I remember a time -- nearly two decades ago -- when IT certifications were held on a pedestal. Those who had them -- at least in my young eyes -- were the elite. There were only a handful of IT-related certifications, and those holding them were the few and the proud. Now look at where we are. The seemingly hundreds of certifications are held by seemingly millions of people. It's as if we're trying to attain these badges of honor so people will notice us. "Look at me! Look at me! I'm 'certified' and worthy of employment!"
Well, any logically thinking IT pro (that's all of us, right?) will tell you that certifications aren't really all that. Sure, they prove that the person knows how to study, knows how to memorize a few concepts, and has good test-taking skills. I'm not saying that software and security-centric certifications such as CISSP, PMP, and the new Certified Security Software Lifecycle Professional (CSSLP) aren't difficult to pass. I am saying, however, that simply passing a certification exam doesn't necessarily prove what the person really knows and can execute in real-world scenarios. It especially doesn't prove what type of employee the person is going to be.
I've known many, many people with no experience whatsoever who have gone out and taken the biggie information security certification exam, passed it, and boom, they're now considered an "expert" just like anyone else in the field. And this is regardless of their experience and true know-how. The real kicker is that this is a certification that supposedly required three-plus years of experience before you could even sit for the exam. To me that's just wrong. It waters down the certification process and indirectly punishes those who really know their stuff.
Let's look at the business side of certifications. Are certifications a marketing ploy by so-called "non-profit" organizations to beef up their revenue? Likely so. But who cares? People are coming up with ways to make money, so more power to them. What about the flip side? Are certifications a marketing ploy used by IT professionals to get potential employers and clients to recognize them? Well, why not? There's nothing wrong with that. We humans do things for our own selfish reasons anyway. If it works for us, why question it?
When you get down to the nuts and bolts, certifications do have something to offer. I can think of several benefits right off the top of my head:
- You'll learn new material whether or not you believe you know all there is to know about a topic
- You'll show others that you have the wherewithal to learn new content or at least brush up on old ideas
- You'll demonstrate that you're interested in bettering yourself and may just possess the personality traits required to succeed in business
- You'll get over one -- if not all -- barriers to entry when marketing yourself to employers and clients
- Your organization can show that it takes security (or software quality or whatever topic) seriously by hiring you if you have such a certification or sponsoring your obtaining it
Even with these benefits I'm still down on what certifications stand for. They're a product of a market that's trying to define itself -- for good or for bad. That being said, I do realize that certifications are an important tool for helping each and every one of us succeed in our careers. The same can be said for degrees, continuing education courses, and so on. It's just how things work.
So, does certification really matter? Yes, it does. If you want to get by and move ahead, then certifications have to be on your radar. There's just too much competition and too much at stake to not at least pursue a certification if it's going to help you in your specific circumstances.
If you choose to get certified, then make the most of it. Take the time to learn every aspect of the material rather than just focusing on whatever it takes to pass the test. Making a habit of giving everything you've got helps instill traits of leadership and success that far surpass the value of any certification you could ever obtain. By mastering the material, you'll learn more, earn more, and create an environment so you can truly enjoy what you do.
About the author: Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC, where he specializes in performing independent security assessments and information security career counseling for up-and-coming IT pros. He's still trying to pin down exactly how the certifications and degrees he has earned have benefited his career, but he knows deep down that they have. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books.