Older Articles: Certifiably Certified (2002)

This is from a VERY old piece that I wrote back in 2002, addressing an argument happening in an InfoSec forum about certifications: 

Odd… This never happens… Security practitioners locked in a vocal debate over the value of certification? Who would have thunk it? 😉

From one side, you have those who believe that certifications have little or no value to those operating in the security industry. These anti-certification pundits focus on experience as the prime attribute of a capable security professional. They see certifications as a pathetic attempt by the uninitiated to lure hiring managers into slapping down a big fat paycheck, or as a play by the certifying entities for the unearned dollars of lemmings who simply follow a trend.

On the other end of the spectrum sits the certification advocate, who argues that certifications provide a common yardstick by which all security professionals across a diverse field can be measured against an industry standard. They see certifications as a common denominator separating the wheat from the chaff. They smile down their noses at those who lack the air of authenticity that comes from a rolled-up piece of parchment.

I find it so interesting to see security practitioners voice such absolutes about their position on this matter when the basic tenets of our profession clearly underscore the role of certification… You just need to step back and take another look. How many times have you been told (or even said yourself) that there is no panacea for information security? How many times have we called upon the essence of ‘defense-in-depth’ as our guiding light in a dark digital world? Who among us has learned all there is to learn about information security and can cast aspersions at those still trying to find their way?

Let us apply this same series of concepts to the role of certifications as one of the myriad responsibilities assigned to those calling themselves professionals within this dynamic field.

Yes, demonstrated experience on the front lines, above all other things, stands the best chance of differentiating between varying levels of skill, but let’s not forget some of the other elements that compose the foundation for what I will now refer to as security “competence-in-depth”. I think you will find that there are many of us (probably a vast majority) that would much rather denote competence through a series of activities rather than a singular focus.

I see it as a lifecycle process (yet another concept that we within the security community should be intimately familiar with as a critical success factor in most of our endeavors) consisting of (in no particular order because they should all be continual processes):

· Formal Education (school)
· Professional Education (courses)
· Hands-on Learning (daily exposure)
· Experience (long-term exposure)
· Reading (self-learning)
· Writing (sharing your experiences)
· Involvement (professional associations)
· Teaching (course instruction)
· Certification (milestones)
· Recognition (awards)
· Again, and
· Again, and
· Again

Certifications play an important role in the development of those who recognize their value as yet another opportunity to grow as a professional.

No, not everyone with a certification is qualified to do the job defined by the test objectives. You may judge the competence of a certified individual based on your own experiences and biases for or against a specified credential, but I would be more interested in seeing what kind of conversation I might have with someone who has achieved the title of CISSP compared with a conversation with someone who has earned the title of CCIE-Security, of CISA, or of CCP for that matter. The point here being that most certifications today focus on a specific aspect of information security (yes, even the CISSP with its ten domains is focused on security management, not technical security implementations). As a 10-year veteran of information systems and security, I would never hold a CISSP to the same level of accountability for the technical implementation of a Cisco Secure PIX firewall that I would a CCIE-Security, any more than I would hold a CCIE-Security accountable for the development of a corporate information security policy framework.

The field of information security is so broad and dynamic that there is no one way for any of us to define what does and does not ‘qualify’ an individual to share with us the coveted title of information security professional (or whatever moniker you associate with your position). There must be ways to categorize levels of professionalism and competence in a way that makes sense to those of us who rely on each other to see our way clear to the other side of the common challenges we face. Judge not the certification, judge its bearer. Not just on a single criterion, but on a broad range of disciplines that will give you greater insight into the true caliber of the individual.

I for one believe that someone with the appropriate background, skills to demonstrate, a thirst for knowledge, a desire to succeed, and a drive to dominate would simply take the time to ante up and get certified as a professional responsibility. You see, I sit in the middle of the road, somewhere between the two primary poles of opposition. I see certifications and individual attitudes toward them as yet one more way to differentiate between practitioners and professionals.

Of course, that is just my opinion, I could be wrong…

P.S. And yes, I know many practitioners who are excellent security people without a certification and many certified people whom I wouldn’t let touch my child’s Playskool computer. If your arguments to this message are based on this or similar arguments, please re-read the message. Certifications are A SINGLE ELEMENT of the process that defines a true security professional. This is simply my opinion… yours is just as right!

Thank you for your time and attention,
