In the information security field, there is a myth that you need certification to survive as a professional. Don’t believe me? Browse through the infosec job ads, and you will see the following in most of the descriptions:
“Technical security certifications are a plus, e.g. SANS, CISSP. Security certifications, including CISSP and EC-Council, are preferred.”
FREE Ebook: The Security Industry´s Dirty Little Secret
I do not deny the importance of these certifications as one of the key tools for employers when it comes to evaluating the qualifications of prospective employees. However, different groups of people view certifications differently, perspectives which can be categorized into three major groups.
In the first group is the majority. Most of the human resource managers here do not see the true value of security certifications. For them, security certification is merely a factor which can improve job efficiency, or which can lead to a job offer at all. For example, if there are 100 persons applying for the same job, certification becomes useful as a means of filtering the application pool. Those who have no certifications are usually the first to be filtered out. Whether that it is fair is not readily apparent.
There is another group of people who are proud of their security certifications. Once they have passed an exam, they can’t wait to share the news with their friends. “Yeah, I am certified!” But then what happens? Are you in a position to demand a better salary? Can you begin looking for a new job? Have you become a tried and true infosec professional now that you’ve read the CISSP book by Shon Harris and passed the exam? No. None of this has happened. You still need to demonstrate your professionalism to prove the true value of your certificate. This is a process that spans careers, and it all begins with the receipt of your certificate.
The last group is made up of those who totally reject security certifications. Most of them are highly technically skilled professionals who have confidence that they could pass the exams. However, they refuse to take the exams because they see certifications as nothing but market ploys. Moreover, they may have had negative experiences working with people who are certified but who failed to perform well in the trenches. The people in this group should ultimately lead the charge to change the industry landscape. They should consider acquiring the certifications in order to increase the significance of doing so.
Today, people see security certifications as tools that can help them get better jobs and higher pay checks. We have forgotten the true value of security certifications. These certifications represent our industry knowledge and should therefore act as a reliable indicator of our professionalism. To get to that place, let’s work together and prove that security certification is more than just a piece of paper.
By Ong Yew Chuan, Information Security Enthusiast
Bio: An information security enthusiast, Ong has 3 years of experience working in a Managed Security Services (MSS) company. He now works as a researcher in one of the public universities in Malaysia, where he focuses on security and social networks. Ong holds several professional information security certificates, including ECSA, CEH, CHFI and ITIL. Find him on Twitter (twitter.com/YCOng) and LinkedIn (my.linkedin.com/in/ongyewchuan).