There was a book I read called “My Mercedes Is Bigger Than Yours” – which pretty much sums up what the book was all about: bragging rights as to whose car is “bigger”. In this case the practice, in some cultures, of using the model tag on a Mercedes -Benz car as an index of the economic and social power of its owner: for example, the Mercedes-Benz 200 designated the small rich while the Mercedes-Benz 500 SL announced the super rich. It was a typical intra-class war where your neighbor had to have a bigger and sometimes better car than the one you were driving.
The scene played out recently when I visited Nigeria. A neighbor had just bought a BMW X5 and not quite a week later, his friend across the street “released” his own BMW X6 and if you know the way the super rich roll in Nigeria, you probably know about the “Vehicle War” that ensued.
Long story short, by the end of the second month, each “big man” had over twelve cars of all sorts ranging from Mercedes 600, Porshe Cayenne, Chrysler 300, Range Rover HSE Sport, BMW 750Li etc. etc. (although I don’t think the drivers were complaining – it is embarrassing to drive yourself if you are rich in Nigeria, you must have a driver and a PA. But I digress).
The story is front and center in my mind whenever I read about the “debate” on which certification is best, or whether a certification holder “knows the job”, or passed the exam by cramming. It does not matter if it is the Certified Information Systems Security Professional (CISSP) or the A+, there is always a case of “My Certification Is Better Than Yours” which I termed the “MCIBTY” Certification.
Each certification has the exact worth that the exam taker ascribes to it. I believe there is a wrong notion out there that one certification is better than the other since each of these certifications are geared toward specific areas of specialization. Take the CISSP examination for example. I have often heard the argument that any “idiot” can memorize and pass the exam without knowing anything about information security. Really? I’d like to meet such an “idiot” and hire him/her.
Based on my own experiences, anyone who can read and memorize materials from the following books and pass a six-hour exam comprised of 250 random mixture of scenario-based and specifically crafted long-winded questions deserves our admiration instead of scorn:
Shon Harris – All-In-One CISSP Exam Guide (AIO) – 1140 pages
Krutz and Vines – Mastering The Ten Domains – 975 pages
Eric Conrad et al – CISSP Study Guide – 566 pages
Tipton and Krause – InfoSec Handbook – 3206 pages (no kidding! and that is just volume 1)
Shon Harris – CISSP Practice Questions – 404
Ed Tittel et al – CISSP Study Guide – 772 pages
Then add the video and audio training from PrepLogic, Learnkey, Shon Harris, the SANS training and the related NIST Publications. And let’s not forget the many hours of practice tests at places like CCCure and from the CDs that accompany some of the books.
Why so many sources? Because (ISC)2 does not release the questions and correct answers of past exams. So the nature of the upcoming exams is highly “unknown”. More important, exam takers are not allowed to disclose the questions. So you really have no idea of what’s coming by way of reviews of real past questions, especially if it is your first time. Of course some may use “brain dumps”.
I can tell you this, three hours into the exam when you are told by the proctor that you have three hours left and you are still on question 100 out of 250, you will have a new respect for the exam. Are there folks who turn in their exam after three hours, yes but I remember the words of Dr. Eric Cole who said “If you walk out of that exam and say “what a joke, I completely nailed it”, you most definitely failed. It is not an easy examination”. When I got out of that exam hall and started strategizing for a re-take, those words gave me hope. On the other hand, those same words almost bit me in the behind after my CISM exam and I was sure I “nailed it” to the high heavens. Ahem, let’s just say I did OK.
The ISACA format is almost the same, but probably worse because you may encounter five questions in a row with what, at first glance, looks exactly the same as the previous questions you just answered. It is deliberate. You have to know the material and real life application of the material to be able to answer the questions correctly. Are there people who can cram for and pass the exam? Absolutely. But it does not remove from the hard work of others who studied for, and passed the exam.
Then there are the Cisco and Microsoft exams. I do not know how anyone can correctly memorize IOS or Active Directory simulation questions unless they have an insider who helped write the exam to know exactly what kind of scenarios the exams will present. You either know binary conversion or you don’t since you do not know what subnet or IP address you will be asked to decipher. The same goes for group policy and domain management.
You either know the commands to configure a router and switch or you don’t. You either know how to subnet (quickly) or you don’t – no calculators or PDAs are allowed in the exam. Sure you can memorize how to recognize an IOS version or even a subnet mask table, but how do you memorize the answer for a question like:
“Given the following scenario, why is the router not routing traffic?:
ip address 10.0.0.1 255.0.0.0
ip address 18.104.22.168 255.0.0.0
frame-relay map ip 22.214.171.124 255.0.0.0
You have to have some idea about frame-relay map statements, yes?
The same goes for Network+, CEH, CHFI etc. Agreed, there are some certification examinations that seem more “theoretical than practical” but that is the focus of those certifications – for management level folks. The CISM has the “M” (manager) for a reason. The requirements are that you must have spent a couple of years managing an enterprise network with a focus on specific domains before applying for certification. Passing the exam is not an automatic certification for some of these organizations. At that level you are expected to have mastered the “hands-on” stage and moved on to a verifiable management position. Some will background check your ass.
The CISA certification is geared specifically for auditors and you better know your stuff before you go audit someone’s network or you may have some years of cold crappy meals ahead for you.
Is it possible to have a CEH who “sucks” at the job? Absolutely. I also know a lot of MBAs who cannot hold their own against my mother who did not go to school when it comes to running a business and keeping it profitable. How many cases do we hear about surgeons who sent a few unfortunate people to their early graves because they “did not know squat”? The best political scientists are probably the worst political leaders ever. Lenin, Stalin, Hitler, Cardoso etc. were brilliant political minds. Our own Obama is having to deal with Realpolitik at the moment.
Certifications are a celebration of personal achievements. Many people are not getting certified so they could get a job or make more money. Many certified folks have pay grades higher than any certification can bring. It is the same reason many of us go back to school for our PhDs, Masters, or MBAs. I have seen a few profiles with over seventeen (17) certifications (okay, these guys need help!). But that is also a testament to people who love studying and learning.
There are a few people who take certification exams because they want to prove that “any idiot” can take and pass a certification exam. And I know many who came out of the process convinced that there is more to it than just cramming. And after certification, even those who did not believe in its worth perk up and become very good at their jobs. Self respect has a lot to do with that. You do not want to be pulling out Shon Harris’s book when your boss asks you a question about cryptography now do you? After all, you are supposed to be a CISSP!
So, to wrap up, I do not think the question should be “which certification is better?”. Rather we should be asking what certifications are more appropriate for specific specializations. Someone interested in Business Continuity for example is better served by a BCI certification and if your area of expertise is IT Governance, then you are better off with the CGEIT certification. For a network focused professional, a Cisco cert is a no-brainer. If you are more into the “dark side”, then CEH is probably where you need to focus.
MCIBTY is not a certification you should pursue. It is bad for your health and could expose you as the owner of a small LADA!