Network Security Security-Basics

Re: RE: Value of certifications

Subject: Re: RE: Value of certifications
Date: 30 Apr 2007 16:47:32 -0000
There are some good points in this thread. I think the current schema of IT 
related certifications is broken. The certs that exist are largely irrelevant 
or overly broad or narrow in focus. They are also ridiculously expensive. I 
took the CISSP last year and went into the test sweating bullets. After the 
test, I realized how painfully easy it was, and was thankful that my employer 
had paid for it rather than myself, because the test was not worth $500. If a 
vendor wants to limit the number of people that take and pass a test, then they 
should do so by making the test challenging, not expensive. SANS is also guilty 
of this, as James has illustrated. I am confident that I have the knowledge to 
pass several of their tests, but I am not going to try unless my employer pays, 
as they are also expensive. Especially if one wants to take a test without 
attending one of their classes. It is clear that SANS is out to make money, and 
while they should make some coin on their certification and training program, 
their current cost model is prohibitively expensive 
for all but the independently wealthy and those with generous employers. 

Add in some of the other cert programs, like EC Council and some vendors, and 
you get cheaper certifications, but the tests for these certs are often poorly 
written and not very challenging, either. And vendor tests often test for the 
"vendor answer," which in most cases is not necessarily the right answer. As 
the saying goes, "there is the right answer, the wrong answer, and the 
Microsoft answer..."

Furthermore, the recertification process for many certifications is a circus. 
While I understand the need to maintain a current level of knowledge to keep 
current in the industry, trying to use that as a measuring stick for 
maintaining a certification is counterproductive (as in the CISSP). Especially 
when a person is presented with few actual formal training opportunities. 
Retesting is also ineffective, because it requires the tests to be revised at 
the pace of the technology they are based on, and in most cases a current 
certification holder will crash the week before the test (or get a braindump) 
and pass. At that point, are they being tested on their knowledge of the 
industry, or on their ability to quickly memorize some key facts?

But if we take away the certifications, then there is no real way for an 
employer to gauge a prospective employee's knowledge and experience level. 
While placing all of one's stock in a candidate's ability to pass a test is 
admittedly flawed, it is also admittedly hard to compare a candidate with a lot 
of initials after their name with one who hasn't one cert. With the increase in 
emphasis in certs, the problem is going to only get worse, not better. Everyone 
in our industry needs to realize that certs are not the end-all, be-all that 
their purporters claim, and more importantly, we need to act on this knowledge 
just as we do other snake oil salesmen and knock the importance of these tests 
down a few notches. 

Certifications have their place, but they need to be fairly priced, accurately 
represented, not used as a marketing tool, and industry-recognized.

I like the ASE analogy. Too bad it won't happen here.
