In Security Certifications Are Just the Beginning, I tried to explain that collecting cybersecurity certifications at the beginning of your career actually makes sense. However, it’s always your experience that will eventually be the difference between success and mediocrity.
Then, in So You Want to be a Cybersecurity Professional?, I qualified that even at the start of a career, certifications are only a small part of what you need to make a positive impact. Once again, it’s only the experience you gain by doing the work that gets you where you want to be. There are no shortcuts, especially on the ‘technology track’.
I have very recently had reason to reflect on the other end of the career spectrum. Not at the end of a career obviously, but at its height. Are the ubiquitous CISSPs, CISAs, CRISCs and so on certifications of the cybersecurity world actually worth it? Do they add anything significant. Can your career actually outgrow any use you may have had for them?
My current reflection actually germinated a few years ago when I spent an inordinate amount of time ‘collecting’ my Continuing Professional Education (CPE) hours. I spent way too long going over my calendar, email, and other sources to gather this information just to enter it FOUR times; one for each certification. I think I’ve done this every year for the past 4.
Now I’m being audited by a certification body. While I fully accept the reason for this, it means I not only have to gather another year’s worth of CPEs, I now have to dig out a load of ADDITIONAL information for the previous year’s entries!
Given the nature of my business, I simply don’t have the time. More fairly, I took a serious look at the benefits I get from these certification and have now chosen not to MAKE the time. Basically, there are no benefits that I can see. At least there are no benefits that outweigh a day or more of my billable time.
Benefits need to be tangible to the self-employed. My employer is not paying for me to maintain these certs, this is out of my pocket. So from my perspective, if you contact me regarding a contract of some sort, and request a list of my generic cybersecurity certifications, I can only assume one or more of the following;
- You are a recruiter trying to match acronyms to a job description;
- You are a company looking for a cybersecurity expert but have no idea of the right questions to ask; and/or
- You have no idea who I am (no arrogance here, cybersecurity is still a surprisingly small community).
In theory, you should aim to be immune to all of the above. If your CV/resume, LinkedIn profile, and/or reputation etc. speak for themselves, it’s your previous accomplishments that will set you apart. If you are still relying on certifications to get you in the door, then there’s a very good chance you should be focusing more on personal PR than studying for your next acronym.
For example, I have been in business for myself for 4 years and still have no website or sales function. The contacts that I have made over the course of my career keep me fully occupied. That suggests to me that the cybersecurity community in general means a hell of a lot more than any association. My peers help me every day.
This is something you have to earn. Not by being liked [thank God], but by being a genuine ‘practitioner’. Certifications can never give you this credibility.
But, I am NOT saying every certification can be replaced, some you have to have to perform a function (like ISO 27001 LA). It’s the ones you get from just reading a book, or receive for free as long you pay the annual fee (I was literally given CRISC for example). Do I really need to maintain a cert that I didn’t even earn?
In their defence, there is a lot more to these certification bodies than just the acronyms, and I have never taken advantage of these extracurriculars. Once again, I am just not prepared to make the time when I have clients paying for my time.
If only the CPEs could be earned by doing your job! Every new client, every new scenario, every new regulation you learn ON the job should absolutely count. I spend at least 3 hours a week writing this blog, but none of that time counts either.
Who knows, maybe this is a terrible mistake, but it’s with a certain sense of relief that I’m letting my certifications die.
[If you liked this article, please share! Want more like it, subscribe!]