Never Judge an Information Security Professional Solely by their Security Certifications

Recently I attended a gathering where a litigation lawyer was giving a presentation and made the statement, “The defendant’s information security officer did not have any type of security certification, such as a CISSP (Certified Information Systems Security Professional) or CISM (Certified Information Security Manager), which demonstrated lack of qualification for her position, and negligence on the part of the hospital system that had hired her to fill that position.”

Hmm; that was a pretty bold statement. And one with which I do not agree. I know a lot of brilliant information security professionals without certifications who are some of the greatest experts in their specific areas of work.

This incident motivated me to do a little research to see how many folks who are in information security leadership roles have an information security certification; in particular a CISSP or a CISM, since the lawyer had called those out specifically. And, since this was a case in the U.S. healthcare space, I decided to narrow my scope to the U.S.

It was fairly easy to find the number of folks who hold these certifications within the U.S.

  • According to (ISC)2 there are currently 65,364 CISSPs in the United states and minor outlying islands.
  • According to ISACA there are currently 9,995 CISMs in the United States.

The trickier part was determining the total number of folks who fill information security positions. This was more challenging because, 1) there is not one specific title given to those in such roles, 2) there are many different types of information security positions, and 3) many folks responsible for information security are also responsible for other things, so you cannot determine by their title alone if they are responsible for information security.

So, who has possibly the only set of fairly comprehensive statistics for information security professionals in the U.S.? The U.S. Department of Labor (DoL). The challenge was determining which of the DoL’s limited titles would be the best to use. Here are the information security and compliance related titles and number of associated individuals filling them for which the DoL provided statistics, the most recent from May, 2014:

This totals 327,150 in the U.S with these information security titles.

So, when using the numbers of total CISSPs and CISMs in the U.S. provided above with this total this results in:

  • 20% of information security and/or compliance officers that have CISSP certifications
  • 3% of information security and/or compliance officers that have CISM certifications

Since the lawyer was talking about a CISO at a hospital system, she probably fell into one of these two categories.

But, wait. There were also 184,740 Medical Records and Health Information Technicians and 330,360 Computer and Information Systems Managers, within which there are likely many additional folks who perform information security activities who have CISSP and/or CISM certifications. So, taking them out of the previous calculation, that would leave even lower percentages of information security officers who have CISSP and/or CISM certifications.

Does this mean that the vast majority of CISOs are unqualified and that the organizations they work for are negligent by having them fill that role? No, of course not.

Let’s consider something else: 209 of my approximately 2,600 LinkedIn contacts have CISO in their title. Checking the first 10 listed, I found that 4 of them had either a CISSP and/or a CISM certification. However, based upon the length of their careers, and accomplishments, I would say all ten were more than qualified, and had some significant expertise. I realize this is a very unscientific way of determining if people who are uncertified CISOs are incompetent. However, the numbers and stats are enough to say to the lawyer making the bold statement, “Your statement is unfounded, and statistics show otherwise.”

Lesson:

Just because an information security professional doesn’t have a security certification, such as a CISM or a CISSP, it does not mean they are unqualified for an information security leadership role. While certifications are one type of qualifier to consider, organizations…and litigation lawyers…also need to consider the information security professional’s experience, demonstrated expertise and accomplishments.

In short, never judge an information security professional solely by their security certifications, or lack thereof.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

Tags: , , , , , , , , , , , , , , , ,

Leave a Reply