Information Security, just as with most professions, has more than its fair share of debates. Some turn ugly fast, depending on who is doing the debating and what the topic is. I want to talk a little about certifications, and hopefully provide some insight into whether they really matter or not.
Personally, I think certification does matter and that it has value when properly managed by the governing body. The problem we run into is that certificates are often poorly managed and only used as a way to generate revenue. Too many times people who are not qualified take the tests and pass them, thus becoming certified. Of course, we also all know those who don’t hold a single certification, yet are seen as real “Rock Stars” of security and IT.
The question is: what matters to those who are hiring? What is it that the managers are really looking for when they scan through job applications? This is not about what Human Resources puts in a requirements list, or what the “industry” says is needed, but what really holds value to a company.
Now, at this point, many of you are going to say that it’s skills that really matter, not certifications. If that's true, then why are certifications often required? Why is so much value put on them, and why do more and more certifications appear every year?
Why do they matter? Why is it that so many companies require them? I don’t think the argument that certification “validates skills” holds water any longer. All too often you come across those who have gone to a boot camp, or crammed for a test and passed it, but really don’t understand the technology or whatever the certification is supposed to measure. This leaves you with a certified applicant who lacks the skills needed to back the certification up. This isn’t the fault of the individual so much as it is of the governing body for allowing it to happen. Such bodies encourage it, choosing to focus on marketing the certification instead of ensuring there is real value to having it in the first place.
I look for several things when looking for someone to fill a role on my team, including job experience, personal experience, personality, character, ethics, certification, education, and skills (some are more important than others, depending on the role to be filled). I can also afford to bring in someone weak on skills when the rest of the team is strong. This gives the new person a chance to learn, the rest of the team a chance to mentor, and me a chance to help shape someone into a first class security professional.
Many people don’t take anything into account other than skills and/or certification. I think when that happens they're missing out on key qualities that can turn a good team into a great team and make the difference between a good employee and a great one.
Things like character, ethics, personality, and personal experience can really add value to a team. Not to mention that these things often tell us a little about what to expect when times get tough. Is that team member going to hold up well under pressure? Are they going to do the right thing when faced with an opportunity to be dishonest? Are they going to own up to their mistakes and shortcomings? Or are they going to make excuses and blame others? If you have a team full of people you can’t count on to “do the right thing” at the right time, then you have a team that will fail you.
Another thing that I look for in a team member is how they earned their certification. Did they work in the industry for a couple of years and then pursue it, or did they go to class and take a test with little or no experience? Maybe they don’t have the experience because of the old “can’t get a job without experience” catch-22. That isn’t such a big deal to me if, in the pursuit of their certification, they took the time to read and learn as opposed to rushing into it via boot camp. If they spent several months studying and talking to people in forums, industry affiliations, and practiced via CBT offerings and such, then that shows me they are interested in learning -- not just attaining certified status.
Something else that tells me a great deal about the person is the reason they chose a certain certification. Did they choose it because it was hot at that particular moment, or maybe because they thought it would get them a good deal more money? Have they considered their long term plans? How does this certification fit into those plans? It may not fit, and that is fine.
When it comes down to it, a certification alone means very little to me. How someone achieved it and what they have done with it tells me much more. I care more about who they are than what a piece of paper says about them.
Andy Willingham is the Information Security Officer with the Metropolitan Atlanta Rapid Transit Authority (MARTA). He has been in technology for over 12 years with the last seven focused on security. Willingham has a passion for security and, more importantly, making a difference in how security practitioners do their jobs and how the rest of the world views security.
You can read more of his writings on his blog at www.andyitguy.com.
[Note: This article is an updated opinion on the realities of certification in Information Security and IT as a whole. The original article is located here. The Tech Herald welcomes articles and opinion submissions on a limited basis. While not all will be published, each will be read and subject to use with citation at a future date. -- Steve Ragan, Security Editor]