This article can also be found in the Premium Editorial Download "Information Security magazine: Exclusive: Security salary and careers guide."
Download it now to read this article plus other related content.
Marcus Ranum, HMM, CDO*
CounterPoint Certifications are great if you're lazy and ignorant and want to stay that way. If you're a hiring manager and you're too lazy to review a candidate's résumé, understand its contents and perform the difficult task of thinking whether his qualifications fit your needs, just hire the guy with the alphabet soup after his name.
Rather than coming up with thoughtful questions for interviewing a candidate to see if his accomplishments show that his abilities match your requirements, you can just rely on the certification and be blissfully happy.
Or, perhaps you're hiring to fill a position that you don't understand--you need a rocket scientist and you aren't one--just hire the candidate with the "CRS" after his name. After all, that's the premise of a certification: It helps you determine how to hire someone to do a job you don't understand.
Bruce is right that certifications become attractive when the supply/demand/expertise curve starts to break down in a particular area. The real question to me is how badly it would have to break down before I got so helpless that I'd just rely on a certification.
How many of you would hire a general contractor to build your new home just based on the fact that he has a certification? Would you (as I would) ask friends for recommendations, and then make a point of checking examples of his work? I might make sure my contractor had insurance, but when
More importantly, when you're relying on the "old boy network" it's much more likely that the person recommending someone for the job is going to understand the person's qualifications for that particular job. Modern technology moves so fast that obsolescence of knowledge is a real issue.
For example, if someone wanted to hire me to lock down an ULTRIX 3.1d system, I'm eminently qualified. But I'd be at a loss when presented with today's confusing plethora of Linux "distros"--I'd need months of studying and experimenting before I'd be ready to work on one of them. But if I had a certification, maybe someone would hire me by mistake, thinking I was qualified, and then I could do that retraining on the company's nickel. If someone asked one of my peers who they'd recommend for a Linux project, I'm sure my name wouldn't come up. But if the job called for a "senior curmudgeon," well, that would be another story entirely.
More information from SearchSecurity.com
Navigate the maze of security certifications with this guide.
Develop your security skills at your own pace with our on-demand Security Schools.
Pass the CISSP exam with help from Shon Harris, author of CISSP All-in-One Exam Guide.
The bottom line is that, regardless of whether a candidate is certified, a smart interviewer needs to know enough to judge if a candidate is the right person for the job. In fact, a smart employer is always going to check references and evaluate a candidate based on past accomplishments--only one of which may be successfully cramming for an exam.
Please send your comments on this column to firstname.lastname@example.org
Coming in September: Is there such a thing as strategic software?
This was first published in July 2006