There are few topics capable of generating as much debate in the field of IT security as certifications: they’re great, they’re useless, generalist, product specific… Proponents and detractors put forward quite valid arguments when it comes to defending and questioning the real value of security certifications.
Let’s imagine for a moment that we have a helmet that allows us, at the push of a button, to become either a fanboy of certifications or their staunchest enemy. Helmet in hand (well, on our head, safety first), let’s go over some arguments for and against security certifications.
Pros
- They are useful for getting interviews. One of the main problems HR personnel face when screening candidates for a profile is knowing who might be a good fit (IT security recruitment has its own story, and deserves an article of its own). Security certifications come in handy because they provide the buzzwords HR needs to filter candidates. Having or not having the right certifications can, in many cases, decide whether you move on to the next phase of a selection process.
- They are personal. They go with you when you change jobs and are yours for good (as long as you maintain them, which we will talk about later). Companies tend to like certifications, so they are a good argument when negotiating salaries.
- They show motivation. You can enter IT security from many profiles (developer, system administrator, network administrator, etc.). Likewise, you can enter because you are really passionate about security, or simply because it is a field that is now fashionable and therefore has plenty of work and/or pays well. Security certifications show, to some extent, that somebody is “serious” about security and wants to develop their career in this area. Dedication and motivation in our field count. A lot.
- Your company likes them. Many public tenders have a scoring section related to the quality of the personnel that will execute the project. Since 95% of the personnel will be engineers or similar, two ways to assess their quality are their years of experience… and the security certifications they hold. Also, for marketing purposes, if a company can say it holds N-hundred certifications, it is good for its ego, which doesn’t hurt either.
- You learn new things. No one comes out of university as an expert in computer security. No matter how many courses we take and how much we train ourselves, there are always particular aspects or topics that escape us. Preparing for a security certification (almost always tied to a specific field) forces us to go deeper into that field, strengthening concepts and improving our knowledge of the subject.
- You learn new jargon. Many certifications cover concepts that are not purely technical but help you understand the security business. Knowing what auditors mean by “risk appetite”, or IT service managers by “change management”, broadens our view of the business and helps us understand it better.
- Self-improvement. Thinking that you are in control of a subject is all well and good. Passing an objective test that shows you have mastered it is much better.
Cons
- Their real value is debatable. Somebody could say that obtaining a certification is much like studying a book and passing an exam, which does not necessarily mean you have the depth of knowledge the certification implies.
- The cost is high. Most certifications are expensive. Sitting for the exam usually starts at €500. Add to that the study material and the (sometimes optional) preparation courses.
- The exams are not great. Although there are exceptions, virtually all certification exams consist of multiple-choice questions (with questionable answers in many cases), leaving out exercises and case studies that could really demonstrate the examinee’s knowledge. And good luck if you choose to sit the exam in a language other than English: translating a question that is already intricate in English into another language while preserving its spirit is sometimes impossible.
- Maintaining a certification is a pain. Once a certification is achieved, in many cases the holder must periodically report the famous CPEs (Continuing Professional Education), activities meant to keep the holder up to date in the field of the certification. CPEs seem a good idea a priori, since they force holders to refresh their knowledge periodically, but in reality they often end up being a mostly bureaucratic procedure.
- If you don’t have certifications, you’re no good. A twisted logic can take hold that leads one to think “if you have certifications you’re good, if you don’t have them you’re bad”, when there are top-level professionals who don’t hold a single certification.
Tips
If you are thinking about getting certified, here are a few tips:
- Decide if you need to get certified. A certification has its benefits, but also its cost (both in money and in preparation time). Learn about the certification and how it can help you improve your knowledge and professional profile.
- Find out if the certification is in high demand. A good technique is to search Infojobs, Monster or any equivalent job site to get an idea of how often it is requested.
- Read all the small print. Especially regarding access requirements (in some cases you must have prior certifiable experience), whether a preparatory course is mandatory, and what you have to do to keep the certification. It is also important to know when and where the exams can be taken (some certifications have fixed dates and can only be sat in major cities, while others can be taken all year round in authorized centers in almost every region).
- Consider whether you are prepared. A certification is, after all, an exam, so you have to be well prepared. And since sitting for the exam costs money, evaluate whether you have the knowledge needed to pass it the first time.
- Try to get your company to pay for it. In the end the certification is good for your company, and it counts as training, so try to convince your boss to pay for it (in some consulting firms, curiously, they pay for it but practically force you to take one certification a year until you hold the number they consider optimal). Another option is for them to allow you time to prepare for it within your working day (some companies even set up study groups).
- Get good study material. Many certifications have official guides, or books that bring the syllabus together and explain it coherently and completely. Find out which study material is best for each certification.
- Beware of dumps. Since almost all exams are multiple-choice and questions are often reused, it is possible to find dumps (compilations of questions from previous years and/or tests) on the Internet. Some sites claim to have “all the questions” of the year, so that you only need to memorize the answers to pass the exam. Be careful with these dumps: the questions change every year, in many cases the answers are wrong, and most certifying bodies treat their use as cheating.
- Plan ahead. A certification ends up being like a race. Decide how much preparation you need and fit it into your daily schedule. Cramming 20 topics into a weekend is not the best way to pass.
- If you pass, get the paperwork done as soon as possible. Passing the exam does not mean the work is over. You still have to complete all the administrative paperwork (accrediting years of experience, attaching copies of degrees, collecting signatures from bosses, etc.). The sooner you do it, the sooner it is out of the way, and you avoid possible problems (such as having to ask a former boss for a signature, which may not always be easy depending on how that relationship ended).
Conclusion
In my personal opinion, security certifications provide value… but they could provide more. Exams with more practical content (a few do have it, but they are the exception) and a syllabus updated year by year would probably make them harder (both to sit and to grade), but would earn them more respect from the community.
And of course, a general application of common sense (also known as the least common of the senses) and a good dose of humility are necessary. Having an e-mail signature with two lines of job titles plus another line of certifications does not automatically make you the “king of the mambo” (best of the best). And if you introduce yourself in certain circles as “John Doe Cert1, Cert2, Cert3” you are queuing up to make a fool of yourself.
In the same way, even if you are an “L33T Haxxor” who scorns certifications, it is not acceptable to call someone who does hold them a “corporate bitch”.
Whether we are for or against security certifications, there is no denying that they are an aspect to take into account in the current reality of computer security. The best we can do is… live with it.
Full disclosure: The author holds CISA, CISM, CISSP, CHFI, CCSK and ITILv3f certifications (Editor’s Note: at the time of writing in 2015).