What's in a certification?

14.12.2006

That was the idea, at least. As more companies adopted the model, pressure increased for enterprise software and network clients to adopt vendor-certified implementation processes and people. At the same time, test mills expanded from the already-lucrative college and graduate school exam-prep market into the realm of professional IT certifications -- and churned out waves of certificate holders with no experience. Adding a third axis were a few vendor-independent organizations, making much noise about their certifications denoting distinguished experts rather than just competence. Reality, as usual, was somewhere in the middle.

Microsoft and other vendors started to bind their certifications to products, and then to specific versions of those products. (Novell, interestingly, went against the grain when it acquired UnixWare in 1993, broadening and renaming the CNE designation to Certified Novell Engineer.) While this is great for short-term projects where a product revision cycle is longer than the average tenure of an entry-level employee or temp, it reduces relevance for clients seeking to make a long-term investment in qualified persons -- i.e. hiring.

Worse, some of the independent certifications expanded too quickly and, in my own experience, quality fell through the floor. The Global Information Assurance Certification (GIAC) series offered by the SANS Institute got off to a good start in a few technical areas, but when I sat for the GIAC Information Security Officer certification exams (there were two), they had numerous repeated questions, spelling and grammatical errors and other indications of lax review and immaturity. The paper I wrote for the certification -- which SANS later posted to its "most popular security resources" page -- was returned with erroneous edits and off-base comments. Never have I been so annoyed about passing an exam.

The Certified Information Systems Security Professional (CISSP) exam administered by the International Information Systems Security Certification Consortium (ISC2) was clearly better prepared, edited and reviewed, even in its first iteration. When I went through the process, some of the ISC2 test preparation materials and even the guidance during the exam were labeled "Beta" or "Version 0.9."

No annoyance there, even without knowledge of the newness of the program, because there was a clear sense of respect for applied knowledge over rote behavior. The book upon which much of the CISSP program was based, "Information Systems Security: A Practitioner's Reference" written by Phil Fites and Martin Kratz with its rather dated 15 domains of security, is still a useful and insightful tome. (It's long out of print, but can still be found.)