Wednesday, September 24, 2008


It's that special time of year again at my work when we need to decide how we should spend our training budget. I'm torn between looking at training or certification. I know certification is a dirty word that many an InfoSec (and IT) professional looks down on, hence it got me thinking that perhaps I should talk a bit about it here.

Anyone familiar with the rough history of IT (at least in Australia) will already know the basic story. I write this one more for people unfamiliar with the field.

For a long time, just prior to the dotcom boom and Y2k, IT workers were in short supply (primarily due to Y2k Compliance and businesses wanting to connect to the Internet).

Businesses were looking for people able to build and manage their networks and systems. In assessing their requirements, they looked at the Cisco and Microsoft certifications and began hiring anyone with a four-letter acronym after their name.

Soon engineers were commanding high salaries for a certification that could be readily obtained for under $5k and cram studied. Some of these were people from non-IT industries who made the jump with barely a clue of where the "power" button was, let alone the finer technical skills required. A lot of them were jumping into IT from different industries entirely, thinking IT was a real cushy job compared to their previous roles. Pretty soon these people, with no prior experience other than what they learned in their certification, were earning big cash while uncertified (but skilled) workers were starving.

When the dotcom bubble burst, and when the world didn't blow up on Jan 1 2000, IT was not well regarded by business. Spending was cut, people were sacked, and the market was flooded. Skilled workers without certs were competing against unskilled workers with certs. It often seemed that those with the bits of paper won out in the end (further perpetuating the image that there were too many workers in IT with excessively high salaries for comparatively little knowledge or skill).

This is a gross simplification of the situation, but it helps to highlight why the IT industry (note: not just infosec) is full of people who have little regard for certification. The issue is often compounded within information security, as the most technical skills required for security are rarely taught and even fewer are certified. There is also the stigma of those in the industry who believe that there should not be non-technical people in the information security industry (another subject for another day).

In case anyone is wondering why I am so fascinated by certification: I was working in IT during this period and, while I was lucky, I knew of too many skilled IT professionals who were unemployed for a long time because of this very issue. This left a very lasting impression on me, and I swore I'd never let it happen to me.

Back to the topic at hand...

What does certification mean?

To my thinking, it simply means that the holder has demonstrated that they hold the level of skill and knowledge required to be proficient in that area. It doesn't mean mastery of a given area, only a measure of skill. I don't think true mastery is something that can be readily certified.

What is the value of certification?

The value of a certification certainly varies, and not all certifications are equal.

The value of a certification is dependent on three things (IMHO):
1) Industry recognition
Is the certifying body recognised by the information security industry? Is it comprised of existing professionals? How many members? How is it regarded by the industry? I only look at certs that come from well known, well recognised industry bodies.

2) Skill vs. Knowledge
Some certifications are little more than an exam that can be crammed for. Some have practical components and others require research. Well-regarded certifications, such as the CCIE and GSE, have this. CCIEs have the dreaded lab on top of the exam. GSEs have to sit 3 exams and do no less than two research papers before even applying for the GSE. Certifications that require you to demonstrate the skill in a practical sense, and not just theoretically, should hold higher weight.

3) Vendor Neutral vs Vendor Specific
Many certs are vendor neutral and do not harp on any one specific technology or operating system but rather rely on a strong technical understanding to obtain them. On the infrastructure side of security, you'll be hard pressed to find a certification that isn't vendor aligned. Neither is better than the other, but I usually lean towards vendor neutral unless you're working with a specific technology on a regular basis. I'm not saying vendor neutral is better than vendor specific, but you'll find you'll often learn more of the theoretical underpinnings from a vendor neutral certification.

In looking at how to spend my training budget, I tend to look for certification. Not because I'm trying to add marketing spin to my resume, but because I look for certifications where I might actually A) learn something and B) hopefully get a piece of paper to prove it. Even more hopefully, my employer (and any prospective employers in future) will see that I can demonstrate a modicum of proficiency in a given area and that I've taken the time and effort to prove it.

I am a big believer in self-directed study, but if history has shown us anything, it is to always plan ahead. Having the skill is one thing, being able to demonstrate it is another, and having it formally recognised is another thing entirely.

However, I have a dilemma. And in retrospect, perhaps it comes back to my own criteria for what I look for in a certification:

* Do you pursue certification if the certification you're looking at is not widely adopted/accepted/recognised?

* How do you pursue certification if the area you are looking at is new and emerging within the field?

In particular, I'm interested in application security and security architecture, and when it comes to formal training/certification, the options are limited and the rewards seemingly dubious. Maybe I'm just better off committing more to my self-directed study and presenting at a conference somewhere?

I'd love to hear from other InfoSec professionals (and IT professionals) on this subject.
