Five Reasons for Software Certifications

Several people I respect (notably Gary McGraw) as well as others that I don’t really know (e.g., the author of this blog post “5 reasons why software certs suck”), have argued vehemently against certifications recently. I am a subject matter expert for the new Certified Secure Software Lifecycle Professional (CSSLP) certification. I help write the exam questions. Obviously I wouldn’t do it if I didn’t believe it had some value. So I’m going to try to write a few reasons why they are worthwhile.

The author of the blog post is sorta contradictory. In one case he says certifications don’t matter because the companies he respects (e.g., Microsoft and Google) as well as the people he admires (e.g., Wozniak) don’t have them. He simultaneously, and contrarily, says that there are times when you’ll be passed over in hiring because another candidate has more certs than you (i.e., because the certs do matter). Which is it? It is neither and it is both.

1. Certifications provide common context and vocabulary

Someone who has completed a certification, no matter how trivial, has assimilated some of the vocabulary, context, and culture that the certification tries to document. I expect someone holding a CISSP, CSSLP, GIAC, GSEC or similar certificate to speak a certain language and understand certain terms when I say them. Let’s not mistakenly ascribe some loftier goal and then be frustrated when the certification’s candidates don’t live up to it.

2. Certifications are about minimum competence, not maximum

A certification is meant to recognize something you know. There are those who cram for a certification exam, in order to appear, for a brief moment, to know the material that the exam tests. No one thinks that the people who study momentarily are the same as those who have a long career behind their passing score. It’s very difficult to design a test that cannot be crammed while staying within the bounds of cost-effective administration. Think of it this way: Mario Andretti has a driver’s license in his wallet. So do I. His driving skills and mine are not comparable at all, but we both passed a test that certified a minimum competency. He also has credentials for Formula 1 racing and years of career racing that I do not. Let’s not, for a moment, consider trying to capture his experience (or Microsoft’s or Wozniak’s) in a test. We are just establishing minimum competence.

3. The world needs objective measures that are comparable

Ignore for a moment what value you place on the content of the exam. If the exam is carefully standardized you have a tool for comparison. If you have ever had to hire someone, you know how people make buzzword-compliant resumes today that say almost anything that could possibly help get the person a job. As a hiring official you have to sort out the BS from the actual capabilities. With a certification you have a better starting point for that weed-out process. If I see J2EE on a resume, I have a long series of questions that will get at their experience one way and another. If I see CSSLP on the resume, I know what they should know.

Now earlier I said ignore the value of the content. Now, let’s evaluate the value of the content of the cert. If it has the ability to establish context and vocabulary and minimal familiarity with topics, I can work with that. If I come to discover that it has more value than just vocabulary (as a CCIE does), then I learn to ascribe more meaning to finding it on a resume.

4. Stop insulting everyone

Both the testsquad blog post and the popular anti-cert crowd make accusations of brainlessness. They claim that once you get a cert, you’ll feel the rush like heroin and have to keep getting more and more certs to feed your addiction. They also claim that employers myopically focus on certs and somehow overlook the true value of the candidate. I say that the employer who overlooks a candidate’s true value because he sees CSSLP on the resume would be equally duped by the long list of buzzword-compliant terminology and some good interview coaching by a placement agency. The root of that problem is the interviewer/employer, not the certification. I don’t see anything inherently worse about a cert than a good coach and a bunch of buzzwords. If anything the certs are at least moderated and standardized.

5. This train is leaving the station

You can be on it or under it. The industry is attempting to create standardized comparison for various kinds of capabilities. We need to find a way to do this with integrity and value. The ivory tower people say “you can’t tell if someone really knows their stuff based on a multiple choice test.” There are lots of NP-Complete problems in the world that we don’t think we can solve in polynomial time, yet we can apply heuristics and do various things to limit how much time we spend solving them. We need to apply the same sort of best-effort focus on quality while balancing real-world constraints. Planting our heads in the sand and saying it can’t be done is not an option. The people who want the standardization of capabilities will continue to push. Those of us smart enough to know how hard this is to do can either help, or shut up. Complaining, though, is not an option.