<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: ISACA CRISC &#8211; A Faith-Based Initiative? Or,  I Didn&#8217;t Expect The Spanish Inquisition</title>
	<atom:link href="http://newschoolsecurity.com/2010/07/isaca-crisc-a-faith-based-initiative-or-i-didnt-expect-the-spanish-inquisition/feed/" rel="self" type="application/rss+xml" />
	<link>http://newschoolsecurity.com/2010/07/isaca-crisc-a-faith-based-initiative-or-i-didnt-expect-the-spanish-inquisition/</link>
	<description>The Blog Inspired By The Book</description>
	<lastBuildDate>Wed, 16 May 2012 16:05:54 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
	<item>
		<title>By: Isaac</title>
		<link>http://newschoolsecurity.com/2010/07/isaca-crisc-a-faith-based-initiative-or-i-didnt-expect-the-spanish-inquisition/#comment-8531</link>
		<dc:creator>Isaac</dc:creator>
		<pubDate>Thu, 17 Mar 2011 19:48:18 +0000</pubDate>
		<guid isPermaLink="false">http://newschoolsecurity.com/?p=1674#comment-8531</guid>
		<description>As a disclaimer, I am a member of ISACA and am applying for grandfathering in the CRISC. I hold a number of vendor and vendor neutral certifications and three state professional licenses related to IT Infrastructure or Security.

Couldn&#039;t agree more Paul. &quot;A Certification can never replace practical experience. It is an added bonus to hard work that will add to their resume and build their “Search-ability” on job sites&quot; This is pretty much spot on.

Presently I&#039;m an FTE for a company but I&#039;ve worked as a consultant most of my years in IT and Information Assurance. Previously I found that I was interviewing for a new assignment about twice a year. (My normal engagement was about six months.) When I started listing certifications, and then gaining more, I found that I consistently was in the top half of the cut to interview for better and more lucrative projects. Certifications clearly helped do that.

With the exception of those of us that have to meet specific training requirements (and certification requirements) to remain employed and access/protect/manage classified information (Read DOD employees as an example) the number one reason to certify is to have something that independently attests to general skills in a specific area and this is most crucial when you are looking for a new project or new job.

Many certs are arguably “weaker” when initially authored. It’s only with time that the certification fine tunes their exam and admission criteria. I’m not sure of a vendor program that hasn’t fit this model. One advantage of the certification is that ISACA is at least mandating continuing education and attesting to it for those holding continuous certification. This alone is a huge step up on many vendor certification programs.
 
Without work experience a certification is (virtually) worthless. As hiring managers we need to ensure that we are balancing “paper” with proven performance. I look at certifications (on candidates’ resumes) as evidence of a baseline of knowledge and enough dedication to their chosen career path to take the time to certify/remain certified. I weight this less than the sum of the work experience and interview performance, however if two people look similar on paper and one is certified and the other isn’t, I’m far more likely to interview the certified individual. What I don’t do is rely on that certification instead of performing a comprehensive interview with real questions or looking for sufficient experience in the field.</description>
		<content:encoded><![CDATA[<p>As a disclaimer, I am a member of ISACA and am applying for grandfathering in the CRISC. I hold a number of vendor and vendor neutral certifications and three state professional licenses related to IT Infrastructure or Security.</p>
<p>Couldn&#8217;t agree more Paul. &#8220;A Certification can never replace practical experience. It is an added bonus to hard work that will add to their resume and build their “Search-ability” on job sites&#8221; This is pretty much spot on.</p>
<p>Presently I&#8217;m an FTE for a company but I&#8217;ve worked as a consultant most of my years in IT and Information Assurance. Previously I found that I was interviewing for a new assignment about twice a year. (My normal engagement was about six months.) When I started listing certifications, and then gaining more, I found that I consistently was in the top half of the cut to interview for better and more lucrative projects. Certifications clearly helped do that.</p>
<p>With the exception of those of us that have to meet specific training requirements (and certification requirements) to remain employed and access/protect/manage classified information (Read DOD employees as an example) the number one reason to certify is to have something that independently attests to general skills in a specific area and this is most crucial when you are looking for a new project or new job.</p>
<p>Many certs are arguably “weaker” when initially authored. It’s only with time that the certification fine tunes their exam and admission criteria. I’m not sure of a vendor program that hasn’t fit this model. One advantage of the certification is that ISACA is at least mandating continuing education and attesting to it for those holding continuous certification. This alone is a huge step up on many vendor certification programs.</p>
<p>Without work experience a certification is (virtually) worthless. As hiring managers we need to ensure that we are balancing “paper” with proven performance. I look at certifications (on candidates’ resumes) as evidence of a baseline of knowledge and enough dedication to their chosen career path to take the time to certify/remain certified. I weight this less than the sum of the work experience and interview performance, however if two people look similar on paper and one is certified and the other isn’t, I’m far more likely to interview the certified individual. What I don’t do is rely on that certification instead of performing a comprehensive interview with real questions or looking for sufficient experience in the field.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Mike</title>
		<link>http://newschoolsecurity.com/2010/07/isaca-crisc-a-faith-based-initiative-or-i-didnt-expect-the-spanish-inquisition/#comment-4445</link>
		<dc:creator>Mike</dc:creator>
		<pubDate>Mon, 18 Oct 2010 20:30:57 +0000</pubDate>
		<guid isPermaLink="false">http://newschoolsecurity.com/?p=1674#comment-4445</guid>
		<description>Paul and Chris, 

I agree, and hope that my certifications help hiring managers look at my resume of 20+ years information security experience.

Michael Thoni
CISSP, ISO 27001 ISMS PA, Archer Certified Professional, CISM, CISA, CGEIT, HITRUST Certified Professional, CRISC in progress

Available 1/1/2011 mthoni1@tamopabay.rr.com</description>
		<content:encoded><![CDATA[<p>Paul and Chris, </p>
<p>I agree, and hope that my certifications help hiring managers look at my resume of 20+ years information security experience.</p>
<p>Michael Thoni<br />
CISSP, ISO 27001 ISMS PA, Archer Certified Professional, CISM, CISA, CGEIT, HITRUST Certified Professional, CRISC in progress</p>
<p>Available 1/1/2011 <a href="mailto:mthoni1@tamopabay.rr.com">mthoni1@tamopabay.rr.com</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Christopher</title>
		<link>http://newschoolsecurity.com/2010/07/isaca-crisc-a-faith-based-initiative-or-i-didnt-expect-the-spanish-inquisition/#comment-4271</link>
		<dc:creator>Christopher</dc:creator>
		<pubDate>Wed, 06 Oct 2010 14:03:04 +0000</pubDate>
		<guid isPermaLink="false">http://newschoolsecurity.com/?p=1674#comment-4271</guid>
		<description>Paul is correct; certs are only good for changing jobs or contracts.

I have never been able to secure a pay rise in a permanent position on the basis of having passed a specific certification.  I once tried to argue that my market rate was significantly higher due to once passing the CCSE but was ignored by my employers.

They had not paid anything for training or even the cost of the exam, although the CCSE was part of my KPIs for that year.

I took that new cert and almost tripled my income by going contracting.

I now use certifications as a marketing tool when I bounce from contract to contract, but it does allow me to get instant credibility with the locals when they see the experience and certs together.

I&#039;m sure I could grandfather the cert but will most probably leave it till next year and just sit the exam and claim the CPEs for it.  I refuse to sit through podcasts or webinars and prefer study and exams to get them.</description>
		<content:encoded><![CDATA[<p>Paul is correct; certs are only good for changing jobs or contracts.</p>
<p>I have never been able to secure a pay rise in a permanent position on the basis of having passed a specific certification.  I once tried to argue that my market rate was significantly higher due to once passing the CCSE but was ignored by my employers.</p>
<p>They had not paid anything for training or even the cost of the exam, although the CCSE was part of my KPIs for that year.</p>
<p>I took that new cert and almost tripled my income by going contracting.</p>
<p>I now use certifications as a marketing tool when I bounce from contract to contract, but it does allow me to get instant credibility with the locals when they see the experience and certs together.</p>
<p>I&#8217;m sure I could grandfather the cert but will most probably leave it till next year and just sit the exam and claim the CPEs for it.  I refuse to sit through podcasts or webinars and prefer study and exams to get them.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Paul</title>
		<link>http://newschoolsecurity.com/2010/07/isaca-crisc-a-faith-based-initiative-or-i-didnt-expect-the-spanish-inquisition/#comment-4104</link>
		<dc:creator>Paul</dc:creator>
		<pubDate>Thu, 30 Sep 2010 17:57:19 +0000</pubDate>
		<guid isPermaLink="false">http://newschoolsecurity.com/?p=1674#comment-4104</guid>
		<description>Please re-read http://newschoolsecurity.com/2010/01/proving-crisc-is-stupid/.  As stated by Don Nelson:

&quot;Are you aware in 2002/2003 the CISM (first released) was initially offered through a grandfathering program? Per your name tag, it appears you hold the CISM???&quot;

Does this make you not want to get the CISM?  You are currently pursuing this cert yet it had a grandfathering program as well.  Why are you getting a certification anyway?  What does the CISM actually get you?  What does it mean?  Do you get a raise for passing it?  OR do you get recognition for the knowledge that it shows you have?  Do you really have that knowledge?

A Certification can never replace practical experience.  It is an added bonus to hard work that will add to their resume and build their &quot;Search-ability&quot; on job sites.  Just as you want the CISM to show that you have practical knowledge in that area that is what the CRISC is for.  I am planning to take my CISA at the end of this year... and yes I am going to apply to be grandfathered into the CRISC as I have been in IT Security for over 10 years now.

People are looking at this in the wrong light.  If the CRISC means nothing then so do the rest of your certifications (and yes I hold a few; ITIL V3, SAP Security, ...).  I got my certifications because I wanted to show that I have knowledge in those areas.  It is also a way to show that you can learn something and pass a test on it, much like a college degree.  How many people that work in a business can do a double derivative right now?  I know I can&#039;t!

&quot;Just don’t expect me to believe that this certification means that the individual knows anything about information risk analysis, or risk analysis in general.&quot;

I would never expect to believe ANY CERTIFICATION!!!!  A Certification is a test with a book that people read prior to the test.  Yes, I will say it again.  It is a TEST that has a BOOK that will assist with the answers.  For some people all the certification means is that they are good at taking a test.  It does not mean they have practical knowledge of that topic.  It does not mean they are qualified for the job!!!  That is why there are interviews!  All these certifications boil down to is giving someone (A Recruiter) access, at a quick glance, to know that you Might have knowledge in that field.  To truly find out if you do requires an interview.

People will probably deny it but truly a certification only means something when changing jobs.  You will rarely get a raise in your current company just for passing a certification.


Kind Regards,
Paul</description>
		<content:encoded><![CDATA[<p>Please re-read <a href="http://newschoolsecurity.com/2010/01/proving-crisc-is-stupid/" rel="nofollow">http://newschoolsecurity.com/2010/01/proving-crisc-is-stupid/</a>.  As stated by Don Nelson:</p>
<p>&#8220;Are you aware in 2002/2003 the CISM (first released) was initially offered through a grandfathering program? Per your name tag, it appears you hold the CISM???&#8221;</p>
<p>Does this make you not want to get the CISM?  You are currently pursuing this cert yet it had a grandfathering program as well.  Why are you getting a certification anyway?  What does the CISM actually get you?  What does it mean?  Do you get a raise for passing it?  OR do you get recognition for the knowledge that it shows you have?  Do you really have that knowledge?</p>
<p>A Certification can never replace practical experience.  It is an added bonus to hard work that will add to their resume and build their &#8220;Search-ability&#8221; on job sites.  Just as you want the CISM to show that you have practical knowledge in that area that is what the CRISC is for.  I am planning to take my CISA at the end of this year&#8230; and yes I am going to apply to be grandfathered into the CRISC as I have been in IT Security for over 10 years now.</p>
<p>People are looking at this in the wrong light.  If the CRISC means nothing then so do the rest of your certifications (and yes I hold a few; ITIL V3, SAP Security, &#8230;).  I got my certifications because I wanted to show that I have knowledge in those areas.  It is also a way to show that you can learn something and pass a test on it, much like a college degree.  How many people that work in a business can do a double derivative right now?  I know I can&#8217;t!</p>
<p>&#8220;Just don’t expect me to believe that this certification means that the individual knows anything about information risk analysis, or risk analysis in general.&#8221;</p>
<p>I would never expect to believe ANY CERTIFICATION!!!!  A Certification is a test with a book that people read prior to the test.  Yes, I will say it again.  It is a TEST that has a BOOK that will assist with the answers.  For some people all the certification means is that they are good at taking a test.  It does not mean they have practical knowledge of that topic.  It does not mean they are qualified for the job!!!  That is why there are interviews!  All these certifications boil down to is giving someone (A Recruiter) access, at a quick glance, to know that you Might have knowledge in that field.  To truly find out if you do requires an interview.</p>
<p>People will probably deny it but truly a certification only means something when changing jobs.  You will rarely get a raise in your current company just for passing a certification.</p>
<p>Kind Regards,<br />
Paul</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: tom sawyer</title>
		<link>http://newschoolsecurity.com/2010/07/isaca-crisc-a-faith-based-initiative-or-i-didnt-expect-the-spanish-inquisition/#comment-3458</link>
		<dc:creator>tom sawyer</dc:creator>
		<pubDate>Wed, 08 Sep 2010 20:55:34 +0000</pubDate>
		<guid isPermaLink="false">http://newschoolsecurity.com/?p=1674#comment-3458</guid>
		<description>as a cissp, cisa and preparing for the cism I have to say I have no intentions on ever pursuing the new exam. the fact they are trying to grandfather people into it just says they are looking to invent something for additional revenue. grandfathering is the way to try to gain instant recognition for something built on or riding the coattails of other certs. isaca will claim they have x amount of people certified under crisc and also have a, b, c and d. so even though I more than likely have background for what they are looking for to instantly say this cert is worth something, it&#039;s a joke that in a few months you&#039;ll have to pay 500 (and wait the full 8 weeks if not longer) plus annual fees to get what other people got for free. the general approach just doesn&#039;t work for me</description>
		<content:encoded><![CDATA[<p>as a cissp, cisa and preparing for the cism I have to say I have no intentions on ever pursuing the new exam. the fact they are trying to grandfather people into it just says they are looking to invent something for additional revenue. grandfathering is the way to try to gain instant recognition for something built on or riding the coattails of other certs. isaca will claim they have x amount of people certified under crisc and also have a, b, c and d. so even though I more than likely have background for what they are looking for to instantly say this cert is worth something, it&#8217;s a joke that in a few months you&#8217;ll have to pay 500 (and wait the full 8 weeks if not longer) plus annual fees to get what other people got for free. the general approach just doesn&#8217;t work for me</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Oliver</title>
		<link>http://newschoolsecurity.com/2010/07/isaca-crisc-a-faith-based-initiative-or-i-didnt-expect-the-spanish-inquisition/#comment-3053</link>
		<dc:creator>Oliver</dc:creator>
		<pubDate>Fri, 02 Jul 2010 15:20:38 +0000</pubDate>
		<guid isPermaLink="false">http://newschoolsecurity.com/?p=1674#comment-3053</guid>
		<description>ah ok, yes I missed the point</description>
		<content:encoded><![CDATA[<p>ah ok, yes I missed the point</p>
]]></content:encoded>
	</item>
</channel>
</rss>

