Can Your Career Outgrow Your Cybersecurity Certifications?

In Security Certifications Are Just the Beginning, I tried to explain that collecting cybersecurity certifications at the beginning of your career actually makes sense. However, it’s always your experience that will eventually be the difference between success and mediocrity.

Then, in So You Want to be a Cybersecurity Professional?, I qualified that even at the start of a career, certifications are only a small part of what you need to make a positive impact. Once again, it’s only the experience you gain by doing the work that gets you where you want to be. There are no shortcuts, especially on the ‘technology track’.

I have very recently had reason to reflect on the other end of the career spectrum. Not at the end of a career obviously, but at its height. Are the ubiquitous CISSP, CISA, CRISC and similar certifications of the cybersecurity world actually worth it? Do they add anything significant? Can your career actually outgrow any use you may have had for them?

My current reflection actually germinated a few years ago when I spent an inordinate amount of time ‘collecting’ my Continuing Professional Education (CPE) hours. I spent way too long going over my calendar, email, and other sources to gather this information just to enter it FOUR times: once for each certification. I think I’ve done this every year for the past 4.

Now I’m being audited by a certification body. While I fully accept the reason for this, it means I not only have to gather another year’s worth of CPEs, I now have to dig out a load of ADDITIONAL information for the previous year’s entries!

Given the nature of my business, I simply don’t have the time. More fairly, I took a serious look at the benefits I get from these certifications and have now chosen not to MAKE the time. Basically, there are no benefits that I can see. At least there are no benefits that outweigh a day or more of my billable time.

Benefits need to be tangible to the self-employed. My employer is not paying for me to maintain these certs; this is out of my pocket. So from my perspective, if you contact me regarding a contract of some sort, and request a list of my generic cybersecurity certifications, I can only assume one or more of the following:

  1. You are a recruiter trying to match acronyms to a job description;
  2. You are a company looking for a cybersecurity expert but have no idea of the right questions to ask; and/or
  3. You have no idea who I am (no arrogance here, cybersecurity is still a surprisingly small community).

In theory, you should aim to be immune to all of the above. If your CV/resume, LinkedIn profile, and/or reputation etc. speak for themselves, it’s your previous accomplishments that will set you apart. If you are still relying on certifications to get you in the door, then there’s a very good chance you should be focusing more on personal PR than studying for your next acronym.

For example, I have been in business for myself for 4 years and still have no website or sales function. The contacts that I have made over the course of my career keep me fully occupied. That suggests to me that the cybersecurity community in general means a hell of a lot more than any association. My peers help me every day.

This is something you have to earn. Not by being liked [thank God], but by being a genuine ‘practitioner’. Certifications can never give you this credibility.

But, I am NOT saying every certification can be replaced; some you have to have to perform a function (like ISO 27001 LA). It’s the ones you get from just reading a book, or receive for free as long as you pay the annual fee, that I question (I was literally given CRISC, for example). Do I really need to maintain a cert that I didn’t even earn?

In their defence, there is a lot more to these certification bodies than just the acronyms, and I have never taken advantage of these extracurriculars. Once again, I am just not prepared to make the time when I have clients paying for my time.

If only the CPEs could be earned by doing your job! Every new client, every new scenario, every new regulation you learn ON the job should absolutely count. I spend at least 3 hours a week writing this blog, but none of that time counts either.

Who knows, maybe this is a terrible mistake, but it’s with a certain sense of relief that I’m letting my certifications die.

[If you liked this article, please share! Want more like it, subscribe!]

Security Certifications Are Just the Beginning

We’ve all seen these signature blocks:

[Name], CISSP, CISM, CISA, QSA, CRISC, CGEIT, PCIP, ISO LA, ITIL, Prince II, blah, blah….

These acronyms belong in two places: your LinkedIn [and equivalent] profile, and your CV/Resume/Bio. They have no place in your email signatures, nor on your business cards.

It’s not like we studied for a number of YEARS to get an MSc or PhD. We read a book, and passed a multiple choice exam. We didn’t even have to know how to IMPLEMENT what we learned, we just had to memorise and regurgitate. Most questions end up being a 50/50 guess anyway if you don’t actually know the right answer.

I’m not saying certifications are totally meaningless, they are a great beginning for those trying to break into the cybersecurity industry, but once in, it’s your experience that needs to do the talking for you. Or better yet, the clients you helped do the talking for you. Your certifications show that you have some commitment, and who knows, maybe you’ll even learn a couple of things that are useful. But these things don’t help you much when you’re face-to-face with a real client asking for your guidance, and all you can do is read from a book.

Learning anything new is messy. You’re clumsy at first, you make LOTS of mistakes, and you may begin to doubt yourself. But get past that first client, the one who you helped …eventually, the one who actually thanked you afterwards, and THAT’S when your learning really starts. You EARNED that, and it’s not a feeling you’ll ever get from an acronym or a book.

With security, there are no certifications that really get to the fundamental point, the meaning behind all of this. I guess CISSP gets the closest because its 10 Common Bodies of Knowledge (CBKs) cover things from Risk Management to Business Continuity, but no-one really cares about that stuff at senior leadership level; it’s just detail.

What’s important is STAYING in business, growing, going international, going public, shareholders and so on, and not one certification out there helps you explain to the CEO how IT and IT security can help get them there. No certification ever will, it’s something you have to learn for yourself, and something that will change with every client with whom you work.

There are no certifications for, or shortcuts to, being a consultant who ‘gets it’.

I have likened security to insurance, but that’s not really fair. Selling security is like selling insurance, but in the end insurance is just risk mitigation, security is business enablement. Security is not the goal, and it’s easy to get caught up in the moment and forget why we are really there in the first place.

So, as for your signature blocks, far better I think is to have the number of years you’ve been in cybersecurity, and the number of clients you’ve helped. Something like:

David Froud

Years In Cybersecurity: 17, Clients Helped: Hundreds

Think it’ll catch on? 🙂
