What's in a certification?

Certainly there's value in security certifications, even if respect for some has decreased

I certainly wasn't expecting a rooster to start crowing as I hit question 50 on my information security certification exam this past Saturday. Then again, not much had gone as I'd anticipated. Soon after number 50, a noisy cow was driven back to the nearby hillside, and the din outside the wide-open school lunchroom windows was reduced to the distant clatter of cars and honking on the nearby outskirts of Pune, India.

I was the only American bhidu in the room. Afterward, several people asked why I'd take an exam half a world away from home. Why here indeed, and why at all? I wondered that myself, having completed the higher-level certification several years ago.

Certainly there's value in security certifications, even if respect for many of the vendor-specific certifications -- notably Microsoft's Certified Systems Administrator (MCSA) and Software Engineer (MCSE) -- has decreased. But the broad idea of professional certification hasn't fallen out of favour, and certifications still make sense in the information technology or security industry.

In fact, I think Microsoft's current perception problem is due to specific missteps: flooding the market with certified administrators and software developers, and since-reversed mistakes related to the forced expiry of certifications according to product release cycles. Cisco, for example, has managed to retain a bit more cachet for the Cisco Certified Network Administrator (CCNA) and Internetwork Engineer (CCIE) simply through reasonable rigor and a touch of scarcity. The percentage of people with insufficient practical experience among CCNAs may be the same as among MCSAs, for example, but there's a clear difference in perception.

Two decades ago, Novell made important early strides in vendor-driven certification with its Certified NetWare Engineer (CNE) designation. The CNE was not only one of the first well-marketed extensions of engineering designations from other industries, but it also provided a much-needed bridge from entry-level network cable-jockey and support jobs into the realm of respected professional roles.

Through this widely recognizable structured route, technically competent IT workers who might lack the social skills necessary to advance in a highly social professional environment could assert their merit without limitation from managers, employers and even industry. Potential advancement, new employers and peers could in turn recognize a competent individual by the designation.

That was the idea, at least. As more companies adopted the model, pressure increased for enterprise software and network clients to adopt vendor-certified implementation processes and people. At the same time, test mills expanded from the already-lucrative college and graduate school exam-prep market into the realm of professional IT certifications -- and churned out waves of certificate holders with no experience. Adding a third axis were a few vendor-independent organizations, making much noise about their certifications denoting distinguished experts rather than just competence. Reality, as usual, was somewhere in the middle.

Microsoft and other vendors started to bind their certifications to products, and then to specific versions of those products. (Novell, interestingly, went against the grain when it acquired UnixWare in 1993, broadening and renaming the CNE designation to Certified Novell Engineer.) While this is great for short-term projects where a product revision cycle is longer than the average tenure of an entry-level employee or temp, it reduces relevance for clients seeking to make a long-term investment in qualified persons -- i.e. hiring.
