The Certification Myth

By Mike Rothman

Back when I was the resident security management expert over at TechTarget (a position since occupied by Mort), it was amazing how many questions I got about the value of certifications. Mort confirms nothing has changed.

Alex Hutton’s great posts on the new ISACA CRISC certification (Part 1 & Part 2) got me thinking that it’s probably time to revisit the topic, especially given how the difficult economy has impacted job search techniques. So the question remains for practitioners: are these certifications worth your time and money?

Let’s back up a bit and talk about the fundamental motivators for having any number of certifications.

  1. Skills: A belief exists that security certifications reflect the competence of the professional. The sponsoring organizations continue to do their job of convincing folks that someone with a CISSP (or any other cert) is better than someone who doesn’t have one.
  2. Jobs: Lots of folks believe that being certified in certain technologies makes them more appealing to potential employers.
  3. Money: Certifications also result in higher average salaries and more attractive career paths. According to the folks who sell the certifications, anyway.
  4. Ego: Let’s be honest here. We all know a professional student or three. These folks give you their business cards and it’s a surprise they have space for their address, with all the acronyms after their name. Certifications make these folks feel important.

So let’s pick apart each of these myths one by one and discuss.

Skills

Sorry, but this one is a resounding NFW. Most of the best security professionals I know don’t have a certification. Or they’ve let it lapse. They are simply too busy to stop what they are doing to take the test. That’s not to say that anyone with the cert isn’t good, but I don’t see a strong relationship between skills and certs.

Another issue is that many of the certification curricula get long in the tooth after a few years. Today’s required skills are quite different than a few years ago because the attack vectors have changed. Unfortunately most of the certifications have not.

Finally, to Alex’s point in the links above, lots of new certifications are appearing, especially given the myths described below. Do your homework and make sure the curriculum makes sense based on your skills, interest, and success criteria.

Jobs

The first justification for going to class and taking the test usually comes down to employment. Folks think that a CISSP, GIAC, or CISM will land them the perfect job. Especially now that there are 100 resumes for every open position, a lot of folks believe the paper will differentiate them.

The sad fact is that far too many organizations do set minimum qualifications for an open position, which then get enforced by the HR automatons. But I’d wonder if that kind of company is somewhere you’d like to work. Can it be a perfect job environment if they won’t talk to you if you don’t have a CISSP?

So getting the paper will not get you the job, but not having it may disqualify you from interviewing.

Money

The certification bodies go way out of their way to do salary surveys to prove their paper is worth 10-15% over not having it. I’m skeptical of surveys on a good day. If you’re in an existing job, in this kind of economy, your organization has no real need or incentive to give you more money for the certification.

There has also clearly been wage deflation in the security space. Companies believe they can get similar (if not better) talent for less money, so it’s hard for me to see how a certification is going to drive your value up.

Ego

There is something to be said for ego. The importance of confidence in a job search cannot be minimized. It’s one of those intangibles that usually swings decisions in your direction. If the paper makes you feel like Superman, go get the paper. Just don’t get into a scrap with an armed dude. You are not bulletproof, I assure you.

The Right Answer: Stop Looking for Jobs

Most of the great performers don’t look for jobs. They know all the headhunters, they network, they are visible in their communities, and they know about all the jobs coming available – usually before they are available. Jobs come and find them.

So how do you do that? Well, show your kung fu on an ongoing basis. Participate in the security community. Go to conferences. Join Twitter and follow the various loudmouths to get involved in the conversation. Start a blog and say something interesting.

That’s right, there is something to this social networking thing. A recommendation from one of the well-known security folks will say a lot more about you than a piece of paper you got from spending a week in a fancy hotel.

The senior security folks you want to work for don’t care about paper. They care about skills. That’s the kind of place I want to work. But hey, that’s just me.


I was hired by a very large (Big Three) auto manufacturer back in 1991, when I left the USN, and I was asked if I had a college degree. I said “yes” and provided the proof and asked why the degree was required for an IT helpdesk position. I was told that the 4 year degree showed patience, persistence, self-discipline, self-reliance, etc… especially since I obtained my degree while I was on active duty in the US military.

Couldn’t this same thing be said about certifications? I’ve been in several consulting positions recently that required specific certifications to be considered for the position. I don’t believe that certificates without real-world experience add much value, but if you combine the real-world experience and the certifications, it certainly cannot hurt. Just my humble opinion…

By Art Zasadny

I agree with your post; certifications should not have that importance. However, you are missing a point: when you are a freshman from college who starts in the security field working for a company that has only recently been taking security seriously, you have a lot of pressure when trying to get the whole company involved, and often they want you to have a certification or they just don

By Gama


I think this is an interesting post and makes a lot of good points. However, it is a slightly biased view, taken from the top end of the professional spectrum, and (to me) seems like it takes the standpoint that everyone is either a top end professional who doesn’t (shouldn’t) need certs or just lazy. Which, I feel, isn’t the case. The suitability and efficacy of certs is being measured solely from the point of view of long-established security stalwarts. Obviously, you’re in the minority (as luminaries/experts) or everyone would be blogging / being head-hunted and your blog would be negated in the grand scheme of things as everyone would know everything anyway (which I love/admire BTW). I say this not as a direct criticism, but as my perspective as a relative newbie who can see the need for such things. A lot of professionals require the general core fundamentals of something like CISSP to increase their knowledge (even if they’re a keen autodidact and spend a lot of time trawling blogs / RFCs / white papers) as there are always areas of weakness or that one hasn’t had hands-on experience of in their roles.

Therefore, my point is that for experienced career professionals who’re driven and clearly experts, perhaps certs seem trivial and a waste of time, as you have built a reputation and know the industry well. While you often discuss certs in general terms with similar level peers, who credulously nod and post to great aplomb with the view that, if you’re not at that level, you’re lazy (often seems the tone of posts). I feel that for early or mid-level professionals certs are a way of building a formal knowledge of the basics for several reasons…

1.) No established reputation
2.) Can’t get interviews without specific certs
3.) Shows aptitude for learning and development
4.) Proves at least a basic skill-set

The industry isn’t just the people at the top!

By Lawrence

What I find most interesting is that if you actually attend blackhat / defcon and other security conferences and speak to the individuals that show and create the exploits, you find most of them do not have a certification. I have asked a few what they think about certifications and they laugh. They have no fear going up against a ‘certified’ individual.

I believe the problem is that most individuals in executive positions in large companies do not understand security at the level they need to. So they go to the internet and learn that if I hire someone with certification A.B.C.D., then I know I am more secure, and if something goes wrong it isn’t my fault, after all I hired the A.B.C.D. certified person.

By Michael Dundas

On the point of jobs, this is the main reason folks get them, and it doesn’t just equate to the HR drones. I have seen a correlation between billable rate for a consultant and certifications, especially (but not exclusively) in the gov’t sector.

And as for the HR drones, I’d say that you are more likely to be denied an opportunity because of a lack of certifications than because of having one.

It may not be ideal, but they are a common vocabulary that people understand, and if for only that reason, they have merit. The person who goes to a bootcamp and breezes through the certification devalues themselves more than they do the cert.

By ds

I would agree with most if not all of your comments. That being said, one thing you said was that many “security professionals” don’t want to take the time to study and take a test. I agree. The good ones have more to do that could have a significant impact.

Then there are those that are self-promoting pontificating morons. When the last major contribution was years ago and they use their blogs to stir controversy, it makes me wonder if the “super-stars” are hurting more than helping.

Take for example the Google/China/APT issue. There are a few that have latched on to it to do self promotion. The same happened with the virtualization/cloud topic.

I know/have met some of the “super stars” and I was extremely under-whelmed. Sometimes the difficult questions would get asked and all the replies are ‘BS’ or something along the lines of “you should read my book” (which I have heard multiple times from a specific super-star).

So certifications are only as good as the paper they are printed on, but much of the self-promotion comes down to popularity contests.

There are some ‘super-stars’ that I would hire for their quality of work and some that I think should be tossed out of the profession with torch and pitch-fork.

By Jesse G. Lands

Nice post Mike, and I agree 100%.

Some of us have been kicking around the infosec space long enough to remember when the Consortium came into being, and when a large number of CISSPs had been grandfathered in. I still own several copies of the original Common Body of Knowledge as authored by Philip Fites and Martin P.J. Kratz circa 1996, and recall vividly how closed the community was if you weren’t already inside…

That is, before CISSP became a revenue vehicle; do a little research on the history of it and you’ll find quotes like this one from Hal Tipton:

“When we get a thousand or so certified people and there’s a pool of people available, we’ll see more headhunters and HR people insisting on CISSP as a qualification.”

The bottom line is that I have to thank (ISC)2 for helping me to form my opinion on the value of certifications early on—that, as you point out, I was much more interested in a recommendation from someone I respected and trusted than I was in demonstrated ability to pass a multiple choice test. That premise holds true today more than ever, when there is a small community of top tier talent, and an ever growing pool of people who can in essence buy a wall full of certifications via secondary market Bootcamps and “guaranteed to pass” programs.

As you touch on in ‘Ego’, if the cert is somehow validating for you personally, then go for it. As for me, I never did get my CISSP, and I have without doubt been denied interview opportunities based on that over the years, but not having it has never prevented me from working in the industry, from working at companies that I truly wanted to, or from forming relationships of mutual respect with some incredibly skilled practitioners.

By Raymond Carney

@ Mike Rothman

I’ve been around since before PCI with VISA CISP, while at a major online auction website. It could have gone down differently from my perspective. The standard is still very weak and has significant bias, especially product/vendor -type bias.

My questions weren’t really about this.

The alternative for a lot of Chinese state-sponsored hackers is that they retain jobs in many other countries, including the US. We’ve all seen the horrifying numbers of how many state-sponsored Chinese adversaries graduated from US institutions with PhDs in CompSci. They number in the hundreds, if I remember correctly. Your “rice paddy” comment is some sort of racist joke, right?

In the US, the best and brightest are working in the criminal sector—sometimes “recruited” into the Secret Service, FBI, or State-LE agencies (as I alluded to earlier). I don’t think they created a certification for these types yet. CUSSE maybe?

People can pass audits with compensating controls. Let’s get our heads on straight and do the right things! We need to MAKE it different. We need change. Let’s kick the old guard out and let some fresh minds and ideas take a look at our industry as it stands today.

In my personal belief, OWASP is the poster child for this new movement, along with some of the work coming out of the Center for Internet Security. There are no certs in those orgs. No local chapter dues. No requirements.

OSI networking from the International Standards Organization and Novell IPX/SPX Networking (along with IBM SNA, AppleTalk, DECNet, and many others) were the future of computing in the 1980s. Thanks to Gopher, the World Wide Web, and the hard work from thousands of individuals who helped build the ARPANet until it became the Internet of the early 1990s—TCP/IP networking (based on rough standards and running code) became the champion that allowed computing and networking to be taken to the next level.

OWASP is a mirror of the IETF in today’s security industry. Let’s champion the right standards; the right resources. I don’t have a problem leaving (ISC)2, SANS, etc in the dust—do you?

By Andre Gironda

@dre, I’d posit that PCI did as much for security as any other “organization” out there. It’s all come together to set the stage for folks to at least pay lip service to security. The real issue, as I see it, is that most organizations want to do the bare minimum to pass the audit and/or contain the attack, and don’t think strategically about security as a key foundation for their business.

And that’s for a simple reason: Because it’s not. Not right now anyway. Security is overhead and that means folks will try to do the bare minimum for as long as they can get away with it.

To be clear, the economic model in the US is different than China. The best and brightest take Gov hacking jobs there because the alternative is working in rice paddies. In the US, the best and brightest make a lot more money working in the private sector. You can’t begrudge that. It’s simple economics.

Relative to criminals, that’s part and parcel of a free market economy. Yes, it’s sad that we are compelled to spend time and money on certification and audits, at the expense of securing things - but money flows along the path of least resistance.

And right now that means passing the audit, where the economic ramifications are more tangible than a data breach that always happens to the other guys.

As a very wise investor told me once. It is what it is. Hoping it’s different isn’t going to make it different. That wisdom can be used in pretty much all aspects of everything.

By Mike Rothman

I usually throw up some strange straw-man and other kinds of confusing arguments like in my first post.

But for this one, I’ll get right to the point:

Does anyone know if China{|UK|AU|NZ|Russia|Taiwan|France} has a military directive similar to Department of Defense Directive 8570, thus requiring CISSP and/or GIAC certifications in various information assurance roles?

Does anyone disagree that China has information superiority compared to the US, and potentially due in part to the existence of DoDD 8570? If China only hires the best (and not just the brown-nosers), then this would stand to achieve them a significant advantage, right?

Could it be that instead of (ISC)2 legitimizing the CSO/CISO role in popular organizations… it could instead have been an ENTIRELY different organization or set of organizations?

For example: The Russian Business Network (RBN). Or other online criminals of all types. Romanians, St. Kittians, adversaries hiding under the guise of legitimate organizations in Costa Rica, Belize, et al.

Or perhaps (in the case of most/all of the payment industry breaches), double-agents posing as Secret Service{|FBI|State-LE|etc} informants?

My only question is—who’s more criminal—industry “leaders” who take money out of the pockets of up-and-coming wanna-be’s and strained organizations—or the more straightforward and well-known organized crime rings?

By Andre Gironda
