Open source software security

Is Security Certification Worth it?


A host of computer security certifications exist, covering quite a range of topics. At some point in every security professional's career they look at certification and begin to weigh its value. I have given my own take on certification some thought and come up with the following recommendations based on my own experience.

Certification hinges on two things, the test and the certifying body. Certification, in the end, stands as independent verification that you passed a test. The test criteria and the respectability of the certifying body determine the value of the test to others.

Personally, when I interview someone I don't give a second look at the certifications they have. I look for experience that proves the assertions the certifications make. Proving you can apply knowledge that a certification tests is much more difficult than just getting a certification.

I have to applaud the CEPT because it has a practical portion that is unstructured, that forces you to apply your knowledge. If all certifications had this sort of component fewer people would be certified but certification would be worth a lot more.

That said, in the end I think demonstrable knowledge and skill are much more important than a certification, but then again I'm not working in a big box corporation. For large organizations, the HR departments will insist on some sort of rubber stamp they can use to weed out candidates. So if that sort of job is your goal, certifications are great.

Certifications are also good if you're freelance or doing consulting. Certifications can stand in for references (which are probably better). Having lots of certifications will make your client feel more confident about you, and allows them to justify their investment in your services to their superiors. As the saying goes, nobody ever got fired for choosing the Gartner pick.

Outside of consulting and big corporations though, in that other murky realm inhabited by your peers, a certification is going to be worth the paper it's printed on. Other security professionals, especially those who are familiar with certifications, view certifications with quite a bit of skepticism. Proving to this audience that you know your stuff will require quite a bit more. In this arena I would say a published article is worth a lot more than a certification. Working on an open source project, producing white papers, publishing exploits and the like will go a lot farther to prove your credibility than producing a certification that shows you memorized the answers to a hundred multiple choice questions.

Of course, going to a hiring officer at a large company and saying "I published the remote root compromise of servers running foobar 1.2" will probably just get you a blank look. On the flip side, if you do something like that, someone might just come looking for you with a job offer. I never heard of anyone trolling the CISSP registrations looking to hire their next rock star though...