What Information Security is Not.

December 13, 2019

Part 2 of an infinite part series

“You realize I’ll have my certification in six weeks.” I’ve heard this before. When I worked as a technical trainer in InfoSec, the manager of the school said that he had “sat for the class for that certification.”


Earning a certification is a starting point. It shows that you have at minimum a certain set of knowledge. It is not the ending point where you get to say, “gee, my certification grants me authority…” An argument from authority is still an argument from authority. And since it seems that it has to be said, no, sitting in a class for a certification is not the same as taking the test and passing.

Imagine for a moment you are about to make an appointment with a surgeon for routine surgery. Your choices are someone that is going to have their medical license in six weeks, someone that has “sat the classes,” or someone who’s been licensed for six years. I know who I’d go with.

The facts are that a test only shows what you know at a given time. The certification is a way of showing that you have in fact demonstrated MINIMUM competency. Too often it’s treated as though it demonstrates MAXIMUM competency. You’ll find articles that decry the value of (insert said certification here) as useful or valuable.

The reality is this. Your certification has the value you provide it. You either build on it, or let it turn fallow. A certification is not like a degree. A degree shows that you can jump through hoops to people’s satisfaction. A certification shows that you have knowledge. Sadly, degrees never expire. Certifications can expire if you don’t update your knowledge base with continuing education units.

It’s no wonder that certain certifications in my field count towards half a Master’s degree. The Master’s degree counts towards… nothing. But it sure looks good with all that alphabet after your name, doesn’t it? Don’t worry, I’ll have my Master’s degree in a year… or two.

Next time we’ll complain about the Ford Edsel, and the lesson it taught that security ignores.