By John S. Monroe
April 06, 2009
We have heard from a number of readers who see little value in requiring
cybersecurity workers to have security-related industry certifications.
They were responding to our report about a Senate bill that would
require contractors to license and certify anyone providing
cybersecurity-related services to a federal agency (you can read the
story here ).
Several of these readers are not impressed specifically with Certified
Information Systems Security Professional (CISSP) certifications. But
certification, in general, is a bit of a red herring they said, because
it does not reflect work experience, which is more valuable than test
So we can't help but wonder: What is the point of certification? How can
federal agencies ensure that their cybersecurity staffers, and their
contractors' staff, have the right skill sets?
Meanwhile, here are excerpts from the comments we've received.
* I've been certified since 2003 and have contact with many "certified"
folks who have no experience with actual skills on the job. The cost
of getting certified is high for both individuals and companies, yet
the government still wants to award to the low bidder. Companies can't
afford to spend a lot of money and not get a return on their
investment in the people. It is also very difficult to retain trained
'professionals' no matter if they are trained while under government
sponsorship or by their company. There is a lot of job hopping to
increase salaries without remaining long enough to actually
learn/perfect skills or truly contribute to the agency's mission.
Best Selling Security Books and More!