Security professionals seeking to advance their careers often ask me whether certifications are worth it, and, if so, which ones they should pursue. The answer, of course, depends on the person and his or her goals. Plenty of people excel without a credential.

While certifications require experience in the profession and sufficient knowledge to pass a comprehensive exam, they don’t indicate what type of leader or performer you will be, how well you communicate, or the value you will be to an organization’s culture. Yet, they can be an excellent investment for the individual and his or her employer.

Last month I posted a certification question on LinkedIn, intrigued by the high engagement levels of that platform’s surveys.

I phrased the question broadly:

“What is the most powerful (recognized, useful, value-adding, influential) security certification?” The four options were Certified Fraud Examiner (CFE), Certified Protection Professional (CPP), Certified Information Systems Security Professional (CISSP), and Other, with respondents encouraged to comment. The question received 1,795 votes and 129 comments.

The results were:

  • CFE 6%
  • CPP 44%
  • CISSP 42%
  • Other 8%

The comments are more instructive than the data. I suspect that the numbers reflect my broader LinkedIn network: I have a CPP, not a CISSP or CFE, and my connections trend the same way.

The topic elicited diverse reactions. Some commenters railed against certifications. Some rallied behind certifications. Others used the forum for raillery. And speaking of rails, certifications may just be the third rail of the security profession.

Here’s a sampling of the comments:

“Certificates do not make good security practitioners any more than licenses make outstanding plumbers. Experience, adaptability, and following good security and risk management principles do. Certifications only prove that information can be retained and regurgitated.”

“I think they are all money grabs.”

“Years of training and experience outweigh any letters you can buy to put behind your name. It just puts your money in someone else’s pocket.”

“Every profession and their credentials should encourage an infinite learning journey culture…Certification is not a destination but a benchmark or standard of professionalism in any industry.”

“I have met awful doctors…poor lawyers…terrible contractors…garbage professors, and I can go on and on. Yet I don’t see folks in general criticizing these professional certification schemes.”

Many respondents noted that they would rather have an experienced professional than a person festooned with postnominals — but that is a false dichotomy. You can have both.

The debate also sparks a follow-up question: Do certifications matter for leaders? Certifications generally test management principles, reasoning ability, operational theory and practice, and general knowledge — not leadership.

But maybe that’s missing the point. A security executive who wishes to foster a culture of learning, such as by achieving a certain certification, should lead by example and be the first to get it. With its continuing education requirements, a certification demonstrates a commitment to improving, keeping current, and remaining relevant. It’s not the certification itself that reflects leadership; it’s the action of encouraging others to achieve it and setting the standard yourself.

And if professional development is so important to the executive, department or organization, shouldn’t it cover the cost of the application, study materials, exam, prep courses, recertification and continuing education credits? Actually, THAT question might be security’s third rail.