Cybersecurity Certifications

Security Certifications Are Just the Beginning

We’ve all seen these signature blocks;

[Name], CISSP, CISM, CISA, QSA, CRISC, CGEIT, PCIP, ISO LA, ITIL, Prince II, blah, blah….

These acronyms belong in two places; your LinkedIn [and equivalent] profile, and your CV/Resume/Bio. They have no place in your email signatures, nor on your business cards.

It’s not like we studied for a number of YEARS to get a MSc, or PhD. We read a book, and passed a multiple choice exam. We didn’t even have to know how to IMPLEMENT what we learned, we just had to memorise and regurgitate. Most questions end up being a 50/50 guess anyway if you don’t actually know the right answer.

I’m not saying certifications are totally meaningless, they are a great beginningΒ for those trying to break into the cybersecurity industry, but once in, it’s your experience that needs to do the talking for you. Or better yet, the clients you helped do the talking for you. Your certifications show that you have some commitment, and who knows, maybe you’ll even learn a couple of things that are useful. But these things don’t help you much when you’re face-to-face with a real client asking for your guidance, and all you can do is read from a book.

Learning anything new is messy. You’re clumsy at first, you make LOTS of mistakes, and you may begin to doubt yourself. But get past that first client, the one who you helped …eventually, the one who actually thanked you afterwards, and THAT’S when your learning really starts. You EARNED that, and it’s not a feeling you’ll ever get from an acronym or a book.

With security, there are no certification that really get to the fundamental point, the meaning behind all of this. I guess CISSP gets the closest because its 10 Common Bodies of Knowledge (CBKs) cover things from Risk Management to Business Continuity, but no-one really cares about that stuff at senior leadership level, it’s just detail.

What’s important is STAYING in business, growing, going international, going public, shareholders and so on, and not one certification out there helps you explain to the CEO how IT and IT security can help get them there. No certification ever will, it’s something you have to learn for yourself, and something that will change with every client with whom you work.

There are no certifications for, or shortcuts to, being a consultant who ‘gets it’.

I have likened security to insurance, but that’s not really fair. Selling security is like selling insurance, but in the end insurance is just risk mitigation, security is business enablement. Security is not the goal, and it’s easy to get caught up in the moment and forget why we are really there in the first place.

So, as for your signature blocks, far better I think is to have the number of years you’ve been in cybersecurity, and the number of clients you’ve helped. Something like;

David Froud

Years In Cybersecurity: 17, Clients Helped: Hundreds

Think it’ll catch on? πŸ™‚

[If you liked this article, please share! Want more like it, subscribe!]