Security Basics mailing list archives

Re: RE: Value of certifications


From: nomail () hotmail com
Date: 30 Apr 2007 16:47:32 -0000

There are some good points in this thread. I think the current schema of IT related certifications is broken. The certs 
that exist are largely irrelevant or overly broad or narrow in focus. They are also ridiculously expensive. I took the 
CISSP last year and went into the test sweating bullets. After the test, I realized how painfully easy it was, and was 
thankful that my employer had paid for it rather than myself, because the test was not worth $500. If a vendor wants to 
limit the number of people that take and pass a test, then they should do so by making the test challenging, not 
expensive. SANS is also guilty of this, as James has illustrated. I am confident that I have the knowledge to pass 
several of their tests, but I am not going to try unless my employer pays, as they are also expensive. Especially if 
one wants to take a test without attending one of their classes. It is clear that SANS is out to make money, and while 
they should make some coin on their certification and training program, their current cost model is prohibitively expensive for all but the independently wealthy and 
those with generous employers. 

Add in some of the other cert programs, like EC Council and some vendors, and you get cheaper certifications, but the 
tests for these certs are often poorly written and not very challenging, either. And vendor tests often test for the 
"vendor answer," which in most cases is not necessarily the right answer. As the saying goes, "there is the right 
answer, the wrong answer, and the Microsoft answer..."

Furthermore, the recertification process for many certifications is a circus. While I understand the need to maintain a 
current level of knowledge to keep current in the industry, trying to use that as a measuring stick for maintaining a 
certification is counterproductive (as in the CISSP). Especially when a person is presented with few actual formal 
training opportunities. Retesting is also ineffective, because it requires the tests to be revised at the pace of the 
technology they are based on, and in most cases a current certification holder will crash the week before the test (or 
get a braindump) and pass. At that point, are they being tested on their knowledge of the industry, or on their ability 
to quickly memorize some key facts?

But if we take away the certifications, then there is no real way for an employer to gauge a prospective employee's 
knowledge and experience level. While placing all of one's stock in a candidate's ability to pass a test is admittedly 
flawed, it is also admittedly hard to compare a candidate with a lot of initials after their name with one who hasn't 
one cert. With the increase in emphasis in certs, the problem is going to only get worse, not better. Everyone in our 
industry needs to realize that certs are not the end-all, be-all that their purporters claim, and more importantly, we 
need to act on this knowledge just as we do other snake oil salesmen and knock the importance of these tests down a few 
notches. 

Certifications have their place, but they need to be fairly priced, accurately represented, not used as a marketing 
tool, and industry-recognized.

I like the ASE analogy. Too bad it won't happen here.
