There are many ways to attain and maintain information security expertise. The path that one person followed isn’t necessarily appropriate for another. What role do professional certifications play in the process, and what other considerations should you keep in mind when expanding your skills? Here’s what has worked for me.
As a practitioner who aims to keep up with advancements in security practices, I’ve benefited from GIAC and (ISC)2 certifications that I’ve attained over the years, such as GIAC Security Expert (GSE) Certification and Certified Information Systems Security Professional (CISSP):
- Goalposts: I’ve treated certifications as concrete milestones toward which I could progress. Such specific goals helped me focus, making it easier to stay motivated to learn and practice a new skill set. Also, the sense of accomplishment I received after earning a certification was one I wanted to repeat when working on my next one.
- Signals: I’ve used certifications as signaling mechanisms for employers and clients — a way to indicate that I possessed a particular skill set, at least at the baseline validated by the certification. They’ve also helped demonstrate my strong interest in the corresponding subject because attaining the certifications required a lot of time and effort.
I’ve also found that shared certifications sometimes helped me establish rapport with other professionals during informal interactions and as a part of hiring and job-seeking activities. This might be due to the “similarity effect” that authors of the book Click: The Magic of Instant Connections described. Ori and Rom Brafman explained that even small shared traits, such as having the same Zodiac sign or rooting for the same sports team, make it more likely that people will “click” with each other.
Certifications have also provided me with an added incentive to keep up with changes in the industry. This motivation came in the form of Continuing Professional Education (CPE) requirements that organizations such as GIAC and (ISC)2 expect individuals to meet to keep their certifications current. For me, maintaining the certs sometimes involved taking a recertification exam; sometimes, it meant keeping track of the educational activities in which I engaged to demonstrate to the certifying body that I’m continuing to learn.
My career path has taken me toward executive and business-focused roles in cybersecurity. I found that as I gained seniority and experience, my reliance on certifications gradually declined. I now spend more time learning through self-study and by talking to and collaborating with others. I still take an occasional training class. And I still keep my GSE and CISSP certifications; though I don’t need them as much nowadays, we’ve worked through many challenges together, and I’d hate to see them go.
Certifications aren’t for everyone. As you can see, they played an important role in my professional development, along with many other factors. I suspect many of those reading this post feel the same way.