Fellow Security Professionals,
Many of us have received business cards or correspondence that included a line of acronyms following the individual's name. I used to believe this was only necessary with medical doctors and accountants to make sure I didn't go to the dentist to help me find a tax break. Over the years however, I have seen this practice become more commonplace in many other professional fields including IT/Cybersecurity. There doesn't seem to be an acceptable standard on what should or shouldn't be included and I would like to open a discussion to see what others in the field think.
It would only be fair for me to share my opinion first with the very clear disclaimer that it is ONLY my humble opinion and not meant to criticize anyone else’s views or practices. I welcome the discussion and am very interested in hearing about your perspectives.
I always ask myself what the objective is for listing any of my certifications or education before I include them on anything. So far, the only place I have found it necessary is on my resume so I can get through the HR filters and show my qualifications for the position I am competing for. The position I am in now requires I maintain a certain baseline so I do not feel it is necessary to list that information anywhere. The complicated part is that few people outside the field know what the baseline is or even what it takes to attain it, which leads me to believe it is even more unnecessary to include it. This is one of the few instances I suppose it’s easier to be a doctor. When they write Dr. Doogie Howser, MD, everyone already knows they have a PhD and are CPR certified. In this field it is less defined and that is where the uncertainty comes.
The other aspect I sometimes contemplate is how to handle the certifications and education that are above the baseline.
Overall, my past experiences have led me to believe that listing my certifications and education is unnecessary. Recently however, I have begun to wonder if we as a community are missing an opportunity to open lines of communication by not advertising all the different ways to contribute to the field. My hypothesis is that listing a bunch of foreign acronyms could be the ice breaker to start a conversation with an aspiring Cybersecurity professional. I hope to gain some insight through this discussion and look forward to your responses.
There is a balance that comes down to motivation. If you list them because you are proud of your accomplishments, keep in mind that pride is one of the seven deadly sins.
However, they can be useful in a professional setting. For example, I like seeing certifications on a sales-engineer's card. Knowing I am talking with another CISSP assures me there is a common vocabulary, a common understanding of risk measurement, and that they understand "security" is a lifestyle, not a check-box. Although their recommendations remain biased to their own benefit, it does make the discussion flow smoother.
It is very similar to being in a hospital and having the doctor realize a family member is a doctor or an RN. Instantly, they start talking in this strange Latin-esque gibberish and within a minute or so, tremendous detail has been communicated. Having been in this situation a number of times, it has taught me both the value of techie discussion and also how isolating it can make others feel when done in the wrong setting.
My "feeling" on the first glance at an email, business card, bio, etc. is to cringe and then wonder what selfish motives are behind the listing of 20 creds. I mean really. What does it prove? That the person is a professional student, test taker and braggart. I certainly wouldn't want to be teamed with that person on a real project for a real customer who has a huge outage.
Even when I was a business owner my title was "consultant".
Is someone paying me because I can list the alphabet several times behind my name or because I have a strong reputation in the IT world and come highly recommended? I hope the latter because the prior never happens.
Dear denbesten,
Interesting point, I agree. Here in good old Europe (Germany) this is not as common as in the US, but it is increasing.
I came across signatures in e-mails which contained titles assigned by organizations of no reputation, with no value at all. This actually causes the opposite of what - I guess - people were trying to achieve - it disqualifies them because they seem to have not much knowledge of this market.
Personally, in e-mails or on business cards I use the official job title and nothing else.
There's one thing I recently changed - I added CISSP to the Description field on LinkedIn next to my job title (but not any other cert). I am just curious if that has any influence on searches by recruiters.
Anyone have experience with that?
Kind regards,
oms
@oms wrote:
There's one thing I recently changed - I added CISSP to the Description field on LinkedIn next to my job title (but not any other cert). I am just curious if that has any influence on searches by recruiters.
Anyone have experience with that?
My LinkedIn stats showed that out of 39 search hits last week, the #1 of the top 4 terms was CISSP.
Listing the CISSP a few short years ago would instantly garner probably more attention than you wish but today it will certainly increase your search results. It's calmed down somewhat but still provides a good increase.
Americans have always fallen for the over self-promotion thing to the point of being part of the culture. Probably why I rarely see contact cards instead of business cards these days. Still I am always flattered to be presented a contact card.
This has been an interesting discussion to read.
I used to work in an environment where work was portioned out by certs. Walls of framed certs, or flip books, or databases matching name to cert were all tools of the trade back then. For a VAR or Integrator, we might only work if we had the appropriate certification, so gaining a dozen or twenty or more certs was a way to keep getting gigs. I still occasionally find a certification I forgot I ever earned, except it was necessary for one long-ago project.
In the 90's I used lots of certs after my name on cards and e-mail signatures, to try to prove my worth (as much to myself as to my customers).
In the 00's, I reduced it to the two most important certs to create a baseline for my value.
Now I use those same two, plus a cloud cert, to build bridges with stakeholders (mostly cloud architects) in other business units.
When I read certs in a signature, I like it. It's a way of establishing a baseline of knowledge I can (often) assume they have to start a conversation. If it's a cert I've never seen before, I now have something to talk to them about and a way to get to know them a little better.
Like most things, why you do it may be more important than whether you do it. Are you using it to help your ego, as I did in the 90's? Or are you using it to build better working relationships and to help your organization? One of these is a better path than the other.
On LinkedIn, I have the three key certs as a part of my last name. I also have a custom headline showing my current professional focus and a custom image which reinforces the headline. (I had to do this to stop getting so many invitations and messages where they were looking for what I used to do, not what I want to do.)
Checking the searches in which I recently appeared, I see that there are lots of searches for multiple certs - the number one showing a search for four certs, and three of them are in my name.
James,
@crossmage wrote:
In the 90's I used lots of certs after my name on cards and e-mail signatures, to try to prove my worth (as much to myself as to my customers).
You raised an interesting point about ego. I have an example of that in play when I first started advertising my qualifications in email and business cards, and another about when I stopped.
Eating my Alphabet Soup
There was definitely a time in my career when I walked around flaunting my qualifications. I found that before I either had the qualification or used it, I would often have to defend my designs and estimates articulately to my boss and my clients. I believed at the time (in the late 90’s early 00’s) that if I beat people about the head with my alphabet soup of qualifications that they would stop making me do all the extra work defending my position. That was before I was mature enough to realize that relationships were more important than lapel pins.
What I actually found was that I had to defend my position even more than before. Once I earned a more advanced certification, I found myself now being challenged by my own peers on my designs and estimates; even bringing competing designs and estimates to my boss. We would have laborious conversations in front of a dry erase board about the detailed steps and settings and their net effect. I had no problems sharing my knowledge and experience and taking criticism on my design, but somehow it always seemed to be under the pretext of proving that the certification was a sham or that I didn’t deserve it.
I never recovered while I was in that position. When I moved on to the next position, I only used the CISSP-ISSEP and eventually dropped even that from my signature line. Instead I went back to citing and sourcing all of my designs and estimates in the proposals and all was good with the world.
Alphabet Soup with Crackers
What happened at this next position as the CISSP (and other qualifications) became more prevalent solidified my view that relying upon certifications in professional communication is problematic. At this next position, I worked as a systems security engineer. Instead of submitting designs and proposals, I was now reviewing them for completeness and errors. I would forward them on with a “recommend approval” letter or a “recommend denial” letter with a statement of reasons.
Several folks would submit proposals, which overall were very detailed and complete, but had one fatal flaw or just needed a small change in order to meet organizational policy. Although several people made challenges as to credentials, one stands out in my mind as the most appalling. I went back and forth with a systems architect over a proposal, and returned the proposal with comments citing organizational policy and collateral impacts to security. Now, I returned the proposal expecting those issues to be addressed with either mitigative controls or a request to accept the residual risk. Instead, I got a message that said, “There are no residual risks, and I’m right because I’m a CISSP.”
I mean, I’ll admit that I’ve silently thought I’m right because I’m a CISSP in my head, but I would never say it, much less rely on it as my evidence of a sound proposal! We went back and forth, and this other CISSP basically argued with gibberish expecting that as apparently a non-CISSP (because it wasn’t in my signature line), the argument would appear over my head and I would concede. The proposal had 30 days to be corrected before it was outright denied. We went back and forth so long that it finally reached the 30-day mark, and I signed the “recommend denial” letter using my credentials, a copy of which went back to the architect. I never heard from that other CISSP again.
I'm all for almost complete anonymity for the same reason - I do not need the notoriety. I'm very comfortable with my ethics, work product and reputation in the industry. I am turning away amazing job offers all the time.
My current task requires "CISSP" in my signature block because of the project that I am on. It is a proactive message sent to all that I interact with that I do have the credentials to complete the task. If it wasn't politically motivated, and I *hate* politics, I wouldn't have it there.