There are many insightful posts across the Internet that discuss certification. Do credentials matter? Do certifications lack value? Are industry credentials even worth pursuing? These perspectives come from individuals with a wide range of expertise, many of them highly regarded in the information security industry. Several of these claims echo a recurring theme: Just because an individual has achieved certification does not mean he/she is qualified for a position. This is a true statement that many authors have touched upon when writing about their past experiences, but it brings to light a question that plagues many considering whether to pursue a path toward certification: What is the value of certification?
What Is Certification?
The term certification can mean many things and is often confused or combined with the achievement of a certificate. A certification is a credential for an accomplishment that has been validated by a testing process and typically cannot be earned without verification of the appropriate level of experience or education. Many certifications allow an individual to add a series of acronyms after their name, indicating their qualifications. Certificates are typically given to an individual for verification of the completion of a course or proof of attendance at a training session. Some college courses and training programs work this way. To confuse things further, most certifications require a continuing education component to maintain the certification. While attaining a certification may come with a certificate, pursuing a certificate does not always grant an individual a certification.
Measure of Value
While the term value may have different meanings to different people, there is an advantage for individuals who possess certifications and contribute that knowledge to their organizations. The value to the individual includes open access to work-related tools, heightened credibility and involvement in a peer network. It also provides a ticket to entry for jobs requiring that credential. The value to the organization is multifaceted. Certifications can determine the work ethic of the proposed candidate and aid the hiring process.
Value to the Individual
Many of the reasons certification is of value to the individual are also the same reasons certification is of value to the organization. The time and effort spent studying and formulating a plan of study directly correlate to skills necessary to manage projects, develop strategies and see projects to completion.
For many positions, requirement of a certification is a minimum bar to entry in the technology and information security industry, making this the most visible element of value to the individual. A quick review of job postings shows that an overwhelming majority of open positions, from analyst to manager, either require or highly prefer a certification appropriate for the job function. Historically, certification was only a requirement for analyst or engineering positions, but there are now many manager, director and senior-level positions that require certifications.
Many certifications carry an annual education requirement to maintain the certification. This requirement compels the individual to attend seminars, watch webinars or engage in independent study. Ongoing education to support the credential adds credibility, matures the individual, and keeps them up-to-date on new knowledge and industry trends.
Along with certification comes a designation and a badge to wear proudly. This badge represents individual credibility not otherwise demonstrable. As mentioned earlier, this comes in the form of a designation placed after the certification holder’s name or on a business card. There are also electronic mechanisms used on social media sites such as LinkedIn and verification entities such as Acclaim that support the visibility of the credential.
Many certifications provide access to a peer network rich with knowledge. While the Internet is a wealth of information, proprietary and well-developed material is accessible only with membership, as is a continuous peer support network.
Value to the Hiring Process
The hiring process is a complex set of evaluations that takes many data points about an individual applicant into consideration. Certification is merely one of those data points. As such, hiring a job candidate solely because they hold a certification circumvents the hiring process. Because certification is only part of a candidate’s overall qualifications, placing the incorrect emphasis on certification can lead to incorrect hires, leaving employers with a candidate who is not what they expected. While human resource managers should be diligent in the hiring process, prescreening candidates with certifications highlights individuals who took extra steps to advance their careers and can prevalidate experience.
While every certification is different, many of them have experiential requirements. Certifications such as the Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA) require a minimum number of years of work experience, which are vetted through a validation process. An individual possessing these certifications has foundational skills to show a hiring manager and demonstrates a validated requisite amount of experience.
Hiring managers may resist requiring certifications when assembling minimum requirements for an open position. When defending their requirements, they often make broad statements such as, “Just because they have a CISM does not mean they can build an information security program.” If one reviews the material on the ISACA website for the CISM certification, for example, one will not find where it says the credential will guarantee the individual can build an information security program, but what it does say is that the candidate will “have an understanding of the relationship between an information security program and broader business goals and objectives.”1 Other certifications are similar; the CompTIA Security+ certification, for example, “validates foundational, vendor-neutral IT security knowledge and skills.”2 This does not mean that an individual who possesses either one of these certifications would be able to take a job as a firewall administrator, but what it does mean is that the candidate is knowledgeable enough to be able to understand concepts surrounding the job practice and would likely be able to adapt with some additional system-specific training.
Certifications that require a validated minimum level of experience create a different dimension of quality when considering certified candidates. Hiring managers should be familiar with the elements of each certification applicable to positions in their organization. The certification program requirements should be used to ensure and validate hiring managers’ claims about the applicability of these certifications for various positions in the organization.
Value to the Organization
Employees who hold certifications bring value to the organization because they are well-rounded individuals who exhibit drive and persistence and can demonstrate valid qualifications. In working with and hiring employees, both with and without certifications, it becomes evident that there are four distinct qualities that set certified individuals apart from the rest. Keep in mind that just because they hold a certification does not mean that they possess these qualities and, conversely, just because an individual does not hold a certification does not mean they do not have these qualities. However, most of the time, the following qualities are demonstrated by individuals with certifications:
- They are invested in themselves—The best investment one can make is an investment in oneself. Certification provides an opportunity to grow personally and professionally.
- They can achieve goals—Whether certification is prompted by an employer mandate or personal achievement, the process shows that the certified individual can establish goals, has a certain amount of drive and is motivated by accomplishment. It takes strategy, endurance and project management skills to prepare for and pass certification testing and, while the employer may help with the process by sending a candidate to training, it is largely an individual accomplishment.
- They know at least enough to pass the test—While it may happen, an individual who has no experience in the areas tested on a certification examination is unlikely to pass without studying. Most certification examinations are built in such a way that industry terminology and specialized processes and knowledge are required to pass. An individual who merely studies review materials will not likely pass an exam without the applicable experience. Accredited certification programs also require the review and approval of examination questions by a panel of subject matter experts in the related field to ensure that relevant knowledge is being tested, making it even less likely that a candidate will be able to pass the test without studying.
- They show commitment to the industry—Very few people enjoy taking tests, so it takes someone with initiative to want to test their skills. Testing requires study, which takes commitment and time. Individuals committed to their jobs and their industry put in the time, effort and cost associated with obtaining a certification.
Conclusion
The value of certification to an individual is more than just another credential and, in the hiring process, possession of a certification should be part of the overall evaluation of a potential hire. Some may believe that certifications are a thing of the past when, in fact, they are very relevant in the IT and information security industry. When used wisely, a manager can leverage certification as another tool in their hiring process and individuals can leverage the many benefits and resources that are included with the credential they earned.
Endnotes
1 ISACA, The Benefits of CISM
2 Computing Technology Industry Association, CompTIA Security+, http://certification.comptia.org/certifications/security
Thomas Johnson, CISA, CRISC, CISM, CISSP
Has more than 25 years of experience in security and technology and has extensive compliance-related expertise in banking, health care and manufacturing. He leads the information security practice at a consulting firm in Chicago, spending most of his time providing security and compliance leadership to clients in various industries. He holds a position on the Certified Information Security Manager (CISM) Certification Working Group with ISACA and teaches masters-level courses as an adjunct professor at the Illinois Institute of Technology (Chicago, Illinois, USA) in the Cybersecurity and Forensics Program.