I’ll stick with my GED, thank you very much.

However…I came across this article this morning about (practically) *mandating* that an IT security ‘professional’ be (are you ready for this) *required* to have an IT security certification. Not that I am discounting the “CISSP” certification, nor its accreditation organization, I see this as a step towards a ‘professional registration’ process.

The fact that they are mentioning ONLY ISC(2)’s certifications and no one else, leads me to believe that they are attempting to make the “CISSP” a mandatory standard without considering other certification/accreditation houses. How can they do this when agencies, such as the EPA and DOE, shot down similar (if almost *aggressive*) efforts to do the same several years ago on a similar note?

Though everyone seems to acknowledge “CISSP” as the ‘de facto’ IT security certification, I feel slighted by the fact that the CISM accreditation is still considered (by many people’s interpretation) as 2nd to the CISSP accreditation.

How is this fair? Answer: it isn’t. >((

-r

P.S. This cheapens, if not weakens, future certification efforts, perhaps ruining other more creditible accreditation firms, such as ISACA and the NSPE (just to name a few).

We use the presence of certifications to determine if a person has the fundamental knowledge required for our security analysts. The interview process determines whether the person can actually put his or her knowledge into practice. And the ability to move from academic to practical application is lacking in many people. This is not necessarily a problem with the certifcation process.

I believe certifications are a good start, but they are far from the end goal for those building a technical career.