There have been a lot of interesting reactions to the Equifax data breach. One of the most interesting for me is the criticism of the Equifax CISO’s lack of technical or cyber security education. She does have Bachelor’s and Master’s degrees in music composition as well as a resume that shows a work history at several companies also in the finance industry. This situation illustrates the challenge we all face in identifying qualified candidates.
It is only recently that Information Security degrees have become available from universities. Most people rely on “certifications” to vet qualified candidates. The Certified Information Systems Security Professional (CISSP), Global Information Assurance Certification (GIAC), Certified in Risk and Information Systems Control (CRISC) and Certified Information Security Manager (CISM) certifications are common in cyber security job descriptions. But what is the true value of such certifications?
Certifications are issued by for-profit companies whose business model is to generate revenue by issuing certificates. On the one hand, they need to ensure a minimum “quality” of their certification holders so potential customers value the brand and are willing to pay the certification fees. On the other hand, they are encouraged to sign up as many customers as possible, so the “quality bar” cannot be set too high. Once a certification brand is valued enough, an education industry develops around it to help candidates achieve the certification. You will often see “Boot Camps” that promise to fill your mind with all of the knowledge needed to pass the certification exam in one week. I think we can all agree that one week is insufficient to develop competency in any discipline.
Continue reading at http://snip.ly/reins