Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Wading into the certification fray.

Well, Bruce Schneier has finally weighed in on certifications. As usual, he makes a lot of sense even when I don’t totally agree with him:

In the end, certifications are like profiling. They work, but they’re sloppy. Just because someone has a particular certification doesn’t mean that he has the security expertise you’re looking for (in other words, there are false positives). And just because someone doesn’t have a security certification doesn’t mean that he doesn’t have the required security expertise (false negatives). But we use them for the same reason we profile: We don’t have the time, patience, or ability to test for what we’re looking for explicitly.

Full disclosure:  as far as security practitioners go, I’m completely uncertified.  I don’t have a college degree, I don’t have any professional certs—hell, I’ve never even had a single academic computer course in my life.  (I’m not counting the time I tried to take a Fortran class in summer school, and dropped out because the teacher was trying to teach both us and the trig class next door at the same time.)

So I’ve always fought the battle to keep certs from being the sole source of profiling that Schneier describes here.  He’s exactly right in his last sentence above:  if you’re depending on a non-security manager or an HR flunky to screen résumés, it’s much, MUCH easier to tell them to look for a certain string of letters as a profiling aid. 

But I would argue that in this field, we still don’t have a sufficient number of really, truly qualified AND certified practitioners that we can afford to exclude the “false negatives.” And I’d also argue that certifications haven’t necessarily homed in on the skill set that I’m looking for when I hire. (Maybe GIAC; I tend to rate those higher. But CISSP, notsomuch.)

Then again, I still have lots of arguments with my HR department about the preference for a college degree.  Again, it’s profiling and it’s sloppiness.  I could go back, do nine more credit hours and get my BA in German with a minor in history.  What good would that do me at this point in my career?  Absolutely none.  I know a security consultant who has a degree in Chinese philosophy.  I’d wager, without any hard data to back it up, that only about half of the qualified practitioners in our field have any kind of college degree that’s computer science-related.  So why the fuss about certification?

In a field as young as IT security, certifications are still misleading.  There aren’t any standard solutions to most of the problems we’re trying to solve.  We’re all, to a large extent, still groping in the dark, and what we need to look for are good gropers, not people who are certified in particular room configurations.

In the discussion on what to look for when hiring, there are some good points made out there, Dan Morrill’s being a prime example—both in his posting and in the follow-on comments:

I am sure that people will point out that I did not include in this firewall management, or certificates like the CISSP or GIAC. Nor did I mention education like Bachelors, Masters or Doctorates in this list. And that would be correct, because I am looking at hard skills, things that people know and when the rubber meets the road, I know that they can perform a task. CISSP and even formal education are more for the HR department and the companies screening processes. This top 10 list looks at core skills and core processes where if the person has even ½ of this list down cold, I know that they can do good work, and that I do not need to worry about them unless they cannot communicate.

Then you have a WAY false positive with “Frank Kenisky IV, CISSP, CISA, CISM” (wow, he’s had extra letters after his name from BIRTH!!), who shows that peculiar combination of arrogance and insecurity that you just can’t screen out on a résumé:

Dan, these are probably the rudimentary steps to hiring an experienced individual with any of these skills sets but to specifically exclude specific certifications now says volumes that Freud would start at your miserable experience at potty training.

In the end, I’m much more of Dan’s mindset, along with Joel Spolsky’s wonderfully lucid Guerrilla Guide to Interviewing:

First of all, the #1 cardinal criteria for getting hired at Fog Creek:

Smart, and
Gets Things Done.

That’s it. That’s all we’re looking for. Memorize that. Recite it to yourself before you go to bed every night. Our goal is to hire people with aptitude, not a particular skill set. Any skill set that people can bring to the job will be technologically obsolete in a couple of years, anyway, so it’s better to hire people that are going to be able to learn any new technology rather than people who happen to know SQL programming right this minute.

Read Spolsky’s whole article. Learn it. Know it. Live it. THIS is the filter you should be hiring on, not the paper profiling.

If we ever get to the point where I can filter out all the uncertified applicants and still have 50 résumés on my desk from which to pick the five who are Smart and Get Things Done, then I will reconsider my opposition to profiling.  Until then, sorry, Bruce—I’m with Marcus Ranum on this one.

Posted by shrdlu on Thursday, July 20, 2006
