(ISC)2 Blog

Over on Security-Basics, one of the SecurityFocus mailing lists, a question about security certifications and their value in the job market has part-resurrected a long-running debate about the value of "paper" qualifications in security compared to that of "solid experience". I say part-resurrected because so far, no-one has come out on this occasion to say that certifications like CISSP or an appropriate degree are worth the paper they're written on. Including me, I'm afraid. Having done so several times before without making a dent in the prejudices of the anti-certification lobby, I thought it might be more useful (and more than usually appropriate) to record my thoughts on the topic a little more permanently here. Of course, these are my personal opinions and that I don't in any sense speak for (ISC)2.

Unfortunately, a number of myths have attached themselves to some of the best known certifications, including CISSP, but before I address them, I want to get a couple of things straight.

• Is experience worth anything in the security job market? Well, it's never done me any harm...  On-the-job experience is a good indicator of ability to succeed in the next job, even if that job isn't necessarily much like the one that precedes it. Let's not forget, though, that not all experience is good experience: if you learn bad practices from bad teachers on the job, that doesn't augur well for your relationship with your next employer, and sound selection procedures should pick up such potential problems.
• Can you be an entirely competent security professional without having a certification? Of course you can. However, a recognized sound qualification does have obvious advantages in the job market, though I don't happen to think that's the only good reason to get one (or more).
• Do prospective employers and agencies use certifications as filtering criteria in a way that prioritizes inappropriate qualifications over appropriate experience? I imagine so: human resource management is not scientifically precise at the best of times, and shortlists are not always compiled by people who understand the technical requirements of a role. In fact, I'd have said that a sound selection process for a significant security role would normally entail giving due weight to practical experience and "paper qualifications", as well as many other factors that we needn't discuss here. Note that "due weight" isn't necessarily the same as "equal weight": the appropriate proportion will differ widely from job to job.
• Can you hold a recognized certification and be an incompetent security professional? I'm afraid so. Though that's easier with some certifications, especially those that are entirely exam-based, than with others.

The more you've achieved in your chosen field, the better your chances of progress, in general. There are many ways of demonstrating achievement and competence, though: for example, good references and a verifiable track record, the ability to share experience with others, published research and commentary, recognition by your peers, admission to professional bodies, and commitment to improve skills (for example, through further training) whether or not it results in extending the list of acronyms in your formal signature.

All that said, the myth has grown up that all job selection is based on a purely binary selection (experience versus paper qualification), and that CISSP, like other reputable certifications, is a purely "paper", exam-based qualification. Oddly, I've seen this myth propagated by people who claim to hold a CISSP. Of course, the qualification does involve a (fairly exhaustive) test of knowledge by multiple choice questionnaire, and it's feasible for someone with no practical experience to gain enough theoretical knowledge to pass the exam. However, that isn't enough to enter the exam, let alone gain the certification. You also need five years (four under very limited circumstances) of relevant full-time security work experience, to be endorsed by a member of (ISC)2 in good standing, and so on. Not to mention the not inconsiderable CPE requirements for keeping your skills honed after certification. (Another annoying myth suggests that once you're certified, you don't have to do anything to maintain your good standing except pay your yearly subscription. If only...) Note, by the way, that these requirements have got tougher over recent years, and quite rightly too.

Another myth I've seen fairly recently is that the CISSP exam prioritizes "management-friendly" (i.e. cheap) solutions over "secure" solutions in its answers schema. I'm not privy to current (ISC)2 scoring methodology, but this strikes me as being the stuff of pure urban legend, based on the premise that all managers are bean-counters and all security professionals are hands-on white-hat hackers. In fact, the idea that security and economics aren't connected ignores basic tenets of risk assessment and cost/benefit analysis, so that one doesn't really fly either.

Unfortunately, it seems that there is a popular resistance of to the idea that security professionalism is compatible with awareness of business practices and drivers. Actually, I think the psychological mechanisms at work here are for more complex than that, and I hope to come back to that topic sooner rather than later.