One of the more remarkable things that seems to have become trendy is bashing those with infosec certifications. With great regularity, I see Twitter and LinkedIn posts by other infosec professionals, many of whom I follow, actually poking fun at CISSPs and other security credentials. While not entirely new, the increase is most definitely there. And it’s unfortunate, given that we are all working to make the world a safer place.
Every Company Has At Least One
When I say every company has at least one, I’m not talking about CISSPs (or similar). While that part is increasingly true and certainly welcomed, it’s not the focus. I’m talking about someone who is there and openly declaring why they are so much smarter than anyone who has ever been certified and why none of that mumbo jumbo matters. And as you might expect, that person is often quite shallow when it comes to their own certification history. But, I’m not reverse bashing them at all. They clearly have their reasons and I, myself, haven’t yet felt the need to even begin to research what they are. Because, doing so would betray what I have found to be the culture of IT in general, which is a rich society of very diverse individuals with an infinitely wide range of backgrounds and motivations. So if his/her background doesn’t necessarily lead you down the infosec certification path, so be it. That said, I may very well not hire you, as I will explain in a minute.
You Don’t Have to Tear Others Down to Build Yourself Up
Personal choice aside, there are clearly those who are taking aim at those with security certifications in what always jumps out as their attempt to build themselves up by tearing others down. There’s little to no humility with this crowd. They may be social media trolls, internal security team know-it-alls, or both. They see themselves as always smarter than you and want everyone around them to know it. These are NOT the people you want on your team. While they may be absolutely great in a specific area of concentration, their condescension is tiresome and damaging.
This is not to say that criticism isn’t warranted though. With my background in the USAF and as an active pilot, I have seen the amazing power of constructive criticism, even out in the open. Organic, authentic, and well-placed professional criticism offers real and enduring value. And so is the same on any team out there. This is why each mission is fully planned ahead of time and debriefed after. If someone on the team isn’t pulling their weight, a team counseling session can bring about miracles. The bottom line is that tearing someone down the right way is to ultimately build them back up. We simply don’t tear someone down just to build ourselves up.
Wearing the InfoSec Team Jersey
Going back to what I mentioned earlier about perhaps not hiring someone who is against key certifications, I’m happy to share exactly what I mean by that.
Security works best as a team, right? And the better the team, the better the security. Well, that’s what we would hope and expect, at least. We might have a great team and still get outmaneuvered by some bad actor(s), but I would always weigh the ability to recover by just how good the security team is.
Example: In Atlanta, I do all I can to remain well informed and quite close to the security community. And learned over the years are those few great organizations that I don’t even bother calling on. Not as a consultant and not as a vendor. Respectfully, I know who they are and I suspect many of them know of me. If they do somehow get hacked, I won’t be rushing to see if they need any help, either. It’s not because I don’t feel I can help them, but because I know all team members are standing up to proudly say “I’ve got this!”. So while I’m confident my skills are on par with their level of professionalism and could play a part if asked, their team is already very much intact and simply doesn’t need another star player at that particular moment. And not surprisingly, a few of the individual team members don’t have any security certifications at all. But of course, most are awash with them.
So, my view is that security teams get the job done. And with that it’s my belief that looking like a part of the team is equally important. Security certifications, especially those at the top, serve as a great symbolic team jersey. When I see them, I instantly know that they are an active and participating member of the global information security brand. It’s just a matter of which team they ultimately land on. Not wanting to wear a team jersey simply makes me a bit worried that a fit might be harder, though not impossible, to find.
Would You Hire…
To close this out, just ask yourself whether or not you would consider hiring…
- a doctor who isn’t fully board certified?
- a pilot without a pilot’s certificate from the FAA and multiple certifications/endorsements/ratings?
- a barber without a beauty school diploma and a state license?
- a player on a sports team who won’t wear the uniform?
- a soldier who didn’t graduate from boot camp?
- a security professional who openly discredits those who do have certifications?
As a consultant/contractor, I have to struggle with this quite a bit. This is a role where I have to be a temporary part of a team, always remaining highly focused and motivated in helping the team grow and continue to do so long after I have moved on. Having the right certifications obviously helps a great deal. It sends the right message up front, helping make that always critical first impression. I’m not there because I have, or have had, key certifications from the likes of Microsoft, Cisco, Juniper, SANS, or ISC2. But of course not having that rich resume would make earning a seat at the table much more difficult. I wouldn’t have it any other way!
So let’s dispense with any mocking of the various infosec certifications. We are in a team sport and need the leaders to have our back and focus on helping elevate the entire team, not jousting all across social media with those who they otherwise have to interact with each and every day.