To Certify or Not To Certify... that is the question

The debate rages on year after year. Are certifications worth it? Pick any certification you like and type "Is XXX certification worth it" into Google. Half the answers you find will tell you that this particular certification is the Holy Grail of learning, and the other half will tell you it is a waste of your time. My position is that both extremes are wrong. Let's address each.

First, the "certifications are worthless" argument. This usually stems from someone who has encountered a person with a given certification whose knowledge was beneath what it should have been. My response to this is simply to ask: are there any incompetent medical doctors? Of course there are... but if I have a heart problem I would prefer to take my chances with an M.D. rather than my plumber. My point is that every credential has some incompetent holders. That does not diminish the value of the credential; it merely shows that human beings are flawed and the processes we create are imperfect.

The other side of this argument is to cite someone with no certifications who is brilliantly talented. I agree such people exist. In fact, a few years ago I had a student in one of my penetration testing classes who fit this description. He was a Unix admin by profession. Now let me preface my comments on this individual by stating that I have authored two Linux books and was on the team that created the Linux+ certification, so I have some familiarity with Linux. This student had no certifications and no degree, but he was a veritable encyclopedia of Unix/Linux knowledge. His command of shell commands and scripting was impressive. Just between you and me, he knew Unix and Linux far better than I do.

However, if you are hiring a Unix/Linux admin, would your first pick for an interview be someone with zero formal training, no degree, and no certifications? Employers (whether they are looking for an employee or a temporary consultant) have to weed through a monumental stack of applications. One way to do that is to set a minimum certification or education requirement. Certifications provide a starting point.

I would also submit that it is difficult to earn a certification and not learn something. You may or may not retain as much as you should, but it is hard to study for a test, the CISSP for example, and come away with no knowledge at all. And if a person picks up a few related certifications (let's say CISSP, CCNA Security, and an OWASP-based pen testing credential), then it seems certain they must know something. Whether they know enough is a matter to be decided in the interview process.

However, a certification is also not the Holy Grail. You have to realize that a certification is like any other credential: it indicates the holder has met a minimum set of standards, just like the aforementioned medical degree. An M.D. does not mean you are a brilliant doctor destined for a Nobel Prize in medicine. It simply indicates that you met minimum standards. You might be a good doctor or you might not.

What about experience? Of course experience is important. That is even recognized by many certification vendors. The CISSP, for example, requires five years of relevant work experience (one year can be waived for a qualifying degree or credential). The vendors recognize that formal learning is best when coupled with hands-on experience. However, experience alone is not enough either. I routinely teach a CISSP class, and all of my students are experienced. And in every class I see the same thing: students are very skilled in the areas they have directly worked on, and often know little or nothing of areas they have not. Experience will give you a great deal of knowledge of only those areas you work with every day. Training and education will give you breadth of knowledge, and perhaps details you have not considered before.
So back to our original question. Should you certify? I say yes, but with care. Before you seek a certification, make sure you have clear goals (beyond simply getting another piece of paper to hang on your wall). What is it you wish to learn? Don't focus on just passing the test; really learn the material. But have a realistic expectation of what the certification means. A CISSP, for example, does not make you an expert on security. It does mean you have a broad-based understanding of security.

Now, in full disclosure, I have to admit I am pro-certification. I currently hold 32 certifications and am working on two more. I have also worked on the creation or revision of several certifications (and am working on one now). So I may have a bit of a bias.
About the Author:

I am a computer scientist, inventor, consultant, and author. I have over 20 years of professional experience in the IT industry, over 15 years teaching/training, and over 11 years in litigation support/expert witness work, including 39 cases and testimony at trial, depositions, and hearings. I have authored 19 published books (including four on security, three on forensics, and one on cryptography), have 6 patented inventions, and have been a guest speaker at multiple venues including the Harvard Computer Society, the Columbia Chapter of the ACM, the Southern Methodist University Computer Science and Engineering Colloquium, the University of Texas at Dallas ACM chapter, the Hacker Halted security conference, the Takedown security conference, ISC2 Security Congress, Hackon India, and multiple other locations. I have conducted training and provided consulting for major companies, law enforcement agencies (local, state, and federal), and various government agencies as well as friendly foreign governments. I conduct research in cryptography, forensics, and related topics. I also consult on computer security and forensics.