It is impossible to listen to a podcast or follow a Twitter feed without hearing jabs, jokes, and downright slanderous language about the various certifications in the information security field.
What are the problems with the certifications, and what is the problem with our industry that we feel the need to denigrate our entire profession to the point of dilution? I may be speaking very liberally by referring to information security as a profession, as the recent findings of the National Academy of Sciences have dictated otherwise. The study concluded that cybersecurity is an "occupation," not a profession.
What are the problems with certifications like CISSP or CompTIA Security+ and others? Many folks will argue that the certification indicates that the person was capable of passing the test at one time, and little more. Others will say that the folks with the certifications stand around in the datacenter with their arms crossed while the "real" workers do the work. Is this necessarily true? I would have to disagree. These negative comments can hold validity in some cases, but not all. In fact, these comments can be said of any professional organization for which an examining body exists.
To a further extreme, similar criticisms with equal venom can be made about every occupation, profession, trade, or even exalted pursuits such as musician or artist. For example, what does an orchestra conductor do other than a bunch of arm-waving while the rest of the musicians do the work? Even within law enforcement circles, there is a mentality that working at the federal level is where the “real” law enforcement professionals exist, and the local police, or a small town police department aren’t doing real police work. Would you honestly be capable of saying that to any police officer in Newtown, Conn.?
Think you're smart? Prove it!
Certifications offer a benchmark through which the average person can be given a level of assurance that the person purporting to do a job is qualified. Are there uncertified professionals who are equally, if not more capable than those with certifications? As in any industry, of course there are. But how is the average person supposed to make that distinction?
The problem with certification bashing is that it creates a cascading series of events that does little to help any of us in the industry, and it damages the industry as a whole. Too many people practice poor security in the first place. These people need security services and they don't know where to turn for good advice. When they finally take the steps to seek advice, they are met with a firestorm of negative commentary within the industry. So, while we are busy bashing each other about how useless the certifications are, the people who need our services retreat back into their land of complacency because of our disunity.
Years ago, Microsoft promoted a certification campaign using the phrase "Think you're smart? Prove it." While this type of "in your face" marketing has gone away, there is something to be said for that approach. Does the certification offer definitive proof of expertise? Perhaps not. But does it help in the absence of other information? It certainly does.
Tech specialists vs. generalists
Is another possible explanation for the bashing that there are too many certifications available for any single one to hold more validity than another? I do not think so. A better explanation is that the number of certifications stems from the vast landscape of technology. A programmer is not the same as a hardware engineer, or a network engineer, and within each of these disciplines, there are varying aspects of expertise. You would not necessarily want your scrum master writing code, or your firewall technician troubleshooting a printer malfunction. This would be like asking your pulmonologist about your arthritis. Specialists have a laser-focused area of expertise. This is necessary in a broad landscape.
Are there such things as generalists? Absolutely. My general practitioner knows exactly when to refer me to a specialist. Does that make the general practitioner a bad doctor? Not at all, but I suppose the specialists could say that the general practitioners stand around with their arms crossed. However, I never hear specialists in other professions speak that way about the general practitioners, so why do we do it in InfoSec?
The idea that a certification means that a person was capable of passing the test at one time is a sad statement, as it indicates stagnation in one of the least stagnant of professions. No one who worked with packet filtering firewalls has stayed in that era. The progress of the industry simply will not allow it. Most certifications require either upgrade tests or continuing professional education credits to keep the certification in good standing. This is the same method in use by other professions, such as attorneys, doctors, and accountants.
What can we do to help ourselves? First, we have to act as a community. There definitely are charlatans out there, and maybe places like attrition.org are useful in bringing them to light. But is a public flogging truly the solution? The InfoSec community is small, and it is fairly easy to engage in a private discourse with someone with whom you disagree. We should work together as a community so that we can mature as an industry. As the National Academy of Sciences Report indicates, we are a young industry. But the last thing we need to do is act like a bunch of whiny babies.
Bob Covello is a 20-year technology veteran with a passion for security-related topics.