The integrity of IT certification is vitally important to everyone. IT, as an industry and a profession, is largely unregulated. There are no government standards that define the qualifications of any level of IT professional. There is no licensing process or required educational background. In essence, anyone can declare himself a "network engineer" or a "systems analyst." It's the Wild West of professions.
To tame this lawless environment and bring order to the chaos, the IT industry – hardware and software vendors and neutral third-party agencies – has set minimal standards for the qualifications that a person should possess to present himself as an expert in a particular IT field. These minimal standards are known as IT certifications. They fill a void created by the absence of a formal licensing process.
The qualifications a person must have in order to earn a certification are a combination of hands-on experience, skills and subject matter knowledge. Such qualifications can vary widely from one certification candidate to another and they are difficult to assess accurately. It's up to the issuer of a certification to set the baseline of qualifications for that particular credential and determine if someone has met the bar.
In an ideal world, a certifying agency would use a practical hands-on methodology to test an individual's knowledge and skills. Because this is cost-prohibitive and logistically challenging in most cases, agencies use standardized examinations to assess candidates' qualifications. When the legitimacy of the test process is compromised – for example, when people can openly find the exams posted word for word on the Internet – the value of certification is diminished. If certification were ever to lose its value completely, the IT profession in general would suffer.
For instance, when a person says "I am a Certified Information Systems Security Professional," there are definite skill expectations associated with that title, just as society has expectations of someone with the title of doctor or attorney. An employer expects that the person with the CISSP credential can help prevent or solve computer security issues for his company. But, if the validity of the credential is suspect, the employer can't have confidence in predicting the worker's performance. Worse, what if the person's job is to secure systems that process confidential information, such as credit card transactions? A breach of security stemming from an unqualified employee's actions could cause irreparable damage to millions of people whose personal information is stolen and abused.