Security Certifications are Useless, Right?

At the recent RSA Conference USA 2017, FireMon completed a survey with some interesting results, summarized below:

  1. 70% of respondents would rather have smarter people than better products.
  2. 93% thought experience is more important than qualifications.
  3. 72% said it did not matter if their staff were graduates.

That’s great news, right? Toss the degrees in the trash! Burn the CISSP certificate! It’s an egalitarian world out there, and you’ll be hired only based on the extent of your knowledge.

Not so fast, young lad and lady. Let’s discuss this for a moment.

How many security jobs have you seen recently that said “CISSP not required, we don’t care what level of education you’ve attained, we just care that you’re super smart at security”? Probably not that many. This is because there are hundreds, nay, thousands of applicants for entry and mid-level positions in security.

MOST companies use degrees and certifications as a filtering mechanism, because there simply isn’t the time to interview every person who applies for a job. With that filtering mechanism, babies sometimes get thrown out with the bathwater. However, most of the time, companies get a decent selection with that filter.

Fine, you say – but Wendy Nather announced she was giving up her CISSP certification, so why can’t I? Because you’re not Wendy Nather. Instead of talking in circles, perhaps we should now discuss when certifications (or, by extension, degrees) are useful, and when they’re not.

Executive positions

If you’re applying for an executive position, you probably have years of experience. At that point, it makes little difference if you have one certification or seven (or none) - you’ll be judged on your accomplishments at your prior role.

My rule of thumb is that after ten years of experience, you can toss your degree and certifications out the window (unless you happen to end up meeting someone from your alma mater), because they’re irrelevant to your future success. This is a classic case of ‘do as I say, not as I do, because I still maintain four certifications and I have 20 years of experience’. But check back with me after this year, I’ll let at least a couple lapse.

I don’t think my certifications are useless – they show that I have a broad knowledge of security and I was motivated enough to go take an exam and prove it. That’s quite similar to having a college degree – it doesn’t mean you’re a good worker, it just means you had the tenacity to get through four years of structured study and take exams to prove it.

When I’m hiring for an executive position, I am much more interested in whether the prospect has kept up with the times, for instance: (a) have they published in industry magazines or presented at conferences? (b) do their achievements at their job have to do with relevant and topical risk mitigation? and (c) can they leverage their overall security knowledge when questioned about unfamiliar topics or scenarios? Let’s call this the Wendy Nather scenario.

Mid-level positions

This is the awkward in-between role where it’s really difficult to decide how to proceed. Are you experienced enough that you can let your achievements speak for themselves? Or does the “prestige” of a certification make it worth your while to get one if you don’t already have one? The answer is “Yes”. Mid-career is where you want to hedge your bets until you get to the executive level.

Between four and ten years of experience, you’re starting to be judged and measured on your achievements and experience, but not so exclusively that having or maintaining a certification won’t help you. I recommend that mid-career professionals keep a security certification that they already have, and consider getting a strong one if they do not.

The later in your mid-career you are, the less important it is to get or maintain a certification, and clearly, as you move into the executive ranks, it becomes irrelevant.

Entry-level positions

To me, the decision here is obvious. If you don’t have a certification, get one that’s practical for use in the field. There are a lot of nonsense certifications out there, but I really like some of the SANS GIAC ones, which are quite practical in nature.

I also like the CISSP, because it’s the granddaddy of them all – it’s broad, it’s well accepted, and despite its problems, it’s still the most accepted security certification in the industry today. If you have to have just one, get the CISSP.

Entry-level positions are the positions most recruited for, and there is a lot of competition for them. This means that companies are much more likely to have filtering criteria such as degrees, number of years of work experience, and certifications. You only give yourself an advantage by having a certification that’s widely accepted in the industry.

Yet there’s a caveat here. A CISSP requires a certain number of years of work experience, making you wonder if this is a chicken-or-egg situation. Not really – for true entry-level positions, you’re right, you cannot get a CISSP without having some security experience. I would advise early entry-level staff to work towards a certification as they gain experience. For advanced entry-level positions (two to five years into a security career), you absolutely should get certified to make yourself stand out from others.

Surveys are just surveys. People often answer them with where they wish reality would be, or with what they think the “right” answer is. A simple comparison of the survey results against job postings will show you that people might say they prefer experience over qualifications, but they’ll still ask for both in a job posting. As a security professional, here’s the best advice I can give you:

  • New to the field: Work on a certification.
  • Some experience in the field: If you have a certification, maintain it. If you don’t, get one.
  • Mid-level: If you have a certification, maintain it. If you don’t, and you’re closer to the executive ranks than the entry level ranks, don’t get one; if the reverse, do get one.
  • Executive: Don’t worry about getting or maintaining a certification.

In all cases, build an independent body of achievements that includes: contributions to the security community, presentations at conferences, publications in journals, and work-related thought leadership that will serve as a far better barometer of your expertise than a piece of paper ever will.
