I've long been hostile to certifications -- I've met too many bad security professionals with certifications and know many excellent security professionals without certifications. But, I've come to believe that, while certifications aren't perfect, they're a decent way for a security professional to learn some of the things he's going to know, and a potential employer to assess whether a job candidate has the security expertise he's going to need to know.
What's changed? Both the job requirements and the certification programs.
Anyone can invent a security system that he himself cannot break. I've said this so often that Cory Doctorow has named it "Schneier's Law": When someone hands you a security system and says, "I believe this is secure," the first thing you have to ask is, "Who the hell are you?" Show me what you've broken to demonstrate that your assertion of the system's security means something.
That kind of expertise can't be found in a certification. It's a combination of an innate feel for security, extensive knowledge of the academic security literature, extensive experience in existing security systems, and practice. When I've hired people to design and evaluate security systems, I've paid no attention to certifications. They are meaningless; I need a different set of skills and abilities.
But most organizations don't need to hire that kind of person. Network security has become standardized; organizations need a practitioner, not a researcher. This is good because there is so much demand for these practitioners that there aren't enough researchers to go around. Certification programs are good at churning out practitioners.
And over the years, certification programs have gotten better. They really do teach knowledge that security practitioners need. I might not want a graduate designing a security protocol or evaluating a cryptosystem, but certs are fine for any of the handful of network security jobs a large organization needs.
At my company, we encourage our security analysts to take certification courses. We find that it's the most cost-effective way to give them the skills they need to do ever-more-complex jobs.
Of course, none of this is perfect. I still meet bad security practitioners with certifications, and I still know excellent security professionals without any.
In the end, certifications are like profiling. They work , but they're sloppy. Just because someone has a particular certification doesn't mean that he has the security expertise you're looking for (in other words, there are false positives). And just because someone doesn't have a security certification doesn't mean that he doesn't have the required security expertise (false negatives). But we use them for the same reason we profile: We don't have the time, patience, or ability to test for what we're looking for explicitly.
Profiling based on security certifications is the easiest way for an organization to make a good hiring decision, and the easiest way for an organization to train its existing employees. And honestly, that's usually good enough.
This essay originally appeared as a point-counterpoint with Marcus Ranum in the July 2006 issue of Information Security Magazine. (You have to fill out an annoying survey to read Marcus's counterpoint, but 1) you can lie, and 2) it's worth it.)
EDITED TO ADD (7/21): A Guide to Information Security Certifications.
EDITED TO ADD (9/11): Here's Marcus's column.
Posted on July 20, 2006 at 7:20 AM • 63 Comments