is a state of mind. It's not about knowing the technology, it's having a certain mindset that says "Sure, tools, whatever: how are you using them?" That seems to be almost an intrinsic characteristic, a personality that challenges and questions and doubts rather than looking for optimized operational production. I've met network engineers that are better natural security techs than any number of CISSP certified people.

When I was a coder, I started using robust memory allocation and deallocation, and a naming convention for my variable declarations (in C), not because I had to, but because it was better practice. Incidentally, I was making my code both more secure and more easily supportable. I was less productive than the guys for whom "char *foo; int *bar;" was a way of life, however, so I got out of coding. Ten years later I had a security cert.

Some elements of security you can learn; others you have to be born to. Certs don't assure either of those, they just show you've passed some tests.
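The commenter above mentions "robust memory allocation and deallocation" and a naming convention for C declarations without showing what that looks like. The following is an added example, written for this page and not code from the commenter or the article, of the discipline being described: a hypothetical `record_t` type whose pointers are NULL until they own memory, a single cleanup path that can be called on a partially built object, and a free routine that clears the caller's pointer so a second call is a no-op rather than a double free. The type, function names and sample bytes are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record: a copied name plus a copied byte buffer. */
typedef struct {
    char *name;              /* NUL-terminated, owned by the record */
    unsigned char *data;     /* data_len bytes, owned by the record, NULL if empty */
    size_t data_len;
} record_t;

/* Frees a record and clears the caller's pointer. Safe on NULL, on a
 * partially built record, and when called twice (second call does nothing). */
void record_free(record_t **rec_ptr)
{
    if (rec_ptr == NULL || *rec_ptr == NULL) {
        return;
    }
    record_t *rec = *rec_ptr;
    free(rec->name);
    rec->name = NULL;
    free(rec->data);
    rec->data = NULL;
    rec->data_len = 0;
    free(rec);
    *rec_ptr = NULL;         /* no dangling pointer left in the caller */
}

/* Builds a record from caller-owned input. Every allocation is checked,
 * the length arithmetic is guarded, and any failure unwinds through one
 * cleanup path instead of leaking what was already allocated. */
record_t *record_create(const char *name, const unsigned char *data, size_t data_len)
{
    if (name == NULL || (data == NULL && data_len != 0)) {
        return NULL;         /* reject inconsistent arguments up front */
    }
    record_t *rec = calloc(1, sizeof *rec);   /* zeroed: pointers start as NULL */
    if (rec == NULL) {
        return NULL;
    }

    size_t name_len = strlen(name);
    if (name_len == SIZE_MAX) {
        goto fail;           /* name_len + 1 would wrap to 0 */
    }
    rec->name = malloc(name_len + 1);
    if (rec->name == NULL) {
        goto fail;
    }
    memcpy(rec->name, name, name_len + 1);    /* includes the terminator */

    if (data_len > 0) {
        rec->data = malloc(data_len);
        if (rec->data == NULL) {
            goto fail;
        }
        memcpy(rec->data, data, data_len);
    }
    rec->data_len = data_len;
    return rec;

fail:
    record_free(&rec);       /* frees only what was actually allocated */
    return NULL;
}

/* Returns 1 if create, read back, free, and a second (no-op) free all behave. */
int record_roundtrip_ok(void)
{
    const unsigned char sample[] = {0xde, 0xad, 0xbe, 0xef};   /* constructed input */
    record_t *rec = record_create("session-key", sample, sizeof sample);
    if (rec == NULL) {
        return 0;
    }
    int ok = strcmp(rec->name, "session-key") == 0
          && rec->data_len == sizeof sample
          && memcmp(rec->data, sample, sizeof sample) == 0;
    record_free(&rec);
    if (rec != NULL) {
        return 0;            /* free must clear the caller's pointer */
    }
    record_free(&rec);       /* harmless second call */
    return ok;
}

/* Returns 1 if inconsistent arguments are rejected instead of dereferenced. */
int record_rejects_bad_args(void)
{
    return record_create(NULL, NULL, 0) == NULL
        && record_create("x", NULL, 4) == NULL;
}

int main(void)
{
    printf("roundtrip: %s\n", record_roundtrip_ok() ? "ok" : "FAIL");
    printf("bad args rejected: %s\n", record_rejects_bad_args() ? "ok" : "FAIL");
    return 0;
}
```

The `goto fail` unwind is the idiomatic C way to get the single cleanup path the commenter is describing; it only works because `calloc` leaves every pointer NULL and `free(NULL)` is defined to do nothing, so `record_free` never has to know how far construction got.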
