'Certification' tag logo

Are certifications useful? A few words about career plans.

I regularly encounter people claiming that certifications have no use, or at best only help to pass HR screening.

I acknowledge that the importance and impact of certification is often over-emphasized by people selling certification-related books and services (which is to be expected: they are selling something, this is advertisement), and I also agree that a certification is not a proof of anything per see.

However, I believe that a certification from a well-known and trusted organism benefits the whole IT security chain: it benefits both you, your employer and the final customer.


I talk here of “certification from a well-known and trusted organism”. There is a tendency for a lot of websites hosting a few training material to deliver “certifications”, praising the value your resume will get with one of these.

In case of doubts, check job offers: if there is no demand for this particular certification (and don’t be fooled by similar names), it means that it will be most likely useless to you as a professional certification.

However, this does not mean that the training material itself will also be useless. Even if a lot of such websites provide generally poor content and try to sell it by putting on the storefront a few reasonable quality “preview” and their shiny “certification program”, some of them may be serious organisms really trying to become part of the tomorrow’s trusted ones.

Do your research, don’t get fooled by marketing tricks.

For yourself

Choosing the right certification

If you don’t design your own life plan, chances are you’ll fall into someone else’s plan. And guess what they have planned for you? Not much.

I find this quote from Jim Rohn at the same time so true and so widely ignored. You need to design yourself a concrete career plan. This is your life we are talking about!

You may already take some time to choose your shoes, your car, you cellphone and your flat. Why not take a few moments to also choose your life?

Lee Kushner and Mike Murray made a very good talk at DEF CON 17, Effective Information Security Career Planning where they presented a diagram like this:

Aptitudes: the union of talents and interests

I really recommend you to view their whole talk1 as it is really interesting and well-presented.

To make it short here they explain that you have:

  • On one side things you are good at (you may or may not be interested in them).
  • On the other side things you have some interest in (you may or may not be good at them).

The intersection between the two are the things you are simultaneously good at and interested in. These are the things you must focus on, Lee and Mike named them your aptitudes.

  1. Discover your personal aptitudes.
  2. Search for job names which rely on these aptitudes (Rory Alsop made an interesting overview of jobs description and requirements for people entering the IT security field).
  3. Read corresponding job offers to check which certifications they value.

Too often I see people skipping one or several of these steps, or even worse doing the whole thing in reverse order by first getting a certification matching their current talents (maybe on something they don’t like, but are talented in), then find a job matching the obtained certification, and finally (try to) build a life around this job. This is so wrong! You may be lucky and still be happy this way, but your life deserve more care than leaving it to luck.

Getting certified

Once you have done this work on yourself, the certification allows you to focus and sharpen your aptitudes.

Don’t over-estimate yourself! Since this is a domain you both like and are good at, most chances are that you are already highly familiar with it. You may therefore be tempted to think that you already know enough, this is an easy trap. Doing so you will most likely discover the hard way the difference between being familiar and know. This is why so many people fail their exam, and repeat their failure as long as they do not acknowledge where the real problem is but instead prefer to blame the exam itself.

Granted, depending on the exam some questions may be dubious at best, but the amount of such questions is never large enough to fully explain a failure, only to prevent people from reaching 100%. When you fail an exam, it not because the questions were not good, it is because you were not prepared for them.

In the exams authors mind, a few months after you passed the exam you will only remember about 40 to 60% of the things your learned to get it. This is normal and expected, this how any training system goes.

The consequence of this is that, to indeed grant you the certification, exams authors put the bar very high, far higher than what the professional positions associated to the certification requires on daily basis, this with the only objective that these remaining 40-60% will, at the end of the day, effectively match the jobs needs.

Because of this, when studying for an exam, you must prepare yourself for tears and suffering. In those hard-times when you feel that your head will explode, that the chapter your are currently reading just feels like random gibberish, that the end of the course seems to reside in a galaxy far, far away: remind yourself why you are doing all this.

You are not studying to be able to setup and configure that foobar device. You are not studying for the exam, or for the certification, or for the job. You are studying for yourself: you are studying to build yourself your own life.


You may find on the Internet so-called “brain-dumps” or websites offering you “real exam questions” so you just have to learn the mapping between a question caption and its corresponding answer without having to understand their meaning.

Ignore them.

  1. Such material violates the exam Non-Disclosure Agreement. By using it to pass your exam you expose yourself to get your certification revoked at any time.

  2. Such material kills the certification. Once enough people manage to get certified without having the accompanying knowledge, putting the certification on a resume looses all its value.

  3. This is useless. Would you manage to get a job this way, how do you expect to perform your duties if you do not have the corresponding knowledge? The employer will quickly be able to tell.

  4. This is stupid. As a reminder, you do this for yourself, to extend and systematize your knowledge on an area you are supposed to like and be good at, why on hell would you jeopardize all this by cheating when you can just go on and be proud of yourself and of your work once you managed to pass the test?

This warning however does not targets “exam-like” questions which are independent creation and are not part of the exam, or old retired questions published by the certification organism. They are both good ways to train yourself to the wording and topics targeted by an exam and may be a required step to pass it.

For an employer

When looking for a job, an appropriate certification goes beyond simply passing human resources screening:

  • Well-known certifications act as a kind of common language with a potential employer to convey your aptitudes and competency in a few acronyms.

    While the rest of your resume provides details on your experience, an employer knows what a CEH or a CISSP are for instance, he knows what he can expect from an employee bearing such certifications and which roles in the company would match its qualifications.

    Providing a sound set of complementary certifications allows an employer to get a factual, objective and clear view of who you are and what you can bring to his company right from your resume header, without even having to read any further.

  • As said earlier, certifications are hard to obtain. The benefit from this is that, beyond the technical knowledge, a certification is also an objective testimony of your determination.

    You are capable of working hard and provide efforts to achieve a goal.

A certified employee also represent an added value for the employer, which may translate in a better position and salary within the company.

For a customer

In technical and specialized domains such as IT security, it is very easy for a customer to find himself lost in a Lemon Market where he has no clue on how to distinguish good quality services from poor ones, thus lowering the general market price to poor quality services.

Here, the certification plays a major role by allowing a company providing IT security services to bring an objective testimony of its employees competency. For some contracts like governmental contract, this may even become a prerequisite.

  1. Sadly the linked video covers only the first part of their talk, I have the impression that DEF CON did not release the sequel. If anyone knows where it can been seen, please inform me, nevertheless this first part still remain a very good talk in itself. 

Aptitudes: the union of talents and interests

Aptitudes: the union of talents and interests

Popular tags see all