I’m pleased that my fellow blogger, Stuart King, takes pride in his new qualification as one of the first full members of the Institute of Information Security Professionals (IISP). It’s certainly a good thing to encourage security practitioners to aim for professional recognition. And as a founding director I have a soft spot for the Institute.

But I do worry about the continuing focus on qualifications rather than education. In my view we’re not tackling the real problem. Qualifications don’t make people better at their jobs. The key requirement is training. And there’s simply not enough of that.

Security professionals should be encouraged to attain an MSc or post graduate diploma. That’s the minimum standard appropriate to the work, and the target I set for Royal Mail Group practitioners. Obtaining qualifications on the basis of experience is a less demanding route. It might solve a management problem but it doesn’t improve the quality of the work.

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

I don't think that's entirely fair David. The IISP have a very rigorous application process for full membership which takes account of academic qualifications as well as vocational ones, plus validating work experience. I know because I've spent all evening filling in the application form and I'm not yet half way through.

Whether an academic qualification (such as an MSc in Information Security) is more beneficial than a vocational qualification (such as a SANS Firewalls Certification) depends on the intended audience. As far as recruiters are concerned; all they seem interested in is whether candidates have a CISSP and, unless you are looking for a new job, do any of these pieces of paper really matter? Existing employers judge you on your performance in the role, not the letters after your name. You are only as good as your last appraisal!

Don't feel that I'm being cynical, I have all of the qualifications I mention above - and thoroughly enjoyed studying for them - but I can't say that any have directly advanced my career. Their greatest value has been the contacts I've made on the way. I hope the IISP will provide not another qualification, but an opportunity to build contacts with other security practitioners - because, in this game, who you know is at least as important as what you know.