Three years ago, I sought the SANS GIAC Information Security Officer certification (then known as GISO). I was two-thirds of the way into my practical paper when the demands on my time became too great. I even paid $250 for an extension, but I never could polish off the project.
I'm one of those cert seekers the SANS Institute was talking about a few months ago when it announced it was dropping its GIAC practical requirements in favor of exclusively scenario-based testing. The idea is to boost the numbers and visibility of GIAC-credentialed professionals in the IT industry.
Even though I never accomplished my GIAC goal, I never stopped seeking certifications. In fact, during that time, there's been increased pressure within the profession to prove job worth by affixing more acronyms to your name. But there's also been an explosion in possibilities. I now feel the pressure to get a certification, but which one?
There's always the Certified Information Systems Security Professional (CISSP), which its sponsoring organization, (ISC)2, has successfully marketed as a must-have for security managers. I've reviewed sample tests and concluded this is more Trivial Pursuit than a true test of how I handle daily operations. For instance, the other weekend I was perusing a popular CISSP study text at a local bookstore and came upon a passage about dogs' loyalty and reliability, and how their senses of smell and hearing outperforms humans. What, I wondered, is the relevance to what I'm doing in cybersecurity? I looked at several other references and found virtually identical treatment--of dogs. There are other, more obscure areas of questioning with no bearing on what I do daily, and yet, these questions have helped create more than 130,000 CISSPs worldwide, brags retired (ISC)2 CEO James Duffy.
Put off by that certification, I moved on to the Certified Information Security Manager (CISM). All of the introductory statements about the CISM seem to fit neatly with what I do as a CISO, so I applied for the next test. During registration, however, I was asked for the job title that most closely describes my own. The choice of CISO, a widely used and industry-accepted title, was nowhere to be found. My choices were limited to IS security director, IS security manager or IS security staff. Apparently, ISACA (the organization that brought you COBIT) touts itself as "a recognized global leader in IT governance, control and assurance" but doesn't recognize a key governance role in the C-suite.
Now, I'm about ready to return full circle to a GIAC certification. One concern voiced by critics has been that dropping the practical requirements means more unskilled people qualifying, thus diluting the value of the GIAC certification system. Maybe, but I think the same could be said for the "book-centric" CISSP, CISM and myriad other infosecurity exams now vying for our attention and dollars.
The bottom line is that we're all just pawns in a numbers game for leading sponsor organizations and their appointed leaders, all of whom are more interested in boosting their own budgets and bragging rights than the careers of IT security professionals. And in that regard, they are failing us as an industry.