My opinion on this matter...
Both of you are right. If your experience is more valuable than the
certification then don't bother with the certification and the other way
around. It's half a dozen of one and six of the the other. Whatever
lights your pipe. As for myself I had several years of experience and
felt that the certification helped me validate that experience both to
myself and to those I work for and with. I know it's a strange thing for
those of us who went the extra mile it's a strange phenom when after you
receive the certification how people tend to think now you have all the
knowledge. And those who think you're just full of it.
I for one find that there are those few professionals who don't know any
more now than before they were certified nor will then know any more now
that they are. It's like this one player on my daughters basketball team.
She's about as significant as a shadow. No matter what she does or how
much she goes to practice she just doesn't get it. She might as well run
back and forth on the court cause she provides nothing to the team.
However she has become a liability. People (hackers) score on her all the
time. Of course she gets frustrated by this but doesn't do any more to
improve her skills. She will eventually make Varsity if she stays on the
team. But what does that mean? She's got the 'Certification' but then
will everyone on the Varsity be judged by the one who is without the
necessary skills?
The small answer is, YES. As human BEANS, we tend to pass judgement sort
of like we elected a President based on propaganda politics.
As you can see I hold many of the "SECURITY" Certifications. I've proud
of this. I worked hard to get these, they were not handed to me and I
didn't just take the test and pass. I studied for three years for all of
them. Does that mean I'm dumb? To some... But then it could also mean
that I'm determined. It could also mean I have a lot of money and don't
have anything else to spend it on. Or that someone else really likes me
and spent the money for me. Actually, I fall into the second category.
I had to take the exams three different times because I had the experience
of working through problems in my practical sense. But there is a reason
for a theoretical methodology. What may work in your environment doesn't
necessarily work globally. Therefore it pains us to think we have to
change our view and think globally. Locally is difficult enough, hey I'm
just as guilty. I took the test three times remember. I remember my
bitterness after flunking each exam by what, two points or even in one
case like one point. DAMN! Who needs to be certified?
The funny part of this is that before I was certified I saw a problem with
a network configuration. I recommended that management make a change for
security reasons. Management just ignored what I said and brushed it off
as a security issue too difficult to guard against. After I became
certified and mentioned the same problem, Management took action. Now
just exactly what did I do different? I've looked into the matter many
times and can't figure it out. I don't work for them any more as the
certifications help me obtain a greater salary (25g's) more than I was
making. Not really putting me up there with Bill Gates but then again I'm
not riding the bus these days.
I teach for all these certifications I enjoy teaching them. I encourage
all the students to forget how they do things and study how the exam's
approach is to the issue.
The certification doesn't make you a guru. It does however give you a
good understanding of information security on a global level. It also (if
you get involved with local chapters) gives you an opportunity to meet
with others in your field. This part is invaluable!
Frank Kenisky IV, CISSP, CISA, CISM
Information Technical Security Specialist
