Why does the government require CISSP or Security+?

Last Updated on September 5, 2019 by Dave Farquhar

Why does the government require CISSP or Security+ for certain jobs? While requiring people to pass a test can cause problems, I’ve seen it solve bigger problems.

Certification tests establish a baseline set of knowledge that a person filling a role has mastered. It provides a standard, repeatable, and objective third-party measure of a person’s qualifications, even if it’s possible to game the system.

Requiring certifications prevents nepotism

Why does the government require CISSP or Security+? Because it guarantees exposure to a standard body of knowledge. And in my experience, people with the same or very similar certifications tend to work well together.

I won’t name names for obvious reasons, but I once worked in a government office where someone had attained a position without meeting the requirements. Her dad had connections, so she got the job. Once she got the job, she gathered dirt on people. That got her promoted.

She ended up working in an IT security office. She was not qualified for the job. One time when a system was giving a coworker trouble, she asked if he’d made sure the monitor was on. And she was very proud of herself for coming up with this suggestion. Rumor had it she hadn’t even finished high school, but there she was, in a job that required a master’s degree.

Once that agency started requiring certifications, it solved that problem. They had to move her somewhere else, since she had no hope of passing Security+, let alone CISSP or CISM.

Later in my career, I mentored a junior-level guy who was immensely talented. But he also had issues, including ethical issues. The difficulty he would have getting a security clearance should keep him out of government. I certainly hope it would. But requiring a certification provides another safety net, since the certification requires the holder to maintain a certain level of personal integrity.

But lots of smart people in security aren’t certified!

It’s true, there are people in the security field who aren’t certified. I know a guy who was the CISO of a Fortune 50 company who didn’t have any certifications at all, and he was rather proud of that fact. I also know it caused the company problems from time to time. Other companies were reluctant to do business with a company whose CISO didn’t even have Security+.

I know he doesn’t want any career advice from me, but I think he should break down and get at least one certification. Would anything on the test be news to him? I hope not. But not making your employer apologize for hiring you is always a good thing.

What does a certification prove?

Critics of certifications say that all a certification proves is that you can memorize enough facts long enough to pass a test. And a company I used to work for determined that you could become a CISSP by memorizing approximately 3,000 things. That place was a CISSP factory for a number of years, and I may have been one of their last. But even knowing those 3,000 things, when I took the test, there were plenty of things on it that weren’t in those questions. Knowing those 3,000 things might get you 70% of the answers, but I had to draw on a decade and a half of experience to answer the rest.

A mediocre CISSP memorizes a bunch of stuff, attends a trade show or two per year and takes the quizzes in the back of the organizational magazine to fulfill the continuing education requirements.

Sifting out the mediocre CISSPs and hiring the good ones is what the interview process should be for. For any job opening there should be at least two qualified candidates. The interviewer’s job is to find the better of the two.

I had considerable experience when I started studying for the CISSP. But I quickly learned not all of my experience was good experience. I had to unlearn and re-learn IT management structure, and who the proper IT decision-makers are in a company. When you interview a CISSP, you know you’re talking to a person who’s been exposed to and tested on these things.

Why the government requires CISSP or Security+, concluded

By requiring Security+ (and the CE version at that) or an equivalent for jobs at a certain level, and CISSP or CISM for higher-level jobs, the government has some control over what it gets when it fills GS roles and roles on contracts. And I’ve found in my experience that people with the same certifications frequently work well together, because they share a common understanding about the systems they’re working on.

Requiring certifications means the government turns away people it might not necessarily need to turn away. It’s a trade-off. Working for the government generally means a certain amount of stability, in exchange for making a bit less money. If you want that stability, you’re going to need to be able to play by the rules, and part of that is getting the required certification.

If you want to be a lone wolf and go without a certification, there are places that will hire you. They’ll probably pay you more too, once you prove yourself.
