Certification bodies need to work together so that security professionals can better understand the benefits of certifications and get the most from them.
Speaking to SC Magazine, Amar Singh, chair of the London Chapter security group of ISACA, said that the organisers of certification companies should find a balance.
He said: “The problem with any certification is who does them, maybe there should be a CISSP course and a CISSP premium. I know someone with no knowledge of programming who got a CISSP for software development so how did they get it? There is a case of a grandfathering programme and that is where the change needs to be.
“A certification doesn't demonstrate your passion, as with no passion you're a robot. (ISC)2 and ISACA need to get together and say 'let's try to bring real value to certifications' and more value so there is a premium level of certification to demonstrate a level of passion.”
He predicted that in a few years there will be more software security developer certifications. While he saw it as a huge opportunity for people to take a security software course, he said that certifications need to evolve to show that a person has a passion for what they are learning, as this is important to employers when they are hiring new staff.
“(ISC)2, ISACA and SANS Institute should combine as they need to work out a better way to add value, as it is a constant battle,” he said.
Commenting, Hord Tipton, executive director of (ISC)2, agreed that there is plenty of scope for the different bodies to work together to help overcome the confusion, to explain the role of certification itself and its value in the developing international information security workplace.
He said: “These bodies need to work together to support the development of official standards for skills that set the framework for public policy and formal education. It is important to recognise that certifications themselves are not the standards; they have a different, more direct role to play in the workplace, but the quality, currency and depth of internationally recognised knowledge that goes into maintaining existing certifications have a value to the varied standards efforts that are required at a national or regional level.”
Tipton also said that it was important to understand the critical role that professional certification plays in the development of individuals and the profession itself. In just 25 years, information security requirements have developed at a rapid pace, with vendor-neutral professional certifications, and the membership bodies that uphold them, developing alongside these requirements.
“Contrary to calls for consolidation in the market, I believe we are going to see the market support more, rather than fewer, certifications, as businesses and government alike continue to recognise the breadth of the professionalisation requirement,” he said.
“It is incumbent on the certification bodies to communicate the quality of their process and content, how they remain relevant. In our case, this happens through frequent job task analyses of our membership, and how they ensure those who hold their certifications are empowered to live up to the quality that is communicated by their credential through the activities and support of the membership and the broader professional community.”
Speaking to SC Magazine, James Lyne, SANS Institute certified instructor, said that there are pros and cons to standardisation, especially as SANS is providing training modules for CISSP. “It can be a good thing, as there can be a danger of price fixing with too many standards, while cross-pollination is a good place,” he said.
“The government is providing standardisation schemes for the definition of penetration testing for example, and I really like the industry and government defining the need to find one and we need to have that, but there has got to be a competitive edge to place the best content. Some people are better suited to one style and having multiple routes is no bad thing.”