Saturday, April 11, 2009

The Value of Certifications

If you want some entertaining, look at the arguments against certifications in the information security field. I can completely understand someone not wanting to pursue a certification, but the open hostility they generate, including the classic information security certification, the CISSP. People belligerent in many cases against those who achieve them as well.

The arguments usually boil down to whether you would hire someone who has experience or someone with a certification. While this might be a valid question, it is a very incomplete one. It leaves out those with both, as well as avoiding any serious discussion of those with different strengths in each.

I am an interesting example of this. I have been in software development for over 20 years, though I only came into information security full time 3 years ago. I knew many of the core principles and topics, but I did not have a comprehensive foundation. Studying for the SANS/GIAC certifications I have achieved so far (GSEC, GCFW, GCIH, GPCI) has helped me not only get good training, but reinforce the principles in the training.

Do the certifications prove anything by themselves? Of course not, but they were quite useful and showed that I did master the material to at least some extent. They don't prove I would be an expert on everything, but they show that I do know at least a few things.

While I am usually quite confident in my own skills and abilities, I am not dumb enough to think I know everything. I try to let my actions prove my knowledge and abilities, rather than relying on something "on paper" to do that.

I am quite proud of having gotten a Computer Science degree from Illinois and I have used that in interviews, but even that is just an outward item that must be backed up by my own performance.

I will write more later, but I thought this was worth noting.


No comments: