Thursday 16 August 2012

Badges of dishonour

Everyone likes a badge - especially if it's a badge of honour. Many of us brandish the CISSP badge. I don't - perhaps I should. My reasons for not doing so are many, but all centre around the simple fact that many people I know who wear this particular badge are, in intellectual terms, on a par with single-cell animals. I could say the same for the CISM qualification - there are individuals who hold this qualification who I wouldn't trust to dress themselves correctly.

I've always regarded any qualification you can scrape through via a week-long 'boot-camp' course as suspect. Boot camps boost short-term memory - what's learnt in this manner normally fades quickly. Even with refresher courses, I think these and similar qualifications lend themselves to one simple capability - a decent memory. I'm very aware that many (indeed most) holders of these badges are upright, solid and reliable professionals. The badge is not, in my opinion, proof of that - it's what these people do and the changes they manage that are important. Give me experience and proven competence over a badge like these any time.

How then do you test if someone is competent without spending some length of time working with them? The answer is not simple. Testing competence cannot be done via a multiple-choice tickbox. It can only come via the thorough examination of evidence, and asking the person claiming competence some direct and tricky questions. The problem is, the person asking the questions, and judging the responses, has to be an expert - someone who is him or herself time-served and competent.

I've always been a keen student of initiatives to 'professionalise the profession', mostly because they are a source of deep amusement to me. However, the UK Government is now seeking to certify Information Assurance specialists using a number of Certification Bodies, or CBs. The CBs are the APM Group, the British Computer Society and the Institute of Information Security Professionals.

The APM Group is the first CB to go live (June 2012) having satisfied CESG (the UK Government body that deals with Information Assurance matters) that their assessment process is appropriate. What pleases me about their approach is that they use experts who themselves are certified. They have an assessment process that includes review of CVs, review of an Evidence Form that draws out experience and capability - backed up by interviews that test the evidence. You can't get that from a tickbox.

It looks as if the UK Government will, at some point, demand that many people involved in government Information Assurance get certified or be denied the chance to practice. If the certification is as rigorous as seems to be the case of the APM Group approach, we might find ourselves having a model process for professional assurance of ourselves. I'd sooner deal with someone who's been proved to be competent over someone who's proved he can remember a list of words.
