The Great Certificate Debate–Are Security Certifications Worth It?

I recently stumbled upon an article claiming, quite strongly, that security certifications are worthless and cause more harm than good. This struck a chord with me because I became Security+ certified last year and recently got my CSSLP. Did I just waste my time and money on these certifications?

This is certainly not the first time this topic has been brought up; it has been a debate in the IT industry for quite some time. Some fall on the side of the author of the above article, while others feel that certifications are valuable.

The above article states that technical skills and experience, not passing a test, are the real measure of a security professional’s effectiveness. The gist of the article is that hiring based on certifications will lead companies in the wrong direction by causing them to hire professionals who lack the real skills necessary for the job.

My Thoughts on Certifications

Personally, I’ve always had a balanced view of certifications. Do I feel that they are a complete waste of money? No, I don’t feel that they are worthless.

Does that mean that all certifications are created equal? Not necessarily. There are definitely certifications that I would deem wastes of money, or at the very least unnecessary for an IT professional. Let’s look at some examples.

I generally hold information security certifications in higher esteem. I feel that security can be a tough field and it is important to have a base of knowledge. Certifications provide validation of your knowledge from someone other than yourself, rather than resting on your own assertion that you know what you are talking about.

That certainly is not a silver bullet. Someone could definitely study for a test and pass it without having any real idea of how to do the job.

In my opinion, there truly is no substitute for experience. The fact is, however, that most HR departments won’t even look at you without some kind of certification.

That’s why I like certifications that have an experience requirement attached to them. All of the (ISC)2 certifications require a certain amount of professional experience. This means that you can’t use the CISSP, CSSLP, etc. designations until you fulfill the experience requirement (you can pass the exam first and hold Associate of (ISC)2 status while you earn the required experience).

This shows that the intent of the certification is to show that you have applied the concepts in a professional environment and not just passed an exam.

On the other hand, I don’t put much stock in vendor-specific or programming language certifications. Programming language tests tend to concentrate largely on syntax, which really means nothing at the end of the day. A developer can Google syntax anytime. It doesn’t mean he/she can develop clean, modular code that doesn’t break easily.

Vendor products are always changing, so I don’t see much need to certify oneself in a particular version of a vendor product. If you went through the trouble of getting certified in Windows Server 2000 or 2003, how much is that helping you now?

You end up retaking exams over and over again just to keep up with new versions. It is an endless race that I see as a waste of money.

What might be the most egregious to me is the Scrum industry pushing certifications on IT professionals. I can’t think of anything more useless than being certified as a “scrum developer” or a certified “scrum master”.

These are not distinct skills that need to be certified. If you write code using scrum or kanban or whatever, it is still writing code. Java and C# don’t change because you are a “scrum developer”.

A scrum master may have some duties specific to scrum but many companies basically treat them as project managers.

These are the certifications I see as being just for making money. Some companies may require them, but I doubt many hiring managers or peers of the certified people regard them with any more respect than someone not certified.

What My Certifications Have Done for Me

While not every certification is worthwhile, I feel that some do provide value. I’ve developed a sense of which certifications are worthwhile and which certification bodies employers find valuable.

I’ve chosen the Security+ and CSSLP because I feel that CompTIA and (ISC)2 are reputable organizations that really are trying to accomplish something good.

I feel that my certifications have done two things for me. First, they have given me a baseline of knowledge about security on a deeper level than I previously had.

After spending six years in software development, I felt I needed the knowledge that studying for the Security+ gave me.

Second, due to my experience in software development, I felt that security certifications could help to validate my security knowledge. I see it as a third party telling others: “Yes, Justin knows enough about security for us to certify him”.

I feel this can add some credence to my activities, such as this very blog.

I felt that there was no need to get certified in a programming language, as my experience speaks for itself. The certifications I took were meant to help me make the transition into the security field.

Does this mean my work is done? Definitely not. I see these certifications as the start of my journey, and not the end.

If anything, studying for certifications has shown me where my more specific interests lie. That has helped me to embrace application security and then earn the CSSLP to demonstrate my knowledge of secure software development.

Now I can use the knowledge of where my passion lies to continue to educate myself in application security. I’ve taken a specific interest in learning how security can be done in a DevOps environment. I’ll post the results of my research here.

Balance is Best

When it comes to certifications, a balanced viewpoint is best. There are some certifications that are largely worthless or simply don’t make sense. Some just create an endless cycle of becoming certified in the newest version of a vendor product.

On the other hand, some provide a baseline of knowledge that can reveal what your passions are and point you into a new career direction.

That is what my certifications have done for me.


