2013: The Year Of Security Certification Bashing
As security professionals argued among themselves about how useless certifications are, organizations that needed security services had no place to turn for good advice.
December 26, 2013
It is impossible to listen to a podcast or follow a Twitter feed without hearing jabs, jokes, and downright slanderous language about the various certifications in the information security field.
What are the problems with the certifications, and what is the problem with our industry that we feel the need to denigrate our entire profession to the point of dilution? I may be speaking very liberally by referring to information security as a profession, as the recent findings of the National Academy of Sciences have indicated otherwise. The study concluded that cybersecurity is an "occupation," not a profession.
What are the problems with certifications like CISSP or CompTIA Security+ and others? Many folks will argue that the certification indicates that the person was capable of passing the test at one time, and little more. Others will say that the folks with the certifications stand around in the datacenter with their arms crossed while the "real" workers do the work. Is this necessarily true? I would have to disagree. These negative comments can hold validity in some cases, but not all. In fact, these comments can be said of any professional organization for which an examining body exists.
To a further extreme, similar criticisms with equal venom can be made about every occupation, profession, trade, or even exalted pursuits such as musician or artist. For example, what does an orchestra conductor do other than a bunch of arm-waving while the rest of the musicians do the work? Even within law enforcement circles, there is a mentality that working at the federal level is where the “real” law enforcement professionals exist, and the local police, or a small town police department aren’t doing real police work. Would you honestly be capable of saying that to any police officer in Newtown, Conn.?
Think you're smart? Prove it!
Certifications offer a benchmark through which the average person can be given a level of assurance that the person purporting to do a job is qualified. Are there uncertified professionals who are equally, if not more capable than those with certifications? As in any industry, of course there are. But how is the average person supposed to make that distinction?
The problem with certification bashing is that it creates a cascading series of events that does little to help any of us in the industry, and it damages the industry as a whole. Too many people practice poor security in the first place. These people need security services and they don't know where to turn for good advice. When they finally take the steps to seek advice, they are met with a firestorm of negative commentary within the industry. So, while we are busy bashing each other about how useless the certifications are, the people who need our services retreat back into their land of complacency because of our disunity.
Years ago, Microsoft promoted a certification campaign using the phrase "Think you're smart? Prove it." While this type of "in your face" marketing has gone away, there is something to be said for that approach. Does the certification offer definitive proof of expertise? Perhaps not. But does it help in the absence of other information? It certainly does.
Tech specialists vs. generalists
Is another possible explanation for the bashing that there are too many certifications available for any single one to hold more validity than another? I do not think so. A better explanation is that the proliferation of certifications stems from the vast landscape of technology. A programmer is not the same as a hardware engineer, or a network engineer, and within each of these disciplines, there are varying aspects of expertise. You would not necessarily want your scrum master writing code, or your firewall technician troubleshooting a printer malfunction. This would be like asking your pulmonologist about your arthritis. Specialists have a laser-focused area of expertise. This is necessary in a broad landscape.
Are there such things as generalists? Absolutely. My general practitioner knows exactly when to refer me to a specialist. Does that make the general practitioner a bad doctor? Not at all, but I suppose the specialists could say that the general practitioners stand around with their arms crossed. However, I never hear specialists in other professions speak that way about the general practitioners, so why do we do it in InfoSec?
The idea that a certification means only that a person was capable of passing the test at one time is a sad statement, as it indicates stagnation in one of the least stagnant of professions. No one who worked with packet filtering firewalls has stayed in that era. The progress of the industry simply will not allow it. Most certifications require either upgrade tests or continuing professional education credits to keep the certification in good standing. This is the same method in use by other professions, such as attorneys, doctors, and accountants.
What can we do to help ourselves? First, we have to act as a community. There definitely are charlatans out there, and maybe places like attrition.org are useful in bringing them to light. But is a public flogging truly the solution? The InfoSec community is small, and it is fairly easy to engage in a private discourse with someone with whom you disagree. We should work together as a community so that we can mature as an industry. As the National Academy of Sciences Report indicates, we are a young industry. But the last thing we need to do is act like a bunch of whiny babies.
Bob Covello is a 20-year technology veteran with a passion for security-related topics.