Certification and Experience: Putting the Cart Before the Horse

When I earned my CISSP in 2000, and my CISA in 2002, I desired to earn these certifications as a way of demonstrating the knowledge and experience that I had already accumulated. To me, these certifications are a visible symbol of my professional qualifications in the professional community.

In recent years, I have seen many people who do not have the knowledge or the experience, and they desire to earn these certifications so that they may be better qualified for positions where they can earn the knowledge and experience that these certifications require.

These people have it backwards. They are showing impatience: they want the positions that require experience, but they do not yet have it. They ask: now that I have my CISSP (or CISA or CISM), how can I get a security specialist, security manager, security auditor, or other such position? And they wonder why they have difficulty finding these jobs that require CISSP, CISA, or CISM certification.

What I believe they fail to understand is that they do not have the required experience.

The correct path for professional certification and experience is this: acquire the knowledge and the experience, and then earn the certification. This is the method expected by employers, professionals, and the organizations that develop and manage these certifications.

Would you go to a doctor who had his license to practice but did not yet have the required experience? Of course not, and likewise employers do not hire candidates based only on their certifications. Instead, employers hire based upon knowledge, experience, and particular skills.

I believe that many of these aspiring certification candidates are being led astray by training organizations that are implicitly (if not explicitly) fostering the expectation that one can earn a certification on the strength of a short training course alone, as though it were a “shortcut” to positions with greater responsibility, expectations, and compensation.

To IT professionals who want to get ahead and earn certifications: good for you! I wish you well! However, do know that you need to accumulate years of work experience first – then earning those certifications will be relatively easy, and you will have greater satisfaction through knowing that you have rightfully earned your certification, not only because you were able to pass a certification exam, but also because you have the experience that goes with it.

10 thoughts on “Certification and Experience: Putting the Cart Before the Horse”


    Looks like you are the one that has it backwards.
    What you are saying implies that hiring managers should hire people that pretty have no clue about the IT field as long as they have the intention to sit for their certifications after a few months/years... after gaining experience.
    By passing a certification exam, the hope is to demonstrate to the prospective employer that you have the mental aptitude, let alone the desire to thrive in your field of certification.
    If you were a hiring manager, who would you hire: someone who has not passed the certification exam and at the same time has no experience, or someone who has passed the exam but has no experience?

    1. Jeremy Licata

      No, Peter does not have it backwards. There is no implication that managers should hire “people that pretty have no clue about the IT field as long as they have the intention to sit for their certifications.” Hiring managers are looking for qualified and experienced individuals. In many cases, an HR department will focus on finding certified individuals because the IT director/manager wrote a job requirement that specifies the credential.

      Security certifications are not, as you state, “to demonstrate to the prospective employer that you have the mental aptitude, let alone the desire to thrive in your field of certification.” The intention is to provide to the prospective employer that you bring a certain level of skill and experience to the position that will add value to the organization — a value that is backed by an ISO-certified international organization. Certification demonstrates that you already thrive in the field, not that you have a desire to thrive.

      I’m with Peter — I wouldn’t hire either candidate.

    1. Javedktw

      I completely agree with KNEMHARA.

      If employers only want experienced folks, then what will the recent grads and entry-level people do?
      Getting certified at least shows your interest in the field, knowledge of the subject and eagerness to grow in the certification field.

      It is a way to convey that you hold the knowledge to do the work, and it would eventually take the certified candidate less time than non-certified candidates without experience, who have neither the required knowledge nor the experience.

      Unfortunately, many employers are taking too much advantage of the recession and so many layoffs. I have seen job postings requiring experience of AT LEAST 5 YEARS + MUST HAVE “xyz” certifications for a compensation of as low as $9-10 per hour.

  2. Amol Godbole

    Information security is a vast area and I don't think it's feasible for most individuals to gain experience in all or even most of the areas. As an example, most people hold the CISSP / CISA and CISM certifications, but I really doubt how many of them have the expertise (and not just know-how) in diverse areas, for example, secure coding, encryption, access control implementations and at the same time auditing IS systems, IS risk management and security program development (maybe a career spanning a couple of decades).

    The way I look at it is, these certifications will give you a push in other areas of information security provided you have a strong background in some area and want to build on it. In fact, getting a recognized certification in an area where you are not an expert is probably one of the few ways in which one can validate/demonstrate his skills and knowledge in that area. One has to grow out of his current role to make that certification count (open source projects, helping out in internal audits in the current role, etc.) before a full-time role in that area can be aspired to.

  3. ITEYE

    To be perfectly frank, the reason we've an influx of so many incompetent individuals in security is the trend of hiring on the basis of certifications itself… have you ever wondered why people can't flock into… say nuclear engineering the way they do in IT…. because you can't become a nuclear engineer by passing a petty certificate…. and come on… these certificates are really really easy; try comparing certs to courses in traditional sciences and engineering – certs are essentially just a sort of user manual training…. not that these trainings are bad, but the trend of hiring people with these certs and absolutely no educational prerequisites is to be blamed.

  4. Jeremy Licata

    Thank you, Peter, for raising awareness about this issue. This really needs to be a call to ISACA and ISC2 to enforce their own policies which require that individuals applying for a credential have the necessary experience. All of the certification programs require that the applicant have 5 years of experience in the field. These “boot camp” programs, or training programs that promise that the candidate can pass the test after a week, or a year, are entirely missing the point. But it is the credentialing program itself that needs to step up its efforts to validate candidates before issuing the credential.

    Too often I have witnessed certified individuals engage in behaviours that minimize the value of the credential. And it is the responsibility of credential holders, as stated in the “ethics statement” for each certification, to report those that jeopardize the value of the credential. Part of the problem is that neither ISACA nor ISC2 have sufficient resources to investigate these individuals, much less have the resources to review and validate each candidate’s resume. Not like PMI, which takes great pleasure in their candidate validation audit.

    To those that want to get into the field: focus on education. There are plenty of degree programs out there to get started. This will lead to opportunities in the field and experience. Once the experience is gained, certification can follow. Security certification is not a starting point… unlike the technical certifications (like those from Microsoft), which can be achieved just by being a good test taker. Well… ok… in all fairness, one can start with Security+ without any experience – start there.

    On the other side of the coin, those that have the experience, and/or the certification, should be making an effort to mentor those that are working to get ahead in the field. I’ve told the individuals that I’m training that they shouldn’t even think about certification until they prove themselves in the field. It’s nothing personal — it’s just the way it works. Get 5 years of experience, then apply for the credential.

    And to those that have the credentials, don’t recommend a candidate if you can’t validate their experience. Plenty of CISSPs, CISAs, and CISMs are more than willing to sign off a recommendation form without thinking about the implications. We, as the certified individuals, need to be more vigilant in preserving the value of the credential.


  5. John Kramer

    Peter is absolutely correct, but the ‘market’ for these certs does not agree. When I wrote my book on the CISA exam, the publisher wanted me to explain in a ‘for dummies fashion’ what some of the items were that required experience to understand. My response was that if you did not already have that experience, you should not be seeking certification to evidence that you had.

  6. Donald Johnston

    I agree with the “experience first” then “get certified”. Too often many of the certifications available in the IT industry are all paper based … read the study guides and you have all you need to pass the certification exam.

    IMHO you shouldn’t be able to get a certification without proof of related real world experience. As an example, I received a degree as an Engineer but could not become a Registered Professional Engineer until after a number of years of work experience in my field.

  7. Kunle

    Hello Peter,

    As regards your article above, let us discuss myself as an example. I had a 2-year stint with a small IT firm that specialises in selling and implementing server-centric anti-virus solutions, where I worked as an internet security helpdesk officer, before I commenced my M.Sc. in Network Systems at the University of Teesside, U.K. I have done the MCSA 2003 exam track and the CompTIA Security+ exam. Do you think I am qualified to write the CISA or CISSP exam in future?

    By the way, I am reading your book on IT Disaster Recovery Planning for my dissertation on the same topic, and I think your book is a great asset to IT professionals. Please let me know if your book titled “CISA All-in-One Guide” is good enough to be an independent study guide for the CISA exam.
