Information Security

Defending the digital infrastructure


Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Face-Off: Schneier and Ranum debate security certifications

Are security certifications valuable?

Bruce Schneier

Point I've long been hostile to certifications--I've met too many bad security professionals with certifications and know many excellent security professionals without certifications. But, I've come to believe that, while certifications aren't perfect, they're a decent way for a security professional to learn some of the things he's going to know, and a potential employer to assess whether a job candidate has the security expertise he's going to need to know.

What's changed? Both the job requirements and the certification programs.

Anyone can invent a security system that he himself cannot break. I've said this so often that Cory Doctorow has named it "Schneier's Law": When someone hands you a security system and says, "I believe this is secure," the first thing you have to ask is, "Who the hell are you? Show me what you've broken to demonstrate that your assertion of the system's security means something."

That kind of expertise can't be found in a certification. It's a combination of an innate feel for security, extensive knowledge of the academic security literature, extensive experience in existing security systems, and practice. When I've hired people to design and evaluate security systems, I've paid no attention to certifications. They are meaningless; I need a different set of skills and abilities.

But most organizations don't need to hire that kind of person. Network security has become standardized; organizations need a practitioner, not a researcher. This is good because there is so much demand for these practitioners that there aren't enough researchers to go around. Certification programs are good at churning out practitioners.

And over the years, certification programs have gotten better. They really do teach knowledge that security practitioners need. I might not want a graduate designing a security protocol or evaluating a cryptosystem, but certifications are fine for any of the handful of network security jobs a large organization needs.

At my company, we encourage our security analysts to take certification courses. We find that it's the most cost-effective way to give them the skills they need to do ever-more-complex jobs.

Of course, none of this is perfect. I still meet bad security practitioners with certifications, and I still know excellent security professionals without any.

In the end, certifications are like profiling. They work, but they're sloppy. Just because someone has a particular certification doesn't mean that he has the security expertise you're looking for (in other words, there are false positives). And just because someone doesn't have a security certification doesn't mean that he doesn't have the required security expertise (false negatives). But we use them for the same reason we profile: We don't have the time, patience, or ability to test for what we're looking for explicitly.

Profiling based on security certifications is the easiest way for an organization to make a good hiring decision, and the easiest way for an organization to train its existing employees. And honestly, that's usually good enough.

Marcus Ranum, HMM, CDO*

CounterPoint Certifications are great if you're lazy and ignorant and want to stay that way. If you're a hiring manager and you're too lazy to review a candidate's résumé, understand its contents and perform the difficult task of thinking whether his qualifications fit your needs, just hire the guy with the alphabet soup after his name.

Rather than coming up with thoughtful questions for interviewing a candidate to see if his accomplishments show that his abilities match your requirements, you can just rely on the certification and be blissfully happy.

Or, perhaps you're hiring to fill a position that you don't understand--you need a rocket scientist and you aren't one--just hire the candidate with the "CRS" after his name. After all, that's the premise of a certification: It helps you determine how to hire someone to do a job you don't understand.

Bruce is right that certifications become attractive when the supply/demand/expertise curve starts to break down in a particular area. The real question to me is how badly it would have to break down before I got so helpless that I'd just rely on a certification.

How many of you would hire a general contractor to build your new home just based on the fact that he has a certification? Would you (as I would) ask friends for recommendations, and then make a point of checking examples of his work? I might make sure my contractor had insurance, but when it comes to deciding who I'm going to risk my money on, all that matters are solid references and a track record of getting a good job done on time. If the contractor I wanted to hire was too busy, I'd ask him for a reference, and I'd check out the candidate especially closely. There's a reason that people rely on the "old boy network"--it works.

More importantly, when you're relying on the "old boy network" it's much more likely that the person recommending someone for the job is going to understand the person's qualifications for that particular job. Modern technology moves so fast that obsolescence of knowledge is a real issue.

For example, if someone wanted to hire me to lock down an ULTRIX 3.1d system, I'm eminently qualified. But I'd be at a loss when presented with today's confusing plethora of Linux "distros"--I'd need months of studying and experimenting before I'd be ready to work on one of them. But if I had a certification, maybe someone would hire me by mistake, thinking I was qualified, and then I could do that retraining on the company's nickel. If someone asked one of my peers who they'd recommend for a Linux project, I'm sure my name wouldn't come up. But if the job called for a "senior curmudgeon," well, that would be another story entirely.

More information from

Navigate the maze of security certifications with this guide.

Develop your security skills at your own pace with our on-demand Security Schools.

Pass the CISSP exam with help from Shon Harris, author of CISSP All-in-One Exam Guide.

The bottom line is that, regardless of whether a candidate is certified, a smart interviewer needs to know enough to judge if a candidate is the right person for the job. In fact, a smart employer is always going to check references and evaluate a candidate based on past accomplishments--only one of which may be successfully cramming for an exam.

Please send your comments on this column to

Coming in September: Is there such a thing as strategic software?

Article 16 of 18

Dig Deeper on Security industry certifications

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

Get More Information Security

Access to all of our back issues View All