Is Cybersecurity a Profession?

A National Academy of Sciences panel says no:

Sticking to the quality control aspect of the report, professionalization, it says, has the potential to attract workers and establish long-term paths to improving the work force overall, but measures such as standardized education or requirements for certification have their disadvantages too.

For example, formal education or certification could be helpful to employers looking to evaluate the skills and knowledge of a given applicant, but it takes time to develop curriculum and reach a consensus on what core knowledge and skills should be assessed in order to award any such certification. For direct examples of such a quandary, InfoSec needs only to look at the existing certification programs, and the criticisms directed at certifications such as the CISSP and C|EH.

Once a certification is issued, the previously mentioned barriers start to emerge. The standards used to award certifications will run the risk of becoming obsolete. Furthermore, workers may not have incentives to update their skills in order to remain current. Again, this issue is seen in the industry today, as some professionals chose to let their certifications lapse rather than renew them or try and collect the required CPE credits.

But the largest barrier is that some of the most talented individuals in cybersecurity are self-taught. So the requirement of formal education or training may, as mentioned, deter potential employees from entering the field at a time when they are needed the most. So while professionalization may be a useful tool in some circumstances, the report notes, it shouldn't be used as a proxy for "better."

Here's the report.

Posted on October 3, 2013 at 12:55 PM • 41 Comments

Comments

M@ • October 3, 2013 1:28 PM

As a cybersecurity autodidact, it's refreshing to see someone waive Formal Letters as a requirement.

Tinker • October 3, 2013 1:57 PM

As someone with a degree in History with minors in Political Science and Arabic along with a background in the Marine Corps - I'm glad to see that there is resistance to establishing a need for formal education. A good friend in the industry recently said, "Do not go and get a new computer related degree. They don't teach much in way of security and that which they do teach is obsolete way before you can use it. Instead, create a lab, break it, fix it, and break it again."

Have a "security" mindset. Be situationally aware. Always look for vulnerabilities and exploits. Learn the tools, but don't get stuck in any one toolset. The key is the focus on SystemSec, OpSec, or the umbrella term - "Information" security. The tools that deliver the information change, but not the need for security. Always learn, always adapt.

Edd • October 3, 2013 2:04 PM

The article lead seems to be misleading. Whether or not formal education is needed for the profession, it is a profession. For some, like myself, the formal education gave a good foundation without being an end all in and of itself. However I got here, I consider myself (as does my employer) a cybersecurity professional.

J. Oquendo • October 3, 2013 2:08 PM

My issue with certifications (and I have a bunch) is that the material is very limited in time. Most of the attacks and attack vectors involved with information security change so rapidly that by the time someone becomes an "expert" at one thing, the risk/threat has shifted, rendering what the expert knows as "useless."

What I have found from my own personal experience is that, blending intelligence, psychology, and military studies, has helped me more than technical training. After a while, the technical side tends to repeat, whereas the threat actors have shifted focus. It becomes easier to determine what *may* be a BIG threat, versus noise.

This type of study (M4IS2 / OSINT) is something completely foreign in any kind of "cyber" training I have seen or read about. I believe there is a lot more at stake than just learning about compromising machines, and protecting them. That whole mindset (C|EH, CISSP) comes from a herd intent on making money versus focusing on security.

Carl 'SAI' Mitchell • October 3, 2013 2:19 PM

This is part of why I'm working towards my degree in Computer Engineering even though I want to go into security. It's a degree, it's related to the field, and it gives the low-level knowledge I'll need. Security changes rapidly because attackers and defenders continually adapt, but computers don't actually fundamentally change that much. And being able to understand the engineering of a system is pretty much required to be able to find vulnerabilities in that system. It doesn't hurt that there are jobs available should something in security not come up.
But a degree in security? That would be obsolete before the curriculum would be finished.

Nick P • October 3, 2013 2:50 PM

I'm with Edd on this. The profession has issues but it is a profession. That there are certs, degrees, job postings, job positions, executive level positions, and career ITSEC people means it's also a very established profession. That title (and its answer) seems extremely detached from reality.

tz • October 3, 2013 2:51 PM

It is a craft or trade that requires skill, not unlike music. You can teach music theory, but can someone deaf from birth play an instrument or a blind person use color

Linda • October 3, 2013 3:07 PM

I have an advanced degree from a major university and I specialized in computer security. I've had a related job for years. The guy in the office next to me with no background in security went to a one-week class and came back with a piece of paper stating he was now "certified". He was immediately promoted above me.

Mike the goat • October 3, 2013 3:34 PM

Agree tz. You can easily evaluate someone's skill without requiring formal evidence of some arbitrary education. We have become a nation of over-educated idiots with post grad degrees but not a shred of competency. I think it is refreshing that there are emerging fields where formal education is not a necessity.

Daniel • October 3, 2013 3:44 PM

The reason that cybersecurity isn't a profession is because the security agencies make it impossible to create such a profession when all the training authorities fear getting into trouble with them.

"Instead, create a lab, break it, fix it, and break it again."

This is particularly idiotic advice. In today's environment that is advocating a person create a horse-and-buggy cart shop in order to learn the basics of a nuclear-powered submarine. If one wants to play how the NSA plays one has to have access to the toys the NSA has access to. The NSA isn't going to give access to their toys to just anyone because to do so would be to give up both their competitive and comparative advantage.

"Always learn, always adapt."

Being paranoid isn't a job skill, it's a mental illness.

Wael • October 3, 2013 5:01 PM

One dictionary defines "profession" as: "a calling requiring specialized knowledge and often long and intensive academic preparation". To be qualified as a profession, it apparently needs to satisfy the requirements of the definition. Maybe it's a "trade" or a "skill"? Is that important though? If you work in the field, and get paid for it...

@Linda,

came back with a piece of paper stating he was now "certified". He was immediately promoted above me.

Time to get another piece of paper. Maybe two, then you can become his boss's boss!

Tinker • October 3, 2013 5:24 PM

@Daniel,

I think we missed each other somewhere. My create a lab remark just meant get your hands dirty. Learn by doing. How is prac app "idiotic advice?"

Always learn, always adapt is a job skill. It's the basis of lean manufacturing, agile software development methodology, military strategy and tactics, etc.

"If one wants to play how the NSA plays one has to have access to the toys the NSA has access to." Okay. That sounds great. I'd love to get ahold of a gigantic data center in the middle of Utah. I'll start a Kickstarter for it right now. Cool.

Concerning low tech vs high tech (regarding your horse and buggy vs nuclear sub) perhaps you should research the US Navy's Millennium Challenge 2002 (http://en.wikipedia.org/wiki/Millennium_Challenge_2002). Interesting concepts. Low tech attacks are never a thing to underestimate.

With all of that said, I still don't know why you would disagree with the concept of security professionals needing to constantly learn, both theory / technical knowledge as well as hands on training / lab work / pen testing, etc.

Nick P • October 3, 2013 5:35 PM

@ Wael

"and often long and intensive academic preparation"

Keyword in that definition is "often." That implies that a profession doesn't always require "long and intensive academic preparation." So, even with that definition, cybersecurity isn't disqualified as a profession. ;)

Wael • October 3, 2013 5:42 PM

@Nick P

Keyword in that definition is "often."

Whose side are you on man? Work with me ;)
You want to define "often"?
but often implies numerous repetitions and, sometimes, regularity of recurrence

Oh well, I agree -- maybe you're right... Your argument is valid, Sir.

Michael Toecker • October 3, 2013 7:17 PM

As a computer engineer and cyber security professional, I'd like to offer a differing view.

What I do is applied security, using experience and education in engineering, hardware and software development, electric power, and other disciplines that I learned in school and on the job. This allows me to gauge impact, measure risk, and determine what security is necessary and important and what is not.

A lot of the cyber security piece I have to learn anew every day, or figure out on my own. This is the piece where the self taught part comes into play. Cyber security changes daily, so developing a curriculum is really difficult.

But a lot of what's going on (applied cryptography, software design, work in radio and signals, use of FPGAs and microcontrollers, and a host of other technologies) is firmly rooted in theory that I learned in engineering.

I'm not sure exactly where I'm going, but I believe there is a significant need and usefulness associated with learning all the theory behind it. Maybe this is where cyber security education should focus, and then focus on how to learn and absorb quickly.

Mike

Clive Robinson • October 3, 2013 9:47 PM

@ Nick P, Wael,

Being a "professional" has in the past meant being part of a "closed shop" that has been recognised by law in a way that prevents non members from participating. The ways in to the closed shop being initially "standing" then "qualification".

Historically the three main areas being "The practice of" law/medicine/accountancy.

The idea of the "closed shop" came from Guilds that were supposed to train "journeymen" via indenture as an apprentice to being a craftsman then to master craftsman.

As with any self serving closed shop those who are "in" want to keep out as many others as possible so that they can demand high remuneration for their services.

In some parts of the world even trades are regulated, likewise trades that have elevated status due to academic standing such as engineering. The argument in favour of this is quality and indemnity where what we now call "health and safety" is involved.

However you have to watch out for non professional "closed shops", unfortunately most computer certification is of this ilk. Often it is easy to recognise such faux professions by the training lacking in fundamentals.

Unfortunately three factors have come into play to make ICT so vulnerable to this sort of idiocy,

1, Lack of measurands.
2, Human Resources failings.
3, Demand outstripping supply.

Hidden away in demand-v-supply is the issue of "rapidly evolving field of endeavour". It takes 10,000 hours to become competent at any skill, in real terms that's five years of ordinary employment. Technology is changing due to (faux) market forces about every 6-12 months.

To be "current" means "talking the talk" and "running with scissors". The week long "Certification Courses" teach little more than "how to pass the test" so at best "talking the talk".

The way to avoid an accident with "running with scissors" is simply to let somebody else carry them for you. The way to do this is often "Canned Solutions" you find or buy, management do this with hiring "consultants", who generally don't solve problems, they sell you a methodology and the tools to go with it and move on before it's found to be the proverbial "crock of 541t".

As for the failings of Human Resources with regards the recruitment process... well as I've said before they only match "lists of requirements" given by managers and team leads, and it's only that way by "abdication of responsibility" by the managers and team leads who have been forced to only recruit at the worst possible time by more senior managers and their accountants who appear to think that skilled employees are commodities that can be purchased by JIT methodology. The recruitment process becomes a numbers game, in that the more letters after your name the more skilled HR think you must be... Then when your CV has dodged "filing cabinet 13", you get HR's "Psychobabble tests" which are easily "gameable". Then you get the "technical questions" which are generally as much use as selecting by "nice hand writing" or "signs of the Zodiac". This is often because the potential employer has no skill base in a new technology thus have no idea of sensible questions to ask...

But often even if an employer does have a skill base the lack of useful metrics means that short simple questions to test competence are not available. And almost invariably those with the skill base lack "human experience" to temper skill against the candidates social skills.

Thus those without domain skills but with social skills can talk their way in and take wages for a quarter of a year or so and then having "up skilled" themselves jump to the next employer...

So many "professionals" actually lack what you or I would call "professionalism" and the whole field of endeavour gets a bad reputation as being full of chancers and charlatans, such is the nature of "faux professions".

Nick P • October 3, 2013 10:44 PM

@ Wael

"Whose side are you on man? Work with me ;)
You want to define "often"?
but often implies numerous repetitions and, sometimes, regularity of recurrence

Oh well, I agree -- maybe you're right... Your argument is valid, Sir."

Lol. Such a good sport! :)

@ Clive Robinson

"Historically the three main areas being "The practice of" law/medicine/accountancy.

The idea of the "closed shop" came from Guilds that were supposed to train "journeymen" via indenture as an apprentice to being a craftsman then to master craftsman.

As with any self serving closed shop those who are "in" want to keep out as many others as possible so that they can demand high remuneration for their services."

Good point. I think another aspect of this debate that needs to be explored more is "why is formal education a necessary part of our considering something a profession?" Formal education at one point might have been the best way to make professionals out of amateurs. Today, though, we have so many books, videos and even community workshops on many subjects that much of it can be learned without formal education. Matter of fact, most good security professionals learned most of what they know on their own. So, I think rating whether something counts as a profession by a formal education requirement makes little sense.

Now, rating the ease of entering a profession by whether there is formal education available for people who learn better under teachers... that might be sensible.

Figureitout • October 3, 2013 10:45 PM

Being paranoid isn't a job skill, it's a mental illness.
Daniel
--Pfft, that's the kind of response I expect from a gov't employee; I saw enough of it to convince me I never want to become one. While I strongly disagree w/ what the military does at high levels, I can't argue w/ the strength of many of its members and the "can-do" attitude. They're great team members and doers. Once you stop learning you're toast.

Tinker
--The only problem w/ your advice, is securing the lab. So have your tools been manipulated w/ and give you false data and screw your research? Sometimes I'd rather sleep at the lab right by the door.

rogerh • October 4, 2013 2:52 AM

Deeply sceptical of anyone who says 'I am a security expert' - the field is just too wide. There are the generalists who work for big glossy companies - good for simple stuff and for covering the corporate ass, then there are the specialists and individuals - but just how do they keep from going stale? Only the NSA et al can operate a truly full spectrum operation and a career - and they don't make a profit. Therein lies the problem.

I reckon the business model is fundamentally unsound - who with any sense would go into security as a specialism ? Which specialism - there are so many and they change so quickly. Worse than being a fashion designer. So you are a hotshot system admin then get a consulting job - then move into management, not too bad. But become a crypto expert - by the time you are 35 who is going to employ you - way too geeky. So certificates are not going to help anyone. But we still need security, but with such an unattractive career path good people will think 'snog, marry - nah - avoid'.

Nebulus • October 4, 2013 3:25 AM

I also believe that it is a profession, no matter what some panel says.

And I must admit that I find it rather hilarious that the U.S. Department of Homeland Security (through their commissioned panel) now tries to tell us what is a profession and what it isn't. That aspect alone casts a shadow on the whole argument they present.

TKS • October 4, 2013 4:22 AM

Cybersecurity (better, any security), is a way of thinking, a mindset.

You can make some money doing it _as_ a profession, but it doesn't matter whether you got your knowledge by formal education or self-education.
Best is both together of course.

Wesley Parish • October 4, 2013 4:35 AM

I think someone's missing a very important facet, or maybe a set of facets here - research is the process of teaching yourself something you did not know previously about something. An expert researcher is necessarily self-taught: the Wright Brothers did not have the requisite doctorates in aeronautics, as it happens.

When you have a fast-moving field such as computer security, you need someone who's given themselves permission to learn from everything and anything that's relevant. You don't want someone who's tied to a learning schedule, because events in the real world don't follow such neat schedules.

Romer • October 4, 2013 6:23 AM

Who cares if information security meets the NAS panel's definition of a "profession"? It still has to be done, someone has to do it, and however those "someones" come by their knowledge and training is worthwhile. The question is completely academic in the most pejorative sense.

If you can learn to become a white hat on your own steam, more power to you. If you migrate from CS or EE to vulnerability research, excellent. If you're a History major who also is quite good at security compliance standards, good on you. An un-degreed whiz who's an expert on virtualization security? Great. We need all of that.

Got a few security certs? Good. A BS or MS in infosec? Excellent. 10 years of crypto expertise in the enterprise? Very good. We need any and all of those too.

Is the NAS panel trying to solve a vexing problem or to answer an important question? I'm not clear on what that is.

Muddy Road • October 4, 2013 8:30 AM

If the government touches cyber security certification, you know it's corrupt.

Also, corporations have already corrupted the entire educational system.

I guess I would take the self educated teeny over the heavily degree'd and in debt guy from state U.

John Doe • October 4, 2013 9:35 AM

Like others have pointed out it all depends on what you mean by "profession". Some people think profession is a job, others look to more formal professions: Lawyers, Doctors, Carpenters, Plumbers, Electricians, Accountants. Compared to those professions/trades, there is just too little to vet a cyber-security practitioner as "generally competent".

If most practitioners can't have their competence vetted and be held liable to some minimum competence level, then I think it might be fair to say cyber security isn't a profession.

However this panel's decision really isn't saying much, how many actual practitioners would call anyone a "cyber security professional" or "cyber security expert"? The discussion was doomed to be useless the moment they abstracted the discussion away from a measurable reality.

I damn sure wouldn't trust a random forensics guy from the FBI to do web application pen-testing on my eCommerce application. I wouldn't trust most pen-testers to do risk management for a Fortune 100. Hell even within a profession I know that most pen-testers or forensic experts are tool jockeys, and that if I want to be secure I have to find some information security rock-star who transcends above the industry. Perhaps other professions are more science based, and what we do is more art based.

Isn't it completely possible that we're only selling the feeling of security to people who feel insecure? This is not to say that there is no danger in cyberspace, but it's an admission that generally information security doesn't do a hell of a lot to solve that problem. (This could explain why it's so damn hard to measure the value of what we do)

Wael • October 4, 2013 9:46 AM

@ Clive Robinson,

Being a "professional" has in the past meant being part of a "closed shop"

Very informative -- Thanks!

@ Nick P,

Lol. Such a good sport! :)

Oh, one of the rare occasions ;)

Matt Palmer • October 4, 2013 10:10 AM

This report is extremely wrong headed, even possibly dangerous.

Board level confidence in security is reducing. There is no clear and consensual understanding amongst the security community of what behaviour is or is not professionally acceptable. Some managers see security staff as an additional risk factor to manage, rather than as a trusted resource.

There are numerous professional bodies - all valuable, but operating to widely different standards. Yet people with lots of experience don't value them so don't benefit from the armour they can provide. Recruiters do not know what to look for. Managers do not know who to believe.

And we as a profession/trade/whatever, have not defined the standards to which we are prepared to be held. The 'wrong' types of security specialist - anonymous, etc - are celebrated in the media and by young people interested in security.

We need to ensure we consistently celebrate not just talent itself, but the application of that talent to positive ends. After all, would we celebrate a talented doctor who hurt his patients, or a talented accountant with a genius for tax fraud? No. So why do we allow the wider media to glamorise 'black hat' security activities (regardless of how good the actors think their motives are), and not denounce them with a stronger voice?

We also need to build more respect between different types of security practitioner and different specialisms, and communicate these differences effectively so buyers of security skills can understand the mix of talent they need to recruit to build the complex skills base of both business and technical capabilities they need.

We need two things more than anything if we are to win the trust and confidence of senior executives, policy makers and the public - consistent professionalism, and a stronger professional infrastructure that everyone can respect.

Yet given that background, part of the world’s largest employer of security specialists is telling them they are not up to being professionals.

Individually, most security people I know are very professional. Collectively however, we are not yet a profession. That is not a reason not to become one. It is a reason why we have to.

Wael • October 4, 2013 10:39 AM

@ Matt Palmer,

Individually, most security people I know are very professional.

There is a slight difference between the usage of "profession" and "professional". You can be a professional without having a bona fide profession, example: Professional golfer, professional liar, professional thief, or professional hit man. The converse is also true. For example, one could be in a profession, and not behave "professionally", or not be good at one's job... There are other examples.

Professional: A person who is expert at his or her work

Matt Palmer • October 4, 2013 11:02 AM

@ Wael, I agree.

Much of the debate is around individual professionalism which security is generally quite good at (in my view). Being seen as a profession is a different matter.

We assume that most doctors will behave professionally, a few let the side down but overall trust is retained because there is trust in the professional infrastructure. Without a security profession as such, it only takes a few instances of bad behaviour for collective trust to be lost (or just not gained).

A profession is more than a group of experts. It's not just about certification, it's about attitude and commitment to ethical behaviour. Ultimately, whether or not we are one is not our call. Whether we aspire to be one - that's what makes this report so infuriating, it's implying that we shouldn't aspire.

Alex • October 4, 2013 11:38 AM

I'm not quite following their logic that cybersecurity is NOT a profession -- it most certainly is, and can be very profitable.

The fact that the best in the field are self-taught does NOT disqualify it. You'll find the same happening in any field to be honest, particularly with cutting-edge research.

I've worked at various research facilities (engineering, science, and medical) over the years and the stuff we were working on wasn't anywhere in the textbooks. Not even close. Many times, the "experts" and textbooks published by them said what we were doing couldn't be done. Sometimes they theorized that we were getting the exact opposite of what we were seeing in the field.

Either way, I generally don't have much regard for academic/book-learned people. They tend to be very set in their thinking, which gets in the way and restricts the thought process. Those of us who've never been formally educated "don't know any better" when it comes to the established thinking, therefore come up with the wild and crazy ideas.

name.withheld.for.obvious.reasons • October 4, 2013 12:09 PM

@ Wael

Don't forget ... professional politician, especially congress critters.

Wael • October 4, 2013 12:14 PM

@ name.withheld.for.obvious.reasons

Don't forget ... professional politician,...

Did I? Look carefully :)

Michael O'Donnell • October 4, 2013 12:53 PM

Typo: missing word "is" in the sentence "But the largest barrier that some of the most talented..."

Robert in San Diego • October 4, 2013 3:58 PM

I believe Clive Robinson is accurate, although a bit harsh. For cybersecurity positions, you want someone who knows their way around both the cyber and the security worlds. Certification helps, if only because folks will know and use the vocabulary that's on the tests, but it can also hinder. Five certified employees working on security issues that are known because they've got the cookbook solutions can be beaten in efficacy by one or two who wonder "why are there USB drives all over the parking lot?" or keep up on current threats.

The other, dubious, benefit of certifications is they allow human resources people to qualify that way instead of asking for the sort of auditions they hold for potential sales and customer service people.

The Luhn Ranger • October 4, 2013 4:34 PM

@Linda:

Certification is easy. So is Photoshop. Any dork who would promote someone over you based on a one-week course will pay more attention to the frame the "certificate" is in, anyway.

Pro Tip: Pay careful attention to how you spell "Massachusetts".

RobertT • October 4, 2013 10:31 PM

For me Professionalism in Cyber security means being respected by those I consider Cyber security professionals, simple as that. It might sound a bit circular but what else is there except for mutual respect and the knowledge of who/what to ask when I know I'm out of my depth. Hopefully mutual respect is the force that guarantees I'll get an honest answer as opposed to "an" answer that best serves the commercial interests of a security vendor.

Clark and Son • October 6, 2013 6:39 AM

Seems this report has a hard time defining what 'cybersecurity' is in general. Can one say computer security or even computer operations with just as much accuracy? Is system administration a profession?

Interesting this argument has made it all the way up to an administrative/evaluation level from the general and popular back and forth about certification.

Can anyone tell me what a well working computer is supposed to do? Is it any different than a well working heart or kitchen sink?

Oliver • October 6, 2013 9:37 AM

Certificates..... schmertificates...

Those certificates are, unfortunately not worth the paper they are printed on.

Just like that famous of all....

MCSE: Must Choose Something Else

Nick P • October 6, 2013 12:43 PM

@ Oliver

I don't care too much for certs. They're mainly a moneymaking activity that tests the ability to cram for tests. However, what do you think about SANS GSE? The prerequisites in general security, intrusion analysis, etc. might have value if they're not easy to cram for. The main thing that caught my eye were these two requirements:

1. Candidate is interviewed by security professionals at SANS for them to determine if he or she is worthy of an attempt. (A bullshit detector interview? ;)

2. Candidate participates in labs featuring analysis of incidents, network recon, and hacking systems.

A person getting this would, at a minimum, be able to cram for lots of exams, bullshit a security professional, and... the good part... have demonstrated basic hands-on skills relevant to the cert. So, if they BSed their way through all of it, the last one seems like it would still require competence.

And so this cert has *some* value to me. Any without hands on activities demonstrating knowledge have no value to me.

http://www.giac.org/certification/security-expert-gse

Note: I think the requirement in No 1 doesn't exist anymore. Now, it's a test and a hands-on lab. Another thing to note is that it's still a pretty general certification as it covers many different job roles. So, I guess one organization is still certifying security generalists. ;)

Dirk Praet • October 6, 2013 9:17 PM

@ Oliver

Certificates..... schmertificates... Those certificates are, unfortunately not worth the paper they are printed on.

That actually depends. About 10 years ago, at my then job getting ourselves certified became mandatory for a number of compliance reasons dictated by US headquarters. Despite the initial resistance of most engineers, some of us started doing it for sports to take the mick out of the entire concept and because our manager had made a pledge that he would reimburse every certification exam successfully passed. For some years, I amassed a ludicrous amount of certifications in quite some domains (Brainbench, CompTIA, M/S, Solaris, Cisco, Linux, Checkpoint, Citrix, Stonesoft etc. etc.) to the point that nobody was taking my resume seriously any more. I also did some of the popular security stuff such as those of EC Council (CEH, CFHI et al) and CISSP.

In general, it's fair to say that passing most Prometric/Vue exams indeed only proves your ability to cram for tests either by studying the course ware or the exam transcenders that are readily available all over the place. It's entirely different for lab based exams such as RHCE or CCIE. There's no way you can pass those unless you know the subject matter inside-out. Go ahead and give one a try.

But even those certs that hardly prove a thing as to your real skills, are definitely worth the paper they're printed on, especially when you're new in the business. The sad truth is that they are nowadays required at many organisations or as a company to even bid on certain projects and RFP's. You can be the absolute expert on whatever it is you're doing, but not having the right paperwork to go will often disqualify you from a job or assignment in favour of some greenhorn who did bother to sit his MCSE exams.

Over the years, I got bored with permanently following up on renewals and collecting CPE credits to maintain accreditation. It just became too time and money intensive an activity. These days, if someone asks me for a specific certification, I usually tell them that I will happily sit and pass any exam if I can charge them for it.
