After reading a very spirited, informative discussion on this topic over at SecurityFocus I decided to throw my own hat into the ring. I want to expand on several relevant topics. 1 - Certifications are a joke - A certification alone, without experience is typically not worth that much in the real world. It proves that the candidate can pass a test, often with having the questions in advance( see Testking/ActualTests). All it really guarantees, is that the candidate has some basic knowledge of the subject. Even the certs with experience requirements are pitiful, due to the fact that they do not audit every candidate. And if they did, there's always a chance they lied, like most people do on their resume.  2 - Certifications are necessary - until the HR machine is overhauled, you cannot afford to not have certifications. Unless you have a good contact in the company, most non-certified individuals will be screened out by the non-technical HR employee, who basically knows keywords. I think also if your very specialized, like on a certain product or field, having one of the more advanced certs could be very rewarding financially. Also on the opposite spectrum, having certs in several different areas, like various OSes, networking, security, etc can show that your pretty versatile. 3 - Experience is still king - Despite the fact that you have a lot of "enhanced" resumes out there, experience is still the most important factor in deciding whether or not a candidate will be successfull. A good track record of completing projects, troubleshooting, implementing, etc along with personal references from those jobs are still the best indicator that I've seen. Granted you need to do a fair amount of vetting via the technical interview, I still think its what employers should put more emphasis on versus certifications. In conclusion, I would like to state that I don't think its possibile for anyone to argue that the current certification system we have is not broke on multiple levels. We have hiring managers without a clue. We have money grubbing, so called experts selling us mediocre certifications. In short, we all have to take responsibility for fixing it. Whether its done by educating people of the dangers of paper only certified employees or by designing a new system, something needs to be done.

http://www.digg.com/security/The_Value_of_Certifications

I was refering to the postings on the Security Basics mailing list under "The Value of Certifications", not Parker's article. If you have time check them out, some interesting comments. Its toward the end of April I think.

I agree with what your saying for the most part however I see exceptions everyday. For instance I had a CCIE in one of my graduate classes that worked at Cisco and didn't understand PAT and NAT correctly. That is really scary. I could tell he was a sales person and not a technical guy. Likewise with the CCNP, I've worked with several that don't even work on routers. I infact know several people that clearly didn't have the CISSP requirement met, yet someone signed off on them. ISC2 only audits a tiny fraction of the applicants. I've seen all these, and IMHO its more of the norm then the exception. Just strictly opinion though. While I understand certifications have some value, there needs to be way less emphasis on them, because there not as credible as most people believe they are. And this is coming from someone with a lot of certs, not from a guy who refuses to get them.

I will add my two cents here. I have had this conversation many times over the years.

I agree with experience and college education is king.
I think a Computer Science degree (or Engineering) will give the proper foundation and then experience really puts a person head and shoulders above the others.

I am scheduled to take the CISSP in a few weeks.  This is the first time I am actively going after a certification.  I am only doing it because the industry has recognized it and many positions require it.  I am pleased with the materials so far.  I do feel ISC2 is making a best effort to protect the value of the certification aside from "making" money on it.  It appears the CISSP exam (IMHO) to be structured in a way that insures the candidate has the ability to use theory and technical analysis.  Those types of exams are difficult to regurgitate from memory.

I am 12 years working in IT and I have debated for years whether to go "get" certifications.  An interesting point that helped sway me away, was from a friend who was a Director of Networking/Telecomm of a large university.  His response was that when he sees a resume with 15 certifications, he tosses it because he wonders how much time the candidate will be spending of his time and money to get the next certification, instead of adding value to his team and environment.

It's a valid thought and a different pespective for others to think about.

Overall, I think certifications can allow a hiring manager to gauge a candidates capabilities a little bit. It provides a front line screen.  Yet, it is still the repsonibility of that manager to hire someone qualified, and good interview questions can reveal a persons capabilities very quickly.  Experience ends up being king in my book.

everyone is entitled to his opinion, so here is mine, that guy is a jackass.  The "I have tons of experience I dont need certs" talk is almost as old as the "vaule of cetifications" talk.  I am guess this guy doesnt have certs, Sure he is much too busy for that kind of thing.

in my experience i have seen that the majority of people that pull the i dont need certs, certs are stupid talk, usually dont have any and usually have dated experience with that they do know (There are obviously exceptions).  I am not saying that certs=knowledge in the subject.


While you buddy may be throwing away a good chunk of paper certs into the trash, with that biased way of thinking i am sure he threw several qualified applicants in the trash as well.

on another but similar note, how do you demonstrate to a potential employer that you have drive and desire to keep your skills current if they cant look at a resume and see that you have a record of improving yourself versus spending all your time "dedicated to the team and work"?  That dedicated guy may not be the most current of most driven guy you can hire.

pros and cons....

I agree with you, a traditional degree doesn't add much value in IT work environment, unless its at very tech focused place. Still though, a degree is often listed as a requirement and therefore is vital to many people. Also, if you ever leave the IT world, a degree is more apt to help you then a bunch of technical certs.

 

Well, just ask your HR how much more would you earn if you would have a Master Degree.

A lot of companies offer their packages depending on your studies and not necessarily on your certs or even experience. Studies prove that you should be able to overcome challenges and that you are able to commit for a long term.

The good thing about certs is that your CV might catch their attentions and maybe it is required if your company is placing you at their customers. And if you are a freelancer, it is a BIG plus to sell yourself $$$.

I agree though that experience is the most important.

To quote Joe McCray, quoting Zig Ziglar :

"The only thing worse than training good employees and losing them
is NOT training your employees and keeping them."

I have been working as a network support administrator for 5 years, and I am now ready to move into security.

Not coming from a security background, I would need to get a basic understanding of security for me to build upon. I think the first logical step now would be to get some security certifications behind me.
 
To get your foot in the door I have found that your resume is what sell you and make you a candidate for employment, now if they see that you are certified then I think they would take time to look at your resume and then go on to check your experience and skills set.

I agree that experience will always be the king, but everyone started from scratch and had to work their way up.

I would like to think if I attended a number of training courses to get actual hands on work, that would count towards at least a bit of experience.

I have now passed my CEH and now studying to take Comptia Security + and Linux +,  hopefully this will give me the foundation I need to start my end goal in becoming a Penetration tester.