
Security Blog Log: Are certifications silly?

One blogger thinks so. Also this week: Apple is criticized over a TV ad suggesting it has no viruses and the Oracle CSO's blog lies dormant.


We've run a lot of stories in the past where experts stressed the importance of security certifications as a way to sharpen skills and get ahead in the business world. One story a few months back was about a survey that showed IT pros gaining ground in the board room after earning one or more of them.

But according to one security professional in the blogosphere, certifications are overrated.

The headline for an entry Byron Sonne contributed to San Francisco-based nCircle's VERT Daily Post blog this week sums it up: "Certifications are silly."

Sonne said he's never been a big fan of certifications for several reasons, the biggest being that he's seen "too many clowns" hired who had certifications but didn't live up to expectations.

About Security Blog Log

Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at



"What exactly does a piece of paper mean anyway?" he asked. "To me, it means you're good at passing tests, and that's about it." Too often, he said, people hide behind their certifications. And sooner or later, their overall lack of ability is revealed.

When he was a contractor working on a job for Compaq/HP at the UHN hospitals in downtown Toronto, Sonne said, they hired another contractor who was a Microsoft Certified Systems Engineer (MCSE). It was a "very heterogeneous" environment with Windows, Netware and Unix, he said, adding, "We sat the guy down at a console. He browsed the network, and the next question he asked was, 'What domain are your Novell servers in?' Needless to say, he didn't last long."

Therein lies the problem, Sonne said: Certifications are about as far from holistic as possible.

"They train you for specific tasks and that's it," he said. "But that just doesn't work. The world and technology is an incredibly fluid place. In my opinion, we don't need to teach people technical skills as much as we need to teach people how to learn."

He went on to say that certifications make people lazy, both the applicants and the people who hire them.

"There's just too much nuance when it comes to technical positions [and] the personalities of people vary too widely … people become boxes in search of checkmarks," he said. "You will lose good people just because someone lesser had one more arbitrary box with a checkmark in it."

Not everyone responding to his blog entry agreed. One person said, "Broad generalizations such as 'Certifications make people lazy' are silly, not certifications."

But another respondent shared Sonne's view, saying, "IT certifications are a joke. If you want a real professional certification, try Professional Engineer or the BAR."

An ad Apple will regret?
In the spring update to its Top 20 vulnerabilities list, the SANS Institute concluded the Mac's reputation as a bullet-proof operating system was "in tatters" because of a recent string of security holes and malicious exploits, including a zero-day flaw.

Dave Winer backed that perception in his Scripting News blog this week, going off on Apple Computer Inc. over a series of TV ads, one of which suggests Apple computers don't suffer from viruses.

In light of recent history, Winer said, "The ad about viruses is just plain STUPID. Man, are they asking for it. What happens when users who bought Macs thinking they couldn't get viruses all of a sudden are getting them? The Federal Trade Commission is going to love that. Can you spell Class Action Lawsuit?"

That criticism aside, he praised the overall quality of the ads as "great, incredibly irreverent and cleverly produced."

Oracle CSO should update blog
As I noted in a recent column, Oracle CSO Mary Ann Davidson started a blog a couple of months ago. But she hasn't updated it since it was launched March 13.

In light of building criticism over the database giant's patching process, Davidson may want to consider updating the blog more often and using it to address many of those patching concerns.

Microsoft still takes its share of hits over security holes, but in the past year many customers have applauded the software giant for at least doing a better job of communicating security issues, using its own blog, among other things.
