2007-05-01
I wrote a column for SecurityFocus some time ago that aired my concerns over GIAC dropping the practical portion of their certification process. That column resulted in a lot of feedback, with most agreeing about how GIAC bungled what was, up till then, the best certification around.
Blocking port 53 TCP
2007-05-02
Richard Bejtlich (1 replies)
Re: Blocking port 53 TCP
2007-05-02
Don Parker (1 replies)
Re: Re: Blocking port 53 TCP
2007-05-03
Anonymous (2 replies)
Re: Re: Re: Blocking port 53 TCP
2007-05-04
Anonymous (2 replies)
Time for a new certification
2007-05-02
Rob Shein (1 replies)

I consider myself a security professional. I understand the concepts, limitations, and proper uses of technical controls (IDS, vuln scans, etc.) and have coded signatures, NASL scripts, data analysis scripts, and reporting interfaces. I also understand the right way to perform assessments, conduct audits, develop corrective action plans, perform risk analyses, and facilitate root cause analyses. I have experience with the Certification and Accreditation process, I know how to develop a training and awareness program, and I know what compliance metrics are, how to calculate them, and how to use them.
A certification, however, did not teach me these things. Only experience and a hunger for knowledge can teach the wide variety of skills necessary to be a true professional. Expecting a certification to be broad enough to cover all of the required aspects is folly.
We are better off using a mix and match of less complete certs like we have today to cover a baseline, then using something less definite to move us to the next higher level. I have firewall certs, forensics certs, management certs, and tons of training in various technical and soft skills. None of them, however, ensure I'm any good at what I do. Only day-to-day work, study, and peer review can ensure that I'm competent.
Stop looking at certs to be the answer. We should require more regular actions to prove competence, like publishing papers, writing books, research, and peer review journals.