Fellow Security Professionals,
Many of us have received business cards or correspondence that included a line of acronyms following the individual's name. I used to believe this was only necessary with medical doctors and accountants to make sure I didn't go to the dentist to help me find a tax break. Over the years however, I have seen this practice become more commonplace in many other professional fields including IT/Cybersecurity. There doesn't seem to be an acceptable standard on what should or shouldn't be included and I would like to open a discussion to see what others in the field think.
It would only be fair for me to share my opinion first with the very clear disclaimer that it is ONLY my humble opinion and not meant to criticize anyone else’s views or practices. I welcome the discussion and am very interested in hearing about your perspectives.
I always ask myself what the objective is for listing any of my certifications or education before I include them on anything. So far, the only place I have found it necessary is on my resume so I can get through the HR filters and show my qualifications for the position I am competing for. The position I am in now requires I maintain a certain baseline so I do not feel it is necessary to list that information anywhere. The complicated part is that few people outside the field know what the baseline is or even what it takes to attain it, which leads me to believe it is even more unnecessary to include it. This is one of the few instances I suppose it’s easier to be a doctor. When they write Dr. Doogie Howser, MD, everyone already knows they have a PhD and are CPR certified. In this field it is less defined and that is where the uncertainty comes.
The other aspect I sometimes contemplate is how to handle the certifications and education that are above the baseline.
Overall, my past experiences have led me to believe that listing my certifications and education is unnecessary. Recently however, I have begun to wonder if we as a community are missing an opportunity to open lines of communication by not advertising all the different ways to contribute to the field. My hypothesis is that listing a bunch of foreign acronyms could be the ice breaker to start a conversation with an aspiring Cybersecurity professional. I hope to gain some insight through this discussion and look forward to your responses.
Well, I can say that recently I had some opportunities inside the current company (the one I'm working with just now) just for the fact that I started to list my badges and certifications in my email signature. I think that in the near future even the colleagues who criticized you must also resign themselves to list their credentials, because this is the new world.
I started my initial contribution to this forum in respect to those who talk negatively about the CISSP / ISC2 and industry certifications. While I think that flaunting certifications is an immature way of validating oneself in the IS / IA knowledge space, being proud of one's accomplishments is probably NOT a crime... yes, I am being facetious here.
One has to pull the academics of IS and the experience together. Prior to the education, there's no other unit of measure that attests to one's foundational knowledge. Some people were probably thrown into a job and became good at it - but as a hiring manager, how would I know that?
I had to work a lot harder to achieve my graduate degree and I am working even harder than that in my current doctoral studies - but how does one measure that? Certification is the only validation when you as a hiring manager don't know a candidate personally.
Knowledge professionals are going to go back and forth with each other with our thoughts and theories, and if we were not doing that, this job would be extra boring in my opinion. So on this subject matter, I would think:
"Do what makes you happy!"
The reason many of us harbor some negativity toward the certification industry in total lies in the fact (and perhaps this hasn't been your experience, but it is common among many of your peers) that too often we have faced valid credential holders who should never have been certified but use that slip of paper like an indiscriminate lethal weapon.
Add to that occasionally certifications have become nothing but the de facto standard for employment in an industry and you're going to have problems within the ranks who feel obligated to pay for a paper cert, annual membership fees and continuous learning, which you do during the course of your career anyway. Not doing so will find your out-of-date self without a position/job anyway. So what's the point of the certification in the first place?
None of the above is specific to any one certification or certifying body but indicative of any number of well-advertised certifications aimed at making HR screeners' lives easier by giving them one big filter to screen out candidates.
Hope that helps.
Brent,
I know you addressed this comment toward Lamont, but I have a story from the trenches to share.
@Beads wrote:
The reason many of us harbor some negativity toward the certification industry in total lies in the fact (and perhaps this hasn't been your experience, but it is common among many of your peers) that too often we have faced valid credential holders who should never have been certified but use that slip of paper like an indiscriminate lethal weapon.
My colleagues and I over the years have had several conversations about reporting someone to the standards body based on their behavior, or apparent lack of competence. This included (ISC)^2, as well as others (AICPA, ABA, etc.). I can only think of one case where we did that.
There were several of us (about 5x CISSPs... maybe one more?) that worked with the 6th. The 6th had passed his or her CISSP exam and had the relevant years of experience. The problem was that absolutely no solution proffered by the 6th CISSP was ever sound. Actually, this was the same CISSP that I had mentioned in a previous post on this thread that basically said they were correct in their analysis and designs simply by virtue of holding the CISSP.
The problem was that the 6th CISSP believed he or she was giving competent advice. We recommended that he or she admit when they had no prior experience with a topic and seek a mentor, but this CISSP believed that the CISSP credential itself meant their speculation was always correct even if it was based on ignorance. The counterargument to an ethics complaint was that the 6th CISSP was simply in disagreement over the relative level of risk in every analysis or design with the other 5x CISSPs, and that in and of itself was not incompetence.
It's extraordinarily hard to prove an ethics violation out of incompetence. And the folks that use the CISSP as that lethal weapon in a proposal/conversation severely degrade the value of the credential for the rest of us.
I think that also feeds why when someone leads off with their credentials, I immediately begin dissecting every detail of a proposal. I've seen too many folks slip through the cracks, and leading off with the credential sends up a red flag that the person may be attempting to hide behind the acronym rather than proffer sound advice.
@Beads wrote:
The reason many of us harbor some negativity toward the certification industry in total lies in the fact (and perhaps this hasn't been your experience, but it is common among many of your peers) that too often we have faced valid credential holders who should never have been certified but use that slip of paper like an indiscriminate lethal weapon.
Seems to me that identifying certified professionals who are poor performers is a job for senior management. Let us all think in holistic terms here. As a security professional, we should be involved in the near daily knowledge feeds of threats to information assets; as well as collaborating with other professionals in order that we may add to our knowledge base and improve the security postures of our organizations.
Senior management have the responsibility to know what their requirements are. Performance evaluations for IS / IA professionals are key in these responsibilities. In other words, we don't have to go back and forth with certified professionals who have leaned too far in touting their CISSP or other credentials. I am of the opinion that these things have a way of working themselves out. Either these people self-correct or a travesty happens that necessitates a change.
@Baechle wrote: Brent,
"It's extraordinarily hard to prove an ethics violation out of incompetence. And the folks that use the CISSP as that lethal weapon in a proposal/conversation severely degrade the value of the credential for the rest of us..."
The person whom you are referring to @Baechle sounds like a real "A-hole" who has to take their lumps. When one has an attitude like that, other security professionals are reluctant to work with them and that person falls on their face in very short order if they don't self-correct. However, should this encourage you to take the position that there's something inherently wrong with the certification industry? I think NOT!
For every one example that you see of this character, I'd offer you a hundred who are true professionals who are ready and willing to learn and advance the organization. Just because the water is murky, you don't throw out the baby with the bath water - just change the dirty water as the baby (industry certification) is fine.
Lamont,
I think I miscommunicated my position.
@Lamont29 wrote: The person whom you are referring to @Baechle sounds like a real "A-hole" who has to take their lumps. When one has an attitude like that, other security professionals are reluctant to work with them and that person falls on their face in very short order if they don't self-correct. However, should this encourage you to take the position that there's something inherently wrong with the certification industry? I think NOT!
For every one example that you see of this character, I'd offer you a hundred who are true professionals who are ready and willing to learn and advance the organization. Just because the water is murky, you don't throw out the baby with the bath water - just change the dirty water as the baby (industry certification) is fine.
I hope people don't read my post as me suggesting that the CISSP exam or CBK is broken. What I'm saying is that this person's actions devalued the CISSP by failing to provide good counsel, and blaming the rejection of their sub-par work on the other CISSPs' default position being, "No." When in reality we always had a road map to get to, "Yes," but this other CISSP wouldn't follow it.
I should also clarify that I have heard the same complaints from folks in many other industries over the years: Audit, Accounting, HR, the list goes on ad nauseam. By no means has this been something exclusive to any one certifying body but to any number. Please don't take this as an indictment of any one industry.
More established or mature organizations such as the ABA and IACPA very much do weed out poor performers and ethical miscreants from their organizations but have decades if not a century's worth of experience behind them.
@Beads wrote: I should also clarify that I have heard the same complaints from folks in many other industries over the years: Audit, Accounting, HR, the list goes on ad nauseam. By no means has this been something exclusive to any one certifying body but to any number. Please don't take this as an indictment of any one industry.
More established or mature organizations such as the ABA and IACPA very much do weed out poor performers and ethical miscreants from their organizations but have decades if not a century's worth of experience behind them.
I reiterate that the flaws observed are in the people and not necessarily in the certification of governing bodies. You only have to turn on the TV and see the flaws in those certified by the ABA... maybe that was a bad example to give. We can't go judging the ABA because of lawyers who give other lawyers a bad name, just as we don't do this to the AMA; you are going to have good doctors and bad doctors. But again, that has nothing to do with the AMA. Just be fair to ALL professionals.
Well, it's true, there are good doctors and bad doctors. Certifications state only that the argument in the certification program has been studied well, nothing at all. If a certification involves more practice, then it ensures that such a person is able to handle such problems, not that he will be able to solve them for sure! Anyway I'm convinced that certifications are a step forward to understand people's professional level.