"People think it means you're expert in everything, but we don't sell it that way," says Hord Tipton, executive director of (ISC)2, which manages the Certified Information Systems Security Professional certification.
A recent report from the Center for Strategic and International Studies warns that cybersecurity certifications create "a false sense of security" and are used too often to demonstrate "expertise in documenting compliance" rather than real skills.
Some certification programs overemphasize how to do well on multiple-choice tests. "Some people are really good at taking an exam, but that's only one piece of it," says Vernon Ross, director of talent and organizational capability for IT with Lockheed Martin.
The CSIS report argues that mandated certification and licensing requirements aren't enough and recommends another approach: creation of an independent board of cybersecurity examiners akin to the National Board of Medical Examiners.
Several of the CSIS report authors have created such an organization, the nonprofit National Board of Information Security Examiners, led by Mike Assante, former cybersecurity executive at Idaho National Labs and North American Electric Reliability Corp. However, some observers warn of a potential conflict of interest, given the CSIS tie.
Assante (who isn't one of the report authors) says the newly formed board doesn't aim to compete with existing certifications, but to employ more advanced "performance-based" testing than is used elsewhere. That might include hands-on tests and simulated environments.