Microsoft Certified Master program – Is This The Answer to Certification Woes?

In the past few years, many people – myself included – have expressed a desire to see the quality of the Microsoft certification program improved.  Even though there have been some positive changes in the MCP program during the past few years, it still lacks the repute (and frankly, market value) many of us hope for.  On that topic, I was interested to read in Greg Low’s blog earlier this week that there is a new Microsoft Certified Master certification program for SQL Server 2008.

According to Greg’s post and the information on the official website, this track is a rigorous 3-week program (that’s three straight calendar weeks, not three work weeks) that blends instruction, labs, and exams to provide a comprehensive evaluation of candidates for the Microsoft Certified Master: SQL Server 2008 certification.

This program is not for the faint of heart or wallet – long days over three straight weeks make for a brutal schedule, and the $18,500 price tag (plus travel, lodging, etc.) sets this certification apart for only a select few.  There is a formal application process, and candidates must meet a number of criteria to qualify; a minimum of 5 years' experience along with the MCITP admin and developer certifications are the most notable prerequisites.  The application fee alone is $125 and is, of course, nonrefundable.

We asked for a better, more thorough certification process.  Is the Microsoft Certified Master certification the answer?  No, at least not by itself.

Let me first say that this new certification is a great idea.  Those who need or desire to set themselves apart as the top 1% of the top 1% will be well served.  I can think of a few people I know whose knowledge, experience, and occupation would be well suited to justify this kind of investment, but I can count those people on one hand.  Most people can convince their employers, or can justify spending from their own pockets, a few hundred, perhaps even a thousand dollars every few years to maintain current certifications.  However, many employers have to be given the hard sell to send their staff to one week of training at $2-4k per week, never mind the $18k plus expenses (along with three weeks away from work) for this new offering from Redmond.  There are probably a few independent contractors who could cost-justify this, but for the other 99.9% of us, it would be impossible to amortize such an investment of time and money, especially considering that we'll see a new product every three years.

There is still a large underserved population within the SQL Server community who want more than the off-the-shelf MCTS/MCITP certification offers, but are unable to rationalize spending the kind of time and money required for the new Master certification.  I would like to see something in between these two extremes:  a certification requiring an application and certain experience benchmarks, along with more practical examinations and at least one personal interview.  In my mind, this is a process that could be completed in three or four days, administered regionally rather than solely in Redmond, and farmed out if necessary – at least partially – to existing test providers.

I know this would take some time to implement, and even cutting-edge companies such as Microsoft take some time to change direction like this.  The answer may come from a party other than Microsoft – perhaps even PASS as Andy Warren suggested recently.

Comments for or against are welcome… Let me know what you think.

Does regulation make data any safer?

Working with healthcare organizations, I am constantly aware of the restrictions my staff and I must abide by according to HIPAA constraints.  It's not really rocket science; as far as data security goes, HIPAA mandates what logically should already be in place.  Any organization that takes data security seriously will already have safeguards on the storage and transmission of data, fully tested backup and recovery procedures, comprehensive access control, and auditing tools.  I'm quite sure that most people sleep better at night believing their sensitive medical records are safer because of HIPAA.  But are they really safer?

Like most government regulations, HIPAA dictates what should or must be done without indicating how it must be done.  There are certain key items, including uniquely identifiable user IDs and auditing, that are specifically identified as “Required” by HIPAA, but the standards for these mechanisms are not further defined.  For many other elements, entities governed by HIPAA are required to take measures that are “reasonable and appropriate”, leaving much room for interpretation.  And it's that gray area that makes me question the effectiveness of regulation as a whole.

For me, reasonable and appropriate security measures include a need-to-know policy for data access, encryption on every leg of data in transit, a fully anonymized data set (no live data) for testing and training, and desktop access procedures to prevent inadvertent unauthorized access.  However, because regulations are largely subject to interpretation, one cannot be absolutely sure that these measures are being taken to safeguard sensitive data.  I have worked with a number of vendors who properly insist upon abiding by the best-practice implementation, but there are still many shops – and even some large organizations – that only do the bare minimum to avoid fines from the feds.  I know of one large software vendor that has a standard practice of rolling out their entire live environment, complete with sensitive personal information, to the training and testing environments where auditing is minimal if not completely absent.  I dealt with a small shop recently that was receiving most of their data on a standard unencrypted FTP server.  Interestingly enough, when I challenged their technical person that the FTP server was not secure, she told me “No, it's pretty secure here.”  Pretty secure?  What, secure as in it's locked up in your server room?  And though it's difficult to prove or audit, I suspect that the exchange of sensitive information is done via e-mail much more often than people acknowledge.
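The “fully anonymized data set for testing and training” point above is the one that most often gets skipped, because copying the live database is easy and anonymizing it is work.  The following is an added example, not code from the original post, showing the minimum a practitioner would want before a copy of production leaves the production environment: a keyed, one-way pseudonym for the patient identifier (so records for the same patient still join together), dates shifted by a per-patient offset (so intervals between visits survive but real dates do not), date of birth reduced to a year, direct identifiers removed, and a final scan that refuses to release the copy if anything that looks like an identifier is still present.  The sample records, field names and the key are constructed for the example; a real key would be held outside the test environment.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta

# Constructed sample of "live" records for this example only; no real patients.
LIVE_RECORDS = [
    {"mrn": "MRN-00042", "name": "Jane Q. Sample", "dob": "1971-03-14",
     "ssn": "123-45-6789", "visit_date": "2009-02-03",
     "notes": "Patient Jane Q. Sample, call 555-0142, SSN 123-45-6789."},
    {"mrn": "MRN-00042", "name": "Jane Q. Sample", "dob": "1971-03-14",
     "ssn": "123-45-6789", "visit_date": "2009-02-10",
     "notes": "Follow-up; reach at jane@example.org."},
    {"mrn": "MRN-00077", "name": "John Doe", "dob": "1950-11-30",
     "ssn": "987-65-4321", "visit_date": "2009-01-22",
     "notes": "Routine."},
]

# Hypothetical key for the keyed hash. Kept out of the test/training
# environment so nobody holding the copy can reverse the pseudonyms.
PSEUDONYM_KEY = b"example-key-kept-out-of-the-test-environment"

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")


def pseudonym(value, key=PSEUDONYM_KEY):
    """Keyed, one-way, consistent token: the same MRN always yields the same
    token, so foreign-key joins in the test copy still work."""
    return "PSEUDO-" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]


def date_offset_for(value, key=PSEUDONYM_KEY):
    """Per-patient shift in the range -182..+182 days, derived from the key so
    every visit of one patient moves by the same amount."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return int(digest, 16) % 365 - 182


def shift_date(iso_date, days):
    return (date.fromisoformat(iso_date) + timedelta(days=days)).isoformat()


def days_between(iso_a, iso_b):
    return (date.fromisoformat(iso_b) - date.fromisoformat(iso_a)).days


def scrub_text(text, name):
    """Remove the known patient name and anything shaped like an SSN, e-mail
    address or phone number from free text."""
    text = text.replace(name, "[NAME]")
    text = SSN_RE.sub("[SSN]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    return text


def anonymize(records, key=PSEUDONYM_KEY):
    out = []
    for r in records:
        offset = date_offset_for(r["mrn"], key)
        out.append({
            "mrn": pseudonym(r["mrn"], key),
            "name": "[NAME]",
            "dob": r["dob"][:4],                      # year only
            "visit_date": shift_date(r["visit_date"], offset),
            "notes": scrub_text(r["notes"], r["name"]),
            # the "ssn" column is dropped entirely; tests never need it
        })
    return out


def find_residual_identifiers(records):
    """Release gate: list anything that still looks like a direct identifier.
    An empty list means the copy may leave the production environment."""
    findings = []
    for i, r in enumerate(records):
        if not str(r.get("mrn", "")).startswith("PSEUDO-"):
            findings.append((i, "mrn", "raw identifier"))
        for field, value in r.items():
            if not isinstance(value, str):
                continue
            for label, pattern in (("ssn", SSN_RE), ("email", EMAIL_RE), ("phone", PHONE_RE)):
                if pattern.search(value):
                    findings.append((i, field, label))
    return findings


if __name__ == "__main__":
    anon = anonymize(LIVE_RECORDS)
    for row in anon:
        print(row)
    print("residual identifiers:", find_residual_identifiers(anon))
```

The scan at the end is deliberately separate from the scrubbing: the same regexes that drove the scrubbing are re-run over the output, so a new free-text column added to the schema later fails the release gate instead of silently carrying live data into training.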

Fortunately, in every case in which I found a potential vulnerability, I was able to strong-arm the parties involved by waving the HIPAA security rule flag – even though there may not have technically been a violation of regulations, the suggestion that a high-profile breach was possible was enough of an argument to force a procedure change.  Still, when I think about all of the places over the years where I may have left sensitive data, I can't help but wonder how seriously those places take security.  Are they as stringent about security as I am, or do they have the kind of lackadaisical attitude about data protection that keeps people like me up at night?

I’m curious – since most of my regulatory experience revolves around HIPAA, I’d like to hear from those who regularly deal with SOX or similar legislation.