I’ve got a Bachelor’s degree in Information Systems Management, my Certified Information Systems Security Professional (CISSP) certification, the SANS GIAC Systems and Network Auditor (GSNA) certificate, and I used to be a CCNA. I spent two years getting my B.S. by attending night courses, the CISSP took me six months of constant study, the GSNA required a week’s worth of intense instructor-led study, and I spent the better part of a school year taking the official Cisco coursework at the local junior college before taking the test. And with the exception of the CCNA, the time I spent earning my degree and getting my certifications was aimed strictly at filling in a check box on an HR person’s list rather than learning something. Not to say I didn’t learn something in studying for each, but my goal was fulfilling a job requirement instead of education.
I have mixed feelings about certifications in the IT and security professions. Certifications show that someone has the minimum knowledge required to pass a particular test. They show that the person understands their profession well enough to know which certificates are going to be required to get a job in their field. They show that the person is dedicated enough to their profession to take and pass these tests. But what they don’t show is real-world knowledge of security.
Obviously I’m not opposed to certifications, since I hold several myself. But I’ve never liked the fact that many people think certification and skills are the same thing. The fact that having the right certification can mean a significantly higher level of pay for professionals who otherwise are of the same skill level only further complicates the situation. It encourages people to accumulate as many different certifications as possible to help bolster their income, something I’m as guilty of as anyone else.
I remember the early days of the Microsoft Certified Systems Engineer and the “paper MCSEs” who had passed all the tests but could barely remember how to change a password when they got their first job in the real world. I often hear accusations that the CISSP is heading in the same direction, despite increased efforts by the ISC2 to validate candidates and verify levels of experience. But I think both of these miss the real point of certification: it shows that someone has spent the time and effort to pass a test, not that they have the skills required to work in the real world. After all, no one expects a kid fresh out of college to know everything about their chosen career, so why should a certificate be any different?