Cybersecurity Certifications

Security Certifications Are Just the Beginning

We’ve all seen these signature blocks:

[Name], CISSP, CISM, CISA, QSA, CRISC, CGEIT, PCIP, ISO LA, ITIL, Prince II, blah, blah….

These acronyms belong in two places: your LinkedIn (or equivalent) profile, and your CV/Resume/Bio. They have no place in your email signature, nor on your business card.

It’s not like we studied for a number of YEARS to get an MSc or a PhD. We read a book and passed a multiple-choice exam. We didn’t even have to know how to IMPLEMENT what we learned; we just had to memorise and regurgitate. Most questions end up being a 50/50 guess anyway if you don’t actually know the right answer.

I’m not saying certifications are totally meaningless. They are a great beginning for those trying to break into the cybersecurity industry, but once you’re in, it’s your experience that needs to do the talking for you, or better yet, the clients you helped. Your certifications show that you have some commitment, and who knows, maybe you’ll even learn a couple of things that are useful. But these things don’t help you much when you’re face-to-face with a real client asking for your guidance, and all you can do is read from a book.

Learning anything new is messy. You’re clumsy at first, you make LOTS of mistakes, and you may begin to doubt yourself. But get past that first client, the one who you helped (eventually), the one who actually thanked you afterwards, and THAT’S when your learning really starts. You EARNED that, and it’s not a feeling you’ll ever get from an acronym or a book.

With security, there is no certification that really gets to the fundamental point, the meaning behind all of this. I guess CISSP gets the closest, because its 10 Common Bodies of Knowledge (CBKs) cover things from Risk Management to Business Continuity, but no-one really cares about that stuff at senior leadership level; it’s just detail.

What’s important is STAYING in business, growing, going international, going public, shareholders and so on, and not one certification out there helps you explain to the CEO how IT and IT security can help get them there. No certification ever will. It’s something you have to learn for yourself, and something that will change with every client with whom you work.

There are no certifications for, or shortcuts to, being a consultant who ‘gets it’.

I have likened security to insurance, but that’s not really fair. Selling security is like selling insurance, but in the end insurance is just risk mitigation, whereas security is business enablement. Security is not the goal, and it’s easy to get caught up in the moment and forget why we are really there in the first place.

So, as for your signature blocks, far better, I think, is to have the number of years you’ve been in cybersecurity and the number of clients you’ve helped. Something like:

David Froud

Years In Cybersecurity: 17, Clients Helped: Hundreds

Think it’ll catch on? 🙂


4 thoughts on “Security Certifications Are Just the Beginning”

  1. “What’s important is STAYING in business, growing, going international, going public, shareholders and so on”

    Disagree. What’s important is being able to provide a good service or product to your client. Everything else should be an outcome.

    Certifications help people demonstrate core skills and also a commitment to ongoing professional development, and are at least measured independently. They are also a reasonable baseline to measure when people don’t have lots of experience, but should have some core skills.

    You must have seen pen-testers without many years’ experience that are still awesome. Years served != quality, and without references the number of clients is irrelevant too. The same person could have been inside a big bank for a long time. 1 customer.

    • Hi CustomerService (@ISACA), many thanks for your comments.

      I can certainly understand your perspective, but I think you may have missed the point of my blog. It’s not against certifications per se, it’s against the use of ONLY credentials to demonstrate credibility.

      My statement “What’s important is STAYING in business, growing, going international, going public, shareholders and so on.” is directed at security in general. Security is not the end, it’s only part of the MEANS to an end, and I cannot think of one for-profit business that places customer service above the bottom line. If you cannot demonstrate an ROI to the business side, security gets ignored.

      A person who works at a bank (your example) their whole career will be VERY good at providing specific services to that one specific bank, thus greatly limiting their exposure to learning opportunities. If you want those services, great; if you want a consultant who has a significant array of experience types, ‘1 customer’ will probably not suffice.

      Your point re: pen testers actually MAKES my point: that certifications don’t demonstrate ability.

      Again, I’m not against certifications, I’m against false advertising.
