Certifications are a scam! A rebuttal

Last Updated on December 5, 2015 by Dave Farquhar

I overheard a couple of people talking a few weeks ago, and one said, flat out, “Certifications are a scam!”

As one who has two security certifications (Security+ and CISSP), I disagree. Now that I’ve had my first post-CISSP professional review, I disagree even more strongly.

I won’t give a blow-by-blow account of that review, because that’s unprofessional. But there were two things my reviewers noted on the review that are important.

One thing they said was that I keep up with the industry, even using my breaks to do so. That’s something I’ve always done to some extent, but virtually all certifications today require continuing professional education in one form or another. That forces you to stay current, which is important. Fifteen years ago when I was starting my career, Java was touted as a secure computing platform. Today, Java is a security joke. Five years ago, Adobe PDF files were considered the safest way to share information. Today, they’re considered one of the most insecure and dangerous. Some things never change–like never putting a permit-all rule at the end of your firewall ruleset, and never typing rm -rf / on a Unix system–but sometimes best practices have a way of becoming worst practices.
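The firewall point above is easy to state and easy to get wrong in practice, because a chain whose default policy is ACCEPT is a permit-all rule even when nobody typed one. The check below is an added example, not part of the original post: a small POSIX shell function that reads an iptables-save style ruleset and reports whether a chain ends in an explicit permit-all rule, silently falls through to an ACCEPT policy, or ends in a terminal deny. The three rulesets are constructed for the example; the function name and verdict strings are my own.

```shell
#!/bin/sh
# Added example (not from the post). Checks the tail of a chain in an
# iptables-save style ruleset for the "permit-all at the end" mistake.

# Constructed rulesets for demonstration.
TRAILING_ACCEPT='*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j ACCEPT
COMMIT'

OPEN_POLICY='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

DEFAULT_DENY='*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT'

# check_chain_tail CHAIN RULESET
# Prints one of:
#   permit-all   the last rule in CHAIN matches everything and ACCEPTs
#   open-policy  no terminal deny and the chain policy is ACCEPT
#   safe         the chain ends in DROP/REJECT, or the policy is a deny
check_chain_tail() {
  chain="$1"
  rules="$2"
  # Policy comes from the ":CHAIN POLICY [pkts:bytes]" header line.
  policy=$(printf '%s\n' "$rules" | sed -n "s/^:$chain \([A-Z]*\) .*/\1/p")
  # Last appended rule for this chain (empty if the chain has no rules).
  last=$(printf '%s\n' "$rules" | grep -- "^-A $chain " | tail -n 1)
  case "$last" in
    "-A $chain -j ACCEPT")
      echo "permit-all"; return 0 ;;
    "-A $chain -j DROP"|"-A $chain -j REJECT"*)
      echo "safe"; return 0 ;;
  esac
  if [ "$policy" = "ACCEPT" ]; then
    echo "open-policy"
  else
    echo "safe"
  fi
}

# Usage: run each constructed ruleset through the check.
echo "trailing accept: $(check_chain_tail INPUT "$TRAILING_ACCEPT")"
echo "open policy:     $(check_chain_tail INPUT "$OPEN_POLICY")"
echo "default deny:    $(check_chain_tail INPUT "$DEFAULT_DENY")"
```

The check only looks at the last rule and the policy, which is the tail-of-ruleset mistake the post names; a catch-all ACCEPT buried earlier in the chain is just as bad and would need a pass over every rule, not only the last one.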

Having one or more certifications that force continuing education enforces that discipline of staying current.

Another thing they said was that I’m an experienced IT professional who draws on all my available experience on a regular basis. That comes straight from my CISSP. While I know CISSPs who are in their late 20s and didn’t even have the required five years of professional experience when they passed–and had to bide time as an associate until they had put their time in–I drew on every moment of professional experience I had when I was answering that test. To an extent, I guess I did that even when I was studying for the test, because it helped me remember stuff, but as I sat for the test in that Chicago hotel conference room, faced with problems I’d never seen before, all I could do was run through my memory of problems I had solved, and try to use that experience to solve the problem at hand.

To some extent I’ve always done that, but those five hours in Chicago really reinforced that approach. It was the first time I’d had to employ the approach to solve a large number of problems in a very short period of time, and the first time I had such a tangible reinforcement of it. Six weeks later I got a piece of paper validating the approach, and I got to keep my job.

Yes, there are bootcamps that just teach you how to take a test. I have my doubts that any week-long bootcamp on its own can teach you to pass the CISSP. I started studying for it in 2010, and that felt like barely enough. But at any rate, an experienced IT professional can tell the difference between a “paper” certification and someone who can live and breathe it. So even if a pretender manages to take the test and pass it, a good interviewer should be able to weed them out. Here’s a hint: Ask for war stories. Listen to the stories for indications of how the candidate approached the problem and how he or she ended up solving it.

No stories? Unless you’re paying an entry-level salary and have entry-level expectations, keep making phone calls. Wimpy stories? Same deal.

Getting certified isn’t easy, and it isn’t cheap, but there are tangible benefits to both the employee and the employer. Just because it’s expensive doesn’t mean it’s a scam.