I’m pleased that my fellow blogger, Stuart King, takes pride in his new qualification as one of the first full members of the Institute of Information Security Professionals (IISP). It’s certainly a good thing to encourage security practitioners to aim for professional recognition. And as a founding director I have a soft spot for the Institute.
But I do worry about the continuing focus on qualifications rather than education. In my view we’re not tackling the real problem. Qualifications don’t make people better at their jobs. The key requirement is training. And there’s simply not enough of that.
Security professionals should be encouraged to attain an MSc or post graduate diploma. That’s the minimum standard appropriate to the work, and the target I set for Royal Mail Group practitioners. Obtaining qualifications on the basis of experience is a less demanding route. It might solve a management problem but it doesn’t improve the quality of the work.