Back when I was the resident security management expert over at TechTarget (a position since occupied by Mort), it was amazing how many questions I got about the value of certifications. Mort confirms nothing has changed.

Alex Hutton’s great posts on the new ISACA CRISC certification (Part 1 & Part 2) got me thinking that it’s probably time to revisit the topic, especially given how the difficult economy has impacted job search techniques. So the question remains for practitioners: are these certifications worth your time and money?

Let’s back up a bit and talk about the fundamental motivators for having any number of certifications.

  1. Skills: A belief exists that security certifications reflect the competence of the professional. The sponsoring organizations continue to do their job of convincing folks that someone with a CISSP (or any other cert) is better than someone who doesn’t have one.
  2. Jobs: Lots of folks believe that being certified in certain technologies makes them more appealing to potential employers.
  3. Money: Certifications also result in higher average salaries and more attractive career paths. According to the folks who sell the certifications, anyway.
  4. Ego: Let’s be honest here. We all know a professional student or three. These folks give you their business cards and it’s a surprise they have space for their address, with all the acronyms after their name. Certifications make these folks feel important.

So let’s pick apart these myths one by one.

Skills
Sorry, but this one is a resounding NFW. Most of the best security professionals I know don’t have a certification. Or they’ve let it lapse. They are simply too busy to stop what they are doing to take the test. That’s not to say that anyone with the cert isn’t good, but I don’t see a strong relationship between skills and certs.

Another issue is that many of the certification curricula get long in the tooth after a few years. Today’s required skills are quite different than a few years ago because the attack vectors have changed. Unfortunately most of the certifications have not.

Finally, to Alex’s point in the links above, lots of new certifications are appearing, especially given the myths described below. Do your homework and make sure the curriculum makes sense based on your skills, interest, and success criteria.

Jobs
The first justification for going to class and taking the test usually comes down to employment. Folks think that a CISSP, GIAC, or CISM will land them the perfect job. Especially now that there are 100 resumes for every open position, a lot of folks believe the paper will differentiate them.

The sad fact is that far too many organizations do set minimum qualifications for an open position, which then get enforced by the HR automatons. But I’d wonder if that kind of company is somewhere you’d like to work. Can it be a perfect job environment if they won’t talk to you if you don’t have a CISSP?

So getting the paper will not get you the job, but not having it may disqualify you from interviewing.

Money
The certification bodies go way out of their way to do salary surveys to prove their paper is worth 10-15% over not having it. I’m skeptical of surveys on a good day. If you’re in an existing job, in this kind of economy, your organization has no real need or incentive to give you more money for the certification.

There has also clearly been wage deflation in the security space. Companies believe they can get similar (if not better) talent for less money, so it’s hard for me to see how a certification is going to drive your value up.

Ego
There is something to be said for ego. The importance of confidence in a job search cannot be overstated. It’s one of those intangibles that usually swings decisions in your direction. If the paper makes you feel like Superman, go get the paper. Just don’t get into a scrap with an armed dude. You are not bulletproof, I assure you.

The Right Answer: Stop Looking for Jobs

Most of the great performers don’t look for jobs. They know all the headhunters, they network, they are visible in their communities, and they know about all the jobs coming available – usually before they are available. Jobs come and find them.

So how do you do that? Well, show your kung fu on an ongoing basis. Participate in the security community. Go to conferences. Join Twitter and follow the various loudmouths to get involved in the conversation. Start a blog and say something interesting.

That’s right, there is something to this social networking thing. A recommendation from one of the well-known security folks will say a lot more about you than a piece of paper you got from spending a week in a fancy hotel.

The senior security folks you want to work for don’t care about paper. They care about skills. That’s the kind of place I want to work. But hey, that’s just me.