There is a similar issue with technology certifications (e.g. FIPS 140-2).
A lot of companies treat these as some kind of mystical incantations that will protect them if sufficiently invoked. Case in point: being mandated to switch from one OTP generator app to another because the latter is "FIPS-Compliant" - regardless of the fact that both generate the exact same set of OTPs.
This cargo-culting is not inherently harmful, but it leads to magical thinking and a false sense of security, as well as diverting time and energy away from more productive avenues.
I suspect that the CISSP-genre of certifications suffers from a similar pathology: intrinsically they do function as at least a partial indicator of some type of competence. The problem is when actors with a financial incentive to game the system meet up with bureaucracies: the less defined but more accurate metrics are thrown under the bus in favour of something that is easy to quantify and sell.