The debate rages on year after year. Are certifications worth it? Pick any certification you like and type into Google “Is XXX certification worth it”. Half the answers you find will tell you that this particular certification is the Holy Grail of learning and the other half will tell you it is a waste of your time. My position is that both extremes are wrong. Let’s address each.
First, the ‘certifications are worthless’ argument. This usually stems from someone who has encountered a person with a given certification whose knowledge was beneath what it should have been. My response to this is simply to ask: are there any incompetent medical doctors? Of course there are… but if I have a heart problem I would prefer to take my chances with an M.D. than my plumber. My point is that all credentials have some incompetent people. That does not diminish the value of the credential; it merely shows that human beings are flawed and the processes we create are imperfect.
The other side of this argument is to cite someone with no certifications who is brilliantly talented. I agree such people exist. In fact, a few years ago I had a student in one of my penetration testing classes who fit this description. He was a Unix admin by profession. Now let me preface my comments on this individual by stating that I have authored two Linux books and was on the team that created the Linux+ certification. So I have some familiarity with Linux. This student had no certifications and no degree. But he was a veritable encyclopedia of Linux/Unix knowledge. His knowledge of shell commands and scripts was impressive. Just between you and me, he knew Unix and Linux far better than I do.
However, if you are hiring a Unix/Linux admin, would your first pick for an interview be someone with zero formal training, no degree, no certifications? Employers (whether they are looking for an employee or a temporary consultant) have to weed through a monumental stack of applications. One way is to set some minimum certification/education requirement. Certifications provide some starting point.
I would also submit that it is difficult to earn a certification and not learn something. You may or may not retain as much as you should, but it is hard to study for a test, the CISSP for example, and come away with no knowledge. And if a person picks up a few related certifications (let’s say CISSP, CCNA-Security, and OWASP pen testing) then it seems certain they must know something. Whether they know enough is a matter to be decided in the interview process.
However, a certification is also not the Holy Grail. You have to realize a certification is like any other credential: it indicates the holder has passed a minimum set of standards. Just like the aforementioned medical degree. An M.D. does not mean you are a brilliant doctor, destined for a Nobel prize in medicine. It simply indicates that you met minimum standards. You might be a good doctor or you might not.
What about experience? Of course experience is important. That is even recognized by many certification vendors. The CISSP requires a few years of experience. They recognize that formal learning is best when coupled with hands-on experience. However, experience alone is not enough either. I routinely teach a CISSP class, and all of my students are experienced. And in every class I see the same thing. Students are very skilled in those areas they have directly worked on… and often know little or nothing of areas they have not. Experience will give you a great deal of knowledge of only those areas you work with every day. Training and education will give you a breadth of knowledge and perhaps details you have not considered before.
So back to our original question. Should you certify? I say yes, but with care. Before you seek a certification make sure you have clear goals (beyond simply getting another piece of paper to hang on your wall). What is it you wish to learn? Don’t focus on just passing the test, but really learn the material. But have a realistic expectation of what the certification means. A CISSP, for example, does not make you an expert on security. It does mean you have a broad-based understanding of security.
Now in full disclosure, I have to admit I am pro-certification. I have 32 certifications currently and am working on two more. I have also worked on the creation or revision of several certifications (and am working on one now). So I may have a bit of a bias.