Five Reasons for Software Certifications

Several people I respect (notably Gary McGraw) as well as others that I don’t really know (e.g., the author of this blog post “5 reasons why software certs suck”), have argued vehemently against certifications recently. I am a subject matter expert for the new Certified Secure Software Lifecycle Professional (CSSLP) certification. I help write the exam questions. Obviously I wouldn’t do it if I didn’t believe it had some value. So I’m going to try to write a few reasons why they are worthwhile.The author of the blog post is sorta contradictory. In one case he says certifications don’t matter because the companies he respects (e.g., Microsoft and Google) as well as the people he admires (e.g., Wozniak) don’t have them. He simultaneously, and contrarily says that there are times when you’ll be passed over in hiring because another candidate has more certs than you (i.e., because the certs do matter). Which is it? It is neither and it is both.

1. Certifications provide common context and vocabulary

Someone who has completed a certification, no matter how trivial, has assimilated some of the vocabulary, context, and culture that the certification tries to document. I expect someone holding a CISSP, CSSLP, GIAC, GSEC or similar certificate to speak a certain language and understand certain terms when I say them. Let’s not mistakenly ascribe some loftier goal and then be frustrated when the certification’s candidates don’t live up to them.

2. Certifications are about minimum competence, not maximum

A certification is meant to recognize something you know. There are those who cram for a certification exam, in order to appear, for a brief moment, to know the material that the exam tests. No one thinks that the people who study momentarily are the same as those who have a long career behind their passing score. It’s very difficult to design a test that cannot be crammed while staying within the bounds of cost-effective administration. Think of it this way: Mario Andretti has a drivers license in his wallet. So do I. His driving skills and mine are not comparable at all, but we both passed a test that certified a minimum competancy. He also has credentials for Formula 1 racing and years of career racing that I do not. Let’s not, for a moment, consider trying to capture his experience (or Microsoft’s or Wozniak’s) in a test. We are just establishing minimum competence.

3. The world needs objective measures that are comparable

Ignore for a moment what value you place on the content of the exam. If the exam is carefully standardized you have a tool for comparison. If you have ever had to hire someone, you know how people make buzzword-compliant resumes today that say almost anything that could possibly help get the person a job. As a hiring official you have to sort out the BS from the actual capabilities. With a certification you have a better starting point for that weed-out process. If I see J2EE on a resume, I have a long series of questions that will get at their experience one way and another. If I see CSSLP on the resume, I know what they should know.

Now earlier I said ignore the value of the content. Now, let’s evaluate the value of the content of the cert. If it has the ability to establish context and vocabulary and minimal familiarity with topics, I can work with that. If I come to discover that it has more value than just vocabulary (as a CCIE does), then I learn to ascribe more meaning to finding it on a resume.

4. Stop insulting everyone

Both the testsquad blog post and the popular anti-cert crowd make accusations of brainlessness. They claim that once you get a cert, you’ll feel the rush like heroine and have to keep getting more and more certs to feed your addiction. They also claim that employers myopically focus on certs and somehow overlook the true value of the candidate. I say that the employer who overlooks a candidate’s true value because he sees CSSLP on the resume would be equally duped by the long list of buzzword-compliant terminology and some good interview coaching by a placement agency. The root of that problem is the interviewer/employer, not the certification. I don’t see anything inherently worse about a cert than a good coach and a bunch of buzzwords. If anything the certs are at least moderated and standardized.

5. This train is leaving the station

You can be on it or under it. The industry is attempting to create standardized comparison for various kinds of capabilities. We need to find a way to do this with integrity and value. The ivory tower people say “you can’t tell if someone really knows their stuff based on a multiple choice test.” There are lots of NP-Complete problems in the world that we don’t think we can solve in polynomial time, yet we can apply heuristics and do various things to limit how much time we spend solving them. We need to apply the same sort of best-effort focus on quality while balancing real-world constraints. Planting our heads in the sand and saying it can’t be done is not an option. The people who want the standardization of capabilities will continue to push. Those of us smart enough to know how hard this is to do can either help, or shut up. Complaining, though, is not an option.


  1. Glenn Buckholz

    Excuse the spelling, spellcheck has failed me.
    Definately disagree with most points.
    point 1. The ability for a private corperation to control the lexion is called marketing. You gain a common lexion by reading the refereed research not going to a cert class. Pipes are called pipes because thats what K&R refer to them as in their AT&T unix paper not because its in a learning tree text book.

    point 2. There is no general standard for minimum competence. Every job is different, an expert in one scenario is a beginner in another. It is rare that the interviewers in HR know what bar a certification sets. The SME’s that interview an individual next have their own set of questions that are tailored to the task at hand. While a cert class may allow a person to answer these questions the person performing the interview certaily doesn’t care how an individual got that knowledge. To use your example, the intervier doesn’t care if its you or mario, only if you can take a turn of a given radius at 60 mph. He doesn’t care if you obtained that skill on the race track or commuting to DC. Using a cert to tailor interview questions is just well, lazy. You are tailoring the job to the cert not the company’s needs. That qualifies as WRONG and BAD… see internet dictionary.

    point 3. First, the world doesn’t need anything(well maybe love), people need. If you are one of those people, while a cert is comparable it certainly isn’t objective. If they still haven’t perfected IQ or SAT testing, how does a computer cert test stand a chance. The aformentioned have been around waaaaay longer.

    point 4. Well, I agree with you here. But, its the internet what’d you expect. I also don’t see this as a vailid argument for or against certs so I think you sould change your title to 4 reasons not 5.

    point 5. This is just untrue. For any high quality work you are rated on what projects you were apart of or what enviornments you worked. MCSE, CISSP, and CNNA only help the fledgling computer professionals get interviews, which accounts for a very small part of the market. Amdhal says look elsewhere. It’s your reputaion, accomplishments, and contacts that give an impression of your future ability to solve a problem. Most interviewers are willing to overlook the fact that you lack a cert or the spicific knowledge the cert implies you have once you have experience. Based on your track record they know you’ll learn and solve their problem. In case you were wondering we have certifications for learning potential….. BA, BS, MA, MS, MD, PhD … etc.

    I’m not saying there isn’t enlightenment to be had by taking the certification exams or classes. I believe them to be industry’s version of acidemia. I’m just saying to rely on them as an interviewer is foolish…and lazy. Certs are a good tool for education, but they will never be a bar, minimum or otherwise, to judge a persons potenial. The best they may ever be able to say, is that an individual is ready to take the next cert class.

    1. Point-by-point back atcha. Point 1: ISC2 and others, while private companies who make money on the certs, are trying hard to test a candidate’s comprehension of some canonical terms that were set by someone else. When we write exams, we have Gary McGraw’s books, Mike Howard’s books, and all the others out there. We’re just testing on the terms that the industry sets, not that ISC2 or any standard body sets. So the certs test on your application of the word “pipe” as defined by K&R. The cert people don’t make up a term like “pipe” and expect others to adopt it.

      Point 2. Certs serve as a general standard for minimum competence, but only in their domain. They’re not like a bachelor’s degree. They just provide a minimum expectation of familiarity with concepts and terms. That’s it. The anecdotal hordes who mindlessly use a cert for interviewing are just conspiracy theory. They don’t really exist in significant numbers.

      Point 3. Certs don’t have to be perfect to be useful. All we care about is whether they are useful.

      Point 5. There should be no such thing as a “certification class.” A certification is not part of a curriculum. The driver’s license is a good example again. DMV doesn’t offer driving classes or practice exams. The driver’s license and the tests administered prior are intended to identify minimum competence. Each driver, however, must seek out their own lessons on how to drive. Exam cram classes do a disservice to the whole cert. They provide lots of examples of minimally qualified individuals who bring the overall value of the cert down. A certificate, ideally, is a recognition of what you learned elsewhere. It is a way we can recognize common knowledge without having to interview and check references for every person in the industry. That’s n-squared checks and we’re trying to reduce it.

  2. Glenn Buckholz

    Point 1
    Unfortunatly in practice your argument very rarely holds. For examples look at VMware, sun, and microsoft literature. Product names and marketing names are substituted for the conceptual names the inventor or field of research may use. Sometimes companies purposly make names obsure to suborn brand recognition. A name comes to mind…. cigi… wait I lost it. As a matter of fact one of my top complaints about certifications is that they teach the incorrect vocabulary AND limit how people think they can apply a particular technology. I have issues with this in practice working with a bunch of very good, very qualified MCSE type individuals. The microsoft name or way of doing things limits their way of thinking as to activly interfere with problem solving.

    Point 2
    Again, certs only prove you know what was on the test at the time. Unfortunatly compotence is a degree of experience and historically difficult to measure. To use the driver’s license example again…. With computer certs there is no road test, no practical way to judge. Yes, the person knows what a steering wheel is conceptually, but can he use it to turn the car. Or lets take the FAA, to be type rated in a jet you take a checkout flight with an FAA inspector who also has a ton of flight hours. I don’t see this in any certification process. Most accredited Universities acknowledge this failure in their cirulum and compensate with interships. Personal experience shows a certified person knows deeply the vocabulary in a field, but only has a vague notion of the underlying concepts. Since most people are profecient with language, teaching them definitions is the least of my worries.

    Point 3
    Well, my experience is that, as currently implemented, they have negative usefulness. But, thats not to say that can’t change. I think certs can be useful, they just aren’t right now. The major problem is bias and sandboxing of ideas. Both shortfalls which can be overcome, but aren’t do to the fact organizations use certification training as a marketing tool.

    Point 5
    Ahhh but in practice there are certification classes. You can’t fiat away what is because the world doesn’t conform to how you think it should be. The fact is there are CERT factories out there and they produce most of the people who have a mature cert. They base their multi-million dollar business on the fact that the certificate is valuable to have. They want to churn as many people through the program as possible sucessfully to justify tuition. They do not let silly things like comprehension and learning get in the way. Additionally and unfortunaly, to accomplish this goal, they subvert the testing process. The problem with the cert is not the mnimally qualified individuals, its the wrongly certified individuals.

    As an aside, I have seen certifications in the computer field be useful, not as a measuring stick, as a starting point for curious minds. The question I ask an interviewee is what have you done with your certification outside of work. The ones who have persued interesting side projects have always been the most sucessful hires.

  3. Glenn Buckholz

    As a correction to point two there is one exception I know of where there is a practical test. Some of the CISCO certifications require lab work. But there is not “check out ride”. However, this is the exception not the rule.

Comments are closed.