Can Your Career Outgrow Your Cybersecurity Certifications?

In Security Certifications Are Just the Beginning, I tried to explain that collecting cybersecurity certifications at the beginning of your career actually makes sense. However, it’s always your experience that will eventually be the difference between success and mediocrity.

Then, in So You Want to be a Cybersecurity Professional?, I qualified that even at the start of a career, certifications are only a small part of what you need to make a positive impact. Once again, it’s only the experience you gain by doing the work that gets you where you want to be. There are no shortcuts, especially on the ‘technology track’.

I have very recently had reason to reflect on the other end of the career spectrum. Not at the end of a career obviously, but at its height. Are the ubiquitous certifications of the cybersecurity world (CISSP, CISA, CRISC and so on) actually worth it? Do they add anything significant? Can your career actually outgrow any use you may have had for them?

My current reflection actually germinated a few years ago when I spent an inordinate amount of time ‘collecting’ my Continuing Professional Education (CPE) hours. I spent way too long going over my calendar, email, and other sources to gather this information, just to enter it FOUR times, once for each certification. I think I’ve done this every year for the past 4.

Now I’m being audited by a certification body. While I fully accept the reason for this, it means I not only have to gather another year’s worth of CPEs, I now have to dig out a load of ADDITIONAL information for the previous year’s entries!

Given the nature of my business, I simply don’t have the time. More fairly, I took a serious look at the benefits I get from these certifications and have now chosen not to MAKE the time. Basically, there are no benefits that I can see. At least, there are no benefits that outweigh a day or more of my billable time.

Benefits need to be tangible to the self-employed. My employer is not paying for me to maintain these certs; this comes out of my own pocket. So from my perspective, if you contact me regarding a contract of some sort and request a list of my generic cybersecurity certifications, I can only assume one or more of the following:

  1. You are a recruiter trying to match acronyms to a job description;
  2. You are a company looking for a cybersecurity expert but have no idea of the right questions to ask; and/or
  3. You have no idea who I am (no arrogance here, cybersecurity is still a surprisingly small community).

In theory, you should aim to be immune to all of the above. If your CV/resume, LinkedIn profile, and/or reputation etc. speak for themselves, it’s your previous accomplishments that will set you apart. If you are still relying on certifications to get you in the door, then there’s a very good chance you should be focusing more on personal PR than studying for your next acronym.

For example, I have been in business for myself for 4 years and still have no website or sales function. The contacts that I have made over the course of my career keep me fully occupied. That suggests to me that the cybersecurity community in general means a hell of a lot more than any association. My peers help me every day.

This is something you have to earn. Not by being liked [thank God], but by being a genuine ‘practitioner’. Certifications can never give you this credibility.

But I am NOT saying every certification can be replaced; some you have to have to perform a function (like ISO 27001 LA). I mean the ones you get from just reading a book, or receive for free as long as you pay the annual fee (I was literally given CRISC, for example). Do I really need to maintain a cert that I didn’t even earn?

In their defence, there is a lot more to these certification bodies than just the acronyms, and I have never taken advantage of these extracurriculars. Once again, I am just not prepared to make the time when I have clients paying for my time.

If only the CPEs could be earned by doing your job! Every new client, every new scenario, every new regulation you learn ON the job should absolutely count. I spend at least 3 hours a week writing this blog, but none of that time counts either.

Who knows, maybe this is a terrible mistake, but it’s with a certain sense of relief that I’m letting my certifications die.


6 thoughts on “Can Your Career Outgrow Your Cybersecurity Certifications?”

  1. Completely agree, once again, with your comments, David. Unfortunately, most employers are looking for individuals with the cert and the experience, even though the cert does not prove the proficiency of the individual (and in some cases, not even the experience shown in the CV/resume truly proves this). When you interview a candidate, you combine a set of questions to prove the individual’s experience, a set of questions to address their soft skills (which cannot be trained in many cases; either you have them or you don’t), coupled with scenario questions to see the individual’s attitude and ability to be flexible, adaptable and consultative/collaborative… and maybe, just maybe, you might have the right candidate.

    Just my 1/2 cent,
    Rafael Rosado

  2. After about 25 years in infosec, I was forced to get a CISM/CISSP to remain a QSA.
    Sweated over studying for CISM but made absolutely no headway in improving scores in the practice exams, and scored in the top 20% of the global candidates for that exam.
    Sat CISSP just in case the CISM fell through, but honestly the course material was same old, same old.
    Has it made a difference in my work?
    Yeah, I can talk about risk assessments better.
    Are my clients better off? No, because they have all the negative issues this blog highlights so eruditely.

    • Many thanks for your comments Lyalc.

      First the SSC allows you to replace proven consulting skills with an acronym, now it mandates an acronym to demonstrate practical knowledge. It’s as though no-one at the SSC has ever sat in front of a client and provided real-world guidance.

      I have been very critical of the SSC, the PCI DSS, and the card brands for a long time. Everything they do seems designed to prove my point.

      I will never be a QSA again! 🙂


  3. David… once a QSA, always a QSA…. jajaja… just kidding bro. I am no longer a QSA and don’t miss being one either. ROCs? I HATE THEM WITH A PASSION…. having to write a 300-500 novel is not my idea of a career booster.
