Thursday, December 15

Security Skill Certificates

The Internet community needs to have security skill certifications that are meaningful. Right now, there is a hodgepodge of organizations that offer certifications in a wide variety of areas. Last year there were at least 150 vendor-neutral information security certifications and 20 vendor-sponsored or vendor-specific security certifications.

The fact is, most of these certifications are for entry-level skills or are product-specific. Don’t get me wrong - we certainly need credentials that demonstrate that someone is competent, for the same reason that we hire licensed plumbers or electricians.

What we’re missing is a uniform EXPERT level credential akin to the MD for physicians. And just like in medicine, there should be specialist security certifications to designate significant knowledge beyond the baseline MD-equivalent.

In the security industry right now, there is no way to tell if you're getting a real expert or not.

1 comment:

Anonymous said...

Martin and I are in agreement about two important factors: One, network security is not a mature field and Two, we need clear expert level credentials.

Martin’s comment about experiential learning versus formal training is interesting. Knowing that your doctor has completed an internship and residency after completing medical school is part of what gives you confidence in his/her abilities. Unfortunately, because our field is so young, we don’t have either the recognized program of studies or agreed-upon experiential requirements ... but we need to get there.

It is true that MOST security practitioners have only a Bachelor’s degree or less. That fact underscores the newness of the field and the lack of advanced degree programs in Information Security. It also raises the point that most professions have a hierarchy of credentials. MOST practitioners in any field are journeymen, not experts.

While Martin is correct that we cannot yet expect Information Security to have the maturity of medicine, medicine can serve as a valuable model for a transparent, well understood hierarchy of credentials - registered nurse, nurse practitioner, MD general practitioner, MD specialist. The hope is for our industry to move to that level of clarity and acceptance.

It is not clear how we move from our current hodge-podge of mostly low-level certifications to a well-structured, independent framework with generally accepted requirements. I’m convinced that Information Security is moving down the wrong path with the explosion of confusing, low-value credentials.