I’ve already written several blog entries concerning information security certifications. I do not want to keep beating a dead horse, so to speak, but certification-related issues keep surfacing to the point that I need to get a few things off of my chest. I recently read the résumé of someone I know well. At the top of this résumé eight information security certifications were listed. Sometime after I had read this résumé, this person told me that he planned to get yet another certification in the near future.
I often teach courses designed to prepare attendees for certification exams. Whenever I teach these courses, typically at least one attendee asks me my opinion concerning what certification that person should pursue next, once s/he has passed the upcoming exam. The first thing I ask is how many certifications that person already has. The reason is that I am seeing a trend towards earning one certification after another, something that is not necessarily advantageous to an information security professional. For one thing, it makes that person look like a “certification gadfly,” someone who devotes a good proportion of time to earning certifications and keeping up continuing professional education (CPE) credits instead of devoting more time and effort to work. Don’t get me wrong—certifications can be useful in that they help professionals to learn not only generally accepted systems security principles (GASSP) but also specialized and more complex knowledge and skills such as implementing and maintaining firewalls and intrusion detection systems. But assuming that moderation in all things is desirable, someone who has obtained eight or nine certifications has gone over the top. I would not even consider hiring someone who has gone this far overboard.
My second question is whether that person has earned a college degree. Having spent a good part of my professional career in academic circles, I am admittedly biased in favor of professionals who have obtained at least one college degree. But I have become familiar with cases in which information security professionals have four, five or six certifications, but no college degree, and they somehow think that the certifications compensate for their not having a degree. Their thinking is downright specious. Many professional certifications are in effect equivalent to a college student completing a course by attending lectures, cramming for an exam, and then passing the exam. In most colleges and universities, getting only 67 percent of exam questions correct would at best get a student a barely passing grade, yet in most information security certifications a score of 67 percent on an exam is sufficient to bestow certification on the examinee. So someone who has earned a college degree in, say, computer science should at least in theory be given scores of certifications! Think about it. So if someone who is taking a certification course from me asks me what his/her next certification should be, and if that person does not have a college diploma, I advise that person to go back to college and earn a diploma. Earning a college degree requires persistence and determination, the kind of persistence and determination that characterizes highly effective information security professionals. Frankly, I would much rather hire a person who has a college degree and only one certification than someone who does not have a college degree, but has five or six certifications.
Finally, the certification craze in information security is not completely the fault of professionals caught up in a craze. Some organizations give bonuses to employees for each additional certification they earn. But more importantly, there are too many certifications out there. In engineering, there is one PE—professional engineer—certification, one that is very difficult to obtain, by the way. In information security, we have all kinds of organizations offering literally scores of certifications, some of which are superfluous. In some cases the content of a certification course is easy, as is the exam. Although (ISC)2 made a valiant effort to offer one standard certification back in the early 1990s, this organization, too, has succumbed to the trap of offering numerous certifications. We need an oversight organization to scrutinize, provide a publicly available evaluation of, and approve certifications, but this will never happen now because of all the money organizations are making off the certification craze. Pandora’s box has in effect been opened, never to be shut again.
So the next time you think about obtaining another certification, you just might want to think some more. Another certification may not be what you really need.