I've worked with some classic "merit badge collectors" over the years. Dr. Larry Lotsaletters, as we called him, was perhaps the worst offender. He included six acronyms in his e-mail signature, but nobody knew what they signified. To me, Larry's Ph.D. was sufficient evidence of accomplishment. But he didn't budge when I gently suggested that listing all those certifications in every e-mail smacked of pretentiousness.
Executives don't care about certifications.. Acting professionally, providing them with useful information, and being trustworthy is what builds respect and status.
In recent months, we've seen an explosion in infosecurity and IS audit certifications. In addition to old standbys such as CISSP, CISA and GIAC, there's now TICSA, SECURITY+, CIW, CISM and so on. According to Certification Magazine, there are at least 30 vendor-neutral security credentials. I don't have a problem with the certifications themselves, but rather with the whole culture of merit badge collecting.
Lately, there seems to be more interest in acronym acquisition than knowledge acquisition. We're looking for short-term fixes instead of long-term change. We're approaching certifications as a selfish exercise instead of an opportunity to mature the practice of information security, forgetting that the purpose of certification programs is to improve the profession and individual together.
Vendor-specific programs aside, it's unfortunate that the purpose of professional certifications is so poorly understood. They fulfill three primary functions:
- Certifications define minimum requirements for being able to function at a professional level. They set a knowledge baseline, both for scope and depth, and establish standards for ethical behavior and level of experience.
- Certifications encourage practitioners to mold themselves to a defined pattern of knowledge, experience and conduct. They motivate the acquisition of knowledge, and they discourage inappropriate behavior. Those who are just beginning a career in the field--no matter how well trained or clever--are put on notice that they can't be considered experts until they have actually spent several years working in the field on a daily basis.
- Finally, certifications provide employers with a greater level of trust that individuals actually are qualified.
Surprisingly, the last of these is the least important. Executives don't care about certifications. They find extra-wide business cards a cause for suspicion. It isn't acronyms that impress them. Acting professionally, providing them with useful information, and being trustworthy is what builds respect and status.
It's the other two functions where certifications truly become significant.
Our immature profession lacks the necessary understanding of professional ethics. It's not that we're unethical--our failing is in not emphasizing our profession's responsibility to protect society to the degree that more mature career areas do, such as engineering and medicine. Certification holders agree to a code of ethics, and when they violate them, they are subject to judgment by an ethics board. Sponsoring organizations do take this seriously, and they revoke credentials when presented with compelling evidence of inappropriate behavior.
What we consider to be best practice is still evolving. Certification programs are an important mechanism in establishing the generally accepted principles and vocabulary of a profession. A successful program is one that has a significant influence over the way people do their jobs. So instead of studying for another cert, consider that you might gain a deeper level of knowledge by providing training and mentoring to people who aren't certified at all yet. Instead of asking, "What cert should I get next?" I challenge you instead to ask, "How can I help?"
The way to build respect for our profession is not to concentrate on the externalities, but to build from the inside out, continuing to professionalize ourselves by growing individually and as a body.
About the author:
Jay Heiser, CISSP, works for a large European bank in London. His most recent book is Computer Forensics: Incident Response Essentials (Addison-Wesley, 2001).