The Value of Certifications

“How does your degree compare to my 10 years practical work experience?”

This was something my very first manager used to say often to me and other fresh-faced graduates. 

He had a point – we knew nothing about the business, any of the tools, or the job compared to him, or indeed anyone else who had been working more than three days at the bank. But we had come in on the exclusive ‘graduate programme’ touted as the future of the workforce. 

It did not even matter what your degree was in. I had completed my degree in Business Information Systems, another grad had a physics degree, and one had studied history. The value of the degree became quite clear – all it provided was a means to get you in through the door. 

---

On my team at work, I was the first to study and pass the CISSP exam. I was young and enthusiastic and did not mind putting in a few hours a week studying for it and practising exam questions. 

Having passed, I walked into the office the next day fully expecting confetti to fall from the ceiling, colleagues to carry me on their shoulders and hail me as the hero they needed and deserved.

Instead, I was met by a few grunts, an approving nod, and one person making the comment, “I saw the course outline and there is nothing in there that I did not already know”

---

One year, I obtained my SANS GIAC web application pen testing – and of course it is easier to get an audience with the Queen than it is to get the approval of pen testers. 

---

Just a few months ago, I attained my Security Awareness and Culture Professional (SACP) certification. And while my colleagues appreciated it, elsewhere similar questions reared their ugly heads… “So what does that give you which my five years of running awareness and culture programs does not?”

---

In London, black cabs are more than just cabs, they are an icon. But before anyone can drive a black cab, they have to undertake the “knowledge”, which involves memorising pretty much every road, alley, landmark and office within six and a half miles of Charing Cross Station. This takes most people between two and four years to complete by spending their spare time riding around on mopeds around London. The test is rigorous and they are tested on the quickest or shortest route between any two points. 

But, this got me thinking. 

What value does the “knowledge” provide that I cannot find myself using the sat nav on my phone? And the answer is that if your sole criterion is to get from point A to point B in the quickest time, then your sat nav is perfectly capable. But let’s look at it from a broader perspective in that the ‘knowledge’ has as much, if not more value as a signal than as a navigation skill. 

Any industry where you literally put your life in the hands of a stranger requires a high level of trust. You can build that trust in many ways, and one of those is to demand proof of commitment before a provider is given the license to take your life in their hands. 

Think about the pilot on your next long haul flight. They did not just get their license a few days before — they had to commit years, if not decades of their life to learning their trade and slowly being promoted to the point where 500 or so people happily sit in the back knowing that they will get to their destination safely and on time. 

You can hop into a black cab and ask the driver to take you to the airport via the scenic route. Tell them to show you some of the sites along the way and they will happily oblige. A sat nav only has a couple of options, shortest route, quickest route or route that avoids tolls or motorways. There is not a whole lot of nuance there. If you try to go for a scenic drive, the sat nav will have an aneurysm trying to redirect you to a more efficient route. 

Of course, Uber uses technology, a log of your journey, and safety features in the app to keep you safe; so it is not to say that the “knowledge” is the only way to build trust.

---

If you look at education and certification through the narrow lens of pure applicable knowledge, then by all means, spend time working in a field and gaining experience. But if you look at the broader aspect, when someone spends time studying for and getting their CEH, their CISSP, any SANS certification or indeed the Security Awareness and Culture Professional (SACP), you will see there is a lot more to that individual than the certification itself, but a commitment and investment they have made to cybersecurity.