Even as recently as three years ago, if job ads mentioned qualifications at all, they'd say something like "CISSP an advantage." That is, a qualification would be nice, but not essential.
Increasingly, however, we now see "CISSP (or CISM) preferred" or even "CISSP (or CISM) essential" featuring in advertisements for jobs.
Companies (and agencies) may not always know exactly what these qualifications signify, or what they prove, but they have begun to realise that they do at least offer a benchmark of expertise.
In other words, if you go for a job and don't have a piece of paper to back up your (possibly extensive) experience, you reduce your chances of even getting to the first interview.
That is one of the reasons why, since I started in infosec, I have been keen to acquire certifications to supplement my experience.
I've done the CISSP from (ISC)2, the CISA and CISM from ISACA, and completed the MSc Security course at Royal Holloway College. Also, since I became involved in business continuity, I've kept up my membership of the Business Continuity Institute, and I'm also a member of the British Computer Society.
Some of the things I had to learn to pass the exams, such as encryption or network design, don't figure too much in my everyday work these days, but the fact that I have the certification shows I understand them.
But how far should we go to get qualifications? I see that some people are currently proposing the establishment of an Institute of Information Security Professionals. I know at least two of the members in each of the working groups. They are all people I know and respect for their knowledge and experience.
My first thought is that I should join, but I need to be sure it will be worthwhile.
My first worry is purely financial. Maintaining my certifications along with my membership of different bodies is already costing me the best part of £1,000 a year, so I will need to see some clear benefit from joining the IISP.
But we do need professionalism in this industry. The job is becoming more and more complicated, and we need to show we have the knowledge and experience to do the job.
A company hiring an accountant will expect applicants to be properly qualified and certified by a recognised body. Information security is just as important a job, and needs to have a similar level of assurance in the form of recognised qualifications.
I'll look closely at the IISP, as all infosec professionals should, but in the meantime, I would advise anyone to get a CISM or CISSP, and think about a degree.
You're going to need it.