March 29, 2005

Security Signals - Certifications for Experts

Some people swear by them. Others think they are just paper. What are they really? I am inclined towards the Stigler observation that, paraphrased, all certifications are eventually taken over by their stakeholders. Here is a Register article that bemoans one such certification dropping its practical test and reducing it to boot camp / brain dump status.

I have no certifications, and I can declare myself clearly on this: for my own knowledge, obtaining one would be uneconomic. Frankly, it is always better to study something you know little of (like an MBA) than something you already know a lot of (like how to build a payment system, the pinnacle of security problems because, unlike other areas, you are guaranteed to have real threats).

I recently looked at CISSP (as described in the above article). With some hope, I downloaded their PDF, after tentatively signing my life away because of their fear of revealing their deepest security secrets to some potential future student. Yet what was in the PDF was ... less than in any reasonable half-dozen articles in any net rag with security in its name. Worse, the PDF finishes with a two- or three-page list of references with no organisation and no hope of anyone reading, or even finding, more than a few of them.

So in contrast to what today's article suggests, CISSP is already set up to be a funnel for revenue purposes. When a certification draws you in to purchase the expensive training materials then you know that they are on the road to degree mills, simply because they now no longer have a single security goal. Now they have a revenue incentive ... It's only a matter of time before they forget their original purpose.

Which all leads to the other side of the coin: if an employer is impressed by your certification, then that employer hasn't exactly thought it through. That is not so impressive in return; do you really want to do security work for an organisation that has already reduced its security process to one of borrowing other organisations' best practices? (Which leads to the rather difficult question of how to identify an organisation that thinks for itself in security matters. Another difficult problem in security signalling!)

So what does an employer do to find out if someone knows any security? How does an _individual_ signal to the world that he or she knows something about the subject? Another question, another day!

Posted by iang at March 29, 2005 11:29 AM

PADI: "Put another dollar in"

CISSP is nice because it gave me some insight into "how they think". Specifically, it gives a pretty broad overview of a lot of security management-related topics and terminology--knowledge "hooks" into the various fields, if you will.

The cert is just a piece of paper. It's only for planks if you actually put it on your business cards or something cretinous like that.

Posted by: JMS at March 29, 2005 12:25 PM

Some certifications might be giving a first impression on the job market. It's like a professional reference: it distinguishes you for the selection process. Any decent employer does not merely look at the certification but will test the candidate's performance. However, a certification like the CISSP, the CISM or the CISA gives an indication that the holder has a certain idea about security management, security topics or infosec audit. Nothing more, but otoh nothing less, either.

Posted by: Axel at March 30, 2005 11:30 AM

I was going to write basically the same thing as Axel on this one. Certifications add value in two ways. First, as Axel already pointed out, they are useful in the hiring process. For a job candidate, they increase the odds that the applicant's CV will make it past the keyword scanners and actually be seen by a human being.

Secondly, a certification demonstrates the long-term professional interests and opinions of a candidate. Think of them as the professional equivalent of political party membership. If someone possesses a CISSP, CISM or CISA certification, that implies that they have a long-term interest in Security Management. If they earn a CCSE (Isn't that the cisco-specific security cert?), many of the SANS certifications, etc., then that implies a long-term interest in Network Security.

On the other hand, if someone possesses all of those certifications, then that usually implies to me as a hiring manager that the candidate is interested in earning certifications ;-) .

As always, the success or failure of the candidate will depend as much on their temperament, ability to get along with their co-workers and the overall corporate environment as on their ability to pass a certification exam.

Posted by: Chandler Howell at March 30, 2005 11:49 AM

Axel and Chandler stated exactly what I would have said as well. I am a CISO in the health care industry and I passed my CISSP cert in February. Professional growth and continuing education gains the respect of your peers and will only benefit you moving forward.

I tend to look at experience, attitude and departmental fit prior to considering the individual's acronyms, which are longer than my arm in most cases. If I can get a good match for my first requirements and get a CISSP or CISM/CISA, I have found a potentially strong candidate.

Always remember that just because you have security certifications, this does NOT make you an Information Security Professional. I have fired two CISSPs in the last 3 years due to inappropriate activities (blackhat) and poor attitudes.

Rob Foster, CISSP

Posted by: Rob Foster at March 30, 2005 12:39 PM

"do you really want to do security work for an organisation that has already reduced their security process to one of borrowing other organisations's best practices?"

Since the alternative is working for a company that tries to reinvent the wheel, yes. Since other organizations have undoubtedly taken practices from their peers and enhanced them, yes. Since peer organizations have similar risks and have already developed procedures to handle them, yes.

This idea of thinking every company is unique is nonsense. The bell-shaped curve of normal distributions still prevails. Why do you borrow "best practices"? Because they're field-proven and they probably will work for you, or at least get you a major way to your goal.

Why are certifications preferred? Because they establish a baseline over people that have not bothered to certify. Would you hire an auditor who wasn't a CPA? I wouldn't.

Every time I read about someone whining about this certification or that, I look to see if they list that credential after their name. If they don't, I wonder if it really means that they tried to pass and failed. If they do list the credential, then I will read their comments as coming from someone who has been there and done that.


Posted by: Ray Pesek at March 30, 2005 09:58 PM

I don't have a CISSP, nor do I have any other security certification. My current employer has offered to pay for me to get one (bootcamp and testing) and even give me a bonus if I complete it. There's zero chance I'll bother (unless they raise the bonus substantially ;>) because I believe that it has become an inverse signal. I've been working in the industry for ~10 years and most of the companies I would care to work for (and the people I'd like to work with) know that the certification is pretty empty and view people who advertise it as a little clueless. It's fine if you're hiring benchwarmers for a company like Pricewaterhouse but few experts bother with it. The CISSP is nothing like a CPA.

Posted by: Jonathan Wilkins at April 14, 2005 01:35 AM