Information Security Certifications
Not too many years ago there were no certifications for information security professionals. How things have changed over the years; there are now more types of certifications than one could ever have imagined. Believe it or not, I even know of one individual who has ten information security-related certifications, and he plans to pursue even more.
Information security certifications have gained considerable acceptance. Before they existed, individuals with marginal credentials and experience in information security could declare themselves information security experts without having demonstrated any competency in information security whatsoever. Certifications, while by no means perfect, now provide some level of assurance that certified individuals possess at least a baseline of skills and knowledge. Many information security positions now require at least one certification; some require more.
The content covered by a certification exam matters a great deal. The Certified Information Systems Security Professional (CISSP) exam, for example, spans the domains of the (ISC)² Common Body of Knowledge (CBK) rather than a single specialty. It is one of the most difficult certification exams to pass, mainly because of the breadth of material a candidate must know; the physical security questions are particularly challenging.
The Certified Information Security Manager (CISM) certification also stands out in my mind as having unusually good content, content tied to the skills and knowledge an information security manager (ISM) must possess to be effective. The questions in this exam are difficult because answering them correctly requires the ability to analyze, synthesize and apply concepts derived from a job analysis performed on seasoned ISMs.
The Institute of Information Security Professionals (IISP) has recently developed a new and very creative approach to professional certification based on demonstrated knowledge and skills. Prospective members must submit written answers to questions and are then interviewed to determine their level of knowledge and skill. Membership is granted only if the demonstrated level meets the criterion.
Unfortunately, the quality of certifications in the information security field is not uniformly high. Some certifications were launched with little planning and foresight: certain exams are not based on a recognized body of knowledge such as the GASSP, and no test plan was ever created to guide the selection of test items. Some examinations are not even proctored. A few organizations have tried to cover up the deficiencies in their certifications through vigorous marketing efforts.
As the proverbial dust surrounding information security certifications settles, the CISSP and CISM certifications have taken the lead in terms of perceived substance and quality. The IISP appears to have the most promising new approach. But when all is said and done, it behooves information security professionals to obtain at least one information security-related certification. The state of the art in information security has changed to the point that calling oneself an information security professional without having passed at least one examination created by peers or without having survived a rigorous interview by peers is no longer credible.