Everyone knows that you've got to have a CISSP to work in information security. Or some similar certification, anyway.
Figures show that if you have one of these certifications, you can boost your earning power and get the best jobs. The qualifications have become a benchmark in security, and hardly anyone now questions their value.
(ISC)2, the organisation that administers the CISSP programme, reckons there are 30,000 holders of the title worldwide, with 1,000 of them in the UK. Rival organisation Isaca claims a similar take-up for its CISA and CISM certifications.
But what do these certifications really prove? Do they guarantee any prospective employer that you are a talented, hard-working and effective professional? Some people have their doubts.
The subject was raised at an event run by SC Magazine last month in California, where Jon Gossels, the founder of consultancy System Experts, fired a broadside at what he called "an explosion of low-value certifications". He had identified 78, and questioned whether some of them had any value at all.
He even called the CISSP certification "a mile wide and an inch thick", meaning that the curriculum is far-reaching, but does not test any deep knowledge. Any exam that relies on multiple-choice questions, he argued, could not test for "intelligence, judgment or work ethic."
This might come as no surprise to many readers. True professionals understand the strengths and limitations of a certification programme. It tests for a broad base of knowledge and provides a mechanism for continuing professional education, which is good. But it cannot test for many of the skills the modern professional needs, such as diplomacy and the ability to explain security to senior management.
The trouble is that, for many companies, the starting point for any recruitment exercise is the HR department or, for consultants, the purchasing department. People in these roles are not experts in security, so they work to a series of checklists. Increasingly, they look for CISSP as a minimum requirement for any security-related job.
Nothing wrong with that? Consider the example provided by our US columnist Peter Stephenson, who has more than 30 years in information security. As an experiment, he recently applied for a series of jobs. In all applications, he mentioned his long experience, but in some he inserted "CISSP" and in others he left it out. The applications with no CISSP got a blunt refusal; the others got an enthusiastic invitation to come to an interview.
If recruitment is going to be that blinkered, we risk losing highly qualified and experienced people. It's a bit like refusing to see Albert Einstein because he doesn't have a GCSE in maths.
Send your views about certifications to firstname.lastname@example.org.
Ron Condon is editor-in-chief of SC Magazine