Being an InfoSec Professional / Cybersecurity

Reflections on certification, part 1

In his essay, “Disabling Professions”, Ivan Illich writes, “Let us first face the fact that the bodies of specialists that now dominate the creation, adjudication and implementation of needs are a new kind of cartel….Professionals assert secret knowledge about human nature, knowledge only they have the right to dispense.”

When he wrote the essay, certifications were not common.  There were licensed electricians and plumbers but as they often worked through unions (he might also call them “guilds”) and were mostly expected to follow a building code there was some guarantee of quality.  Nor did he ever challenge the idea that professions like those of medicine and law required extensive training and therefore the claim of expertise among these professionals was genuine, if self-serving.  What he challenged was what that claim of expertise led to: a population of consumers that depended on the professional not just as a service provider but as a validator of the very act of consumption.

Which leads us to further consideration of becoming “certified”.  The mechanics of most certifications in the areas of Information Security, Governance, Risk and Controls are the same: you display mastery of a “common body of knowledge” (ISC2 give us that phrase), attest to a certain amount of experience in the field and you “keep up” by documenting on-going training or “continuous” educational “units”.  The first requirement, displaying a mastery of a body of knowledge, is most often through an exam and is controlled by the certifying organization.  The exam is the gate on the initials that, following a comma after your name, indicate that you have achieved a level of professionalism.   The certifying organization is the gate-keeper.  Certification in products from their manufacturer (MCSE for esample) are different—the gate-keeper is also the manufacturer so their curriculum has a commercial self-interest attached to it.

Certifications are not like college degrees.  Once you earn a degree, you cannot have it taken away for lack of “keeping up” with your field.  They are not like licenses in that they are not required to get paid for work in your field; and, in the case of licensure, sometimes it is against the law to “practice without a license”.  For example, you cannot legally practice medicine without a license but you can be a surgeon without being board certified.  And since certification is not required to practice in many fields, it is by no means the only way to prove competence.

So why do it?  To be certified is to have used a third party’s process to prove that you don’t just “know stuff” but that you understand it and how it fits into a framework.   Now here’s the one part where Illich’s critique is relevant.  The framework is constructed by the gate-keeper.  This does not make it good or bad, but it does mean that the likes of ISACA and ISC2 have a self-interest not just in providing certification but in establishing their credentialing programs as authoritative.   The certifications require work experience as well as mastery of content.  In this way, the organizations position the credential as a culmination of some sort.  You, newly certified professional, have arrived.  And you now have a stake in assuring that the world in which you work considers that certification to be worth something.  You, as a professional, are now dedicated to making sure that the certification retains its value.

The way you accomplish this, in large part, is to become an advocate for the body of knowledge, the framework, the specific credential itself.  Even if you wish to advocate change to the “body of knowledge”, you are encouraged to do it through the credentialing body’s process, so that the value of the credential itself is not at risk.

This is not to say that there is anything wrong with the body of knowledge or that the credential is, itself, worthless.  But we need to always consider it a starting off point, not a culmination.  The body of knowledge, the content, in particular must never be seen as a closed collection of principles and facts.

They are important, you should know them, but they do not alone make you competent.  As Frank O’Hara wrote about baseline skills (but in a different context): “that’s just common sense: if you’re going to buy a pair of pants you want them to be tight enough so everyone will want to go to bed with you.”

I would like to see credentialing programs require not just a minimum number of “ceu’s” (continuing education units) but also “ccdc’s” (continuing credential development contributions).

This is particularly important for security, of course.  Because one of the principles of security is that if your defenses are completely “by the book” then all an attacker has to do is read “the book” to find your weak spots.  Perhaps this has just been a long way of getting to a simple point: don’t get too comfortable with yourself for mastering a credential’s body of knowledge, lest you find yourself too concerned with furthering your profession’s status and lose sight of your profession’s purpose.

2 thoughts on “Reflections on certification, part 1

  1. Also important as an employer is to realize that certifications are not empirical knowledge of a subject. When you’re hiring security professionals it’s important to test the person for a personality fit as well as their knowledge in the discipline you’re hiring them into! Thought provoking article David.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.