Shostack + Friends Blog Archive


Certification Shmertification

So it seems that certifications are again in the press, this time over at SC Magazine. Last month, SC ran “Does testing matter?”. I say ran as opposed to asked, because really the article was a page-long advertisement for the various certifications, with most of the quotes coming from the organizations that sponsor them talking about how great they are. Though it does discuss some of the downsides, that comes across as an afterthought rather than a balanced discussion of whether certifications actually matter. Fortunately, we have folks like Martin McKeay and Rich Mogull with other viewpoints.
Six years or so ago, I got my CISSP, and it has yet to make a difference to my career aside from getting me one of those silly little ribbons for my badge at the RSA conference. Though at one point my entire team had their CISSP certifications, which was great for taunting vendors. Neither really justifies the existence of the certification, though.

8 comments on "Certification Shmertification"

  • sama says:

    Certifications generally show that you memorized well for an exam. I suppose that’s worth something, but it sure doesn’t mean you know what you’re doing. There are plenty of lousy lawyers and CPA’s whose existence is proof of that, never mind IT certifications.

  • Anonymous says:

    Maybe it helps drive traffic to your blog. I did a search for CISSP and your site popped up.

  • Adam says:

    I’m fucking mortified. We get hits for CISSP?

  • Anonymous says:

    Nah, it doesn’t really, I just thought it would be funny to say.

  • With few exceptions (Cisco’s CCIE comes to mind) I don’t get impressed much by certifications. Take any three serious computer geeks and combined I’m convinced they can pass just about any multiple choice exam you throw at them in most of these certifications. Some are better, but they quickly devolve to cram sessions and postnominals on business cards.
    Why don’t more certifications take the practical approach and add lab components where relevant to their market? Either that or an open-ended thesis-and-defence if hands-on labs are not relevant (e.g.: CISSP or any other industry-wide cert). Of course, it’s quite a bit more work scoring these than a multiple choice exam.

  • Lazarus Long says:

    Whenever a question starts with “why don’t they,” the answer is almost always money.

  • Arthur says:

    As Lazarus points out, the answer is almost always money. The sad thing is that SANS/GIAC had a certification that required a written practical exam. Unfortunately, they got rid of that requirement, ostensibly for flexibility, but I suspect people were complaining that it was too hard given the 80% failure rate GIAC was seeing. Don Parker and Richard Bejtlich in particular were unamused at this change. See CertCities for their interview with Peter Northcutt for the marketing aspects. Speaking of marketing, for a good laugh read GIAC’s Does Certification Matter?

  • Peter says:

    I’ve been an MCSD since 2000, and it really hasn’t made a difference getting jobs, and only helps out when the company is looking to get/keep their MS Partner program benefits.
    My current employer is bidding on a huge government RFP, and some of the key security staff will have to have CISSP among other certs.
