Certifiably certified

THE LACK OF a decent yardstick against which to judge the security skills of IT staff is perhaps the biggest obstacle to improving those skills. After all, how can you know what the standard is when there really isn't one?

But how does the IT community solve that problem? Education is the one-word answer, but that just leads to the obvious questions of what kind of education, how to provide it, and how to assess the results of the education.

I certainly have problems with the approach followed by most IT certification processes, which rely heavily on one's performance on one or more multiple-choice exams with little allowance for practical experience. Anyone who's been in the IT game for any length of time can tell the story of someone holding a "paper cert" on one operating system or another who proves to be less than useless when he or she actually has to apply that knowledge.

Many providers of training and testing services package their offerings in a "boot camp" format, where one spends a week or two studying, preparing, and drilling for the tests. I've done this myself, and currently hold a low-end certificate from a leading network equipment vendor.

Certification makes life easier for hiring managers and the people who work in human resources. Unfortunately, the desire for someone with a particular level of certification too often becomes an unwaivable requirement, no matter how much experience one has. One might say that if you're truly proficient in a particular field, the classes aren't needed and that getting the certificate is a sign of your commitment. I couldn't disagree more.

Class time is important for testing success because you're not just studying the material, you're also studying the test itself. Everyone knows that some people test better than others, and the whole point of practice tests is to reduce stress on the examinee when the big day comes.

I'll also point out that many of the best people can't get away from their jobs long enough for a boot camp or even to take the occasional test. This is even more likely to be the case in the future, as many shops continue to trim personnel ranks in the face of the current economic malaise. Most of you can agree with me that one may be committed to the XYZ operating system, but that takes second place to getting through the day.

I'm not saying that all security certifications are bogus or that certifications in general are bunk. But I'd be more likely to put my trust in a certification with an independent pedigree, as opposed to a certificate that's sponsored by one vendor or another. I also recommend that when you're interviewing for an IT security position -- whichever side of the desk you're on -- the discussion should focus less on the certificate and more on practical experience.

Ultimately, there is no substitute for experience -- going out and doing the job trains you in a way that flashcards never will.