Top 4 Un-Certifications

Picture of a Canopy TentOn Monday I posted a quick review of top recommended certifications for 2012. One of the points that I tried to make in that article was that certifications aren’t everything. I proposed that certifications only make up maybe 10% of what security professionals should be focusing on in managing their career. In the end I pondered what makes up the other 90%. Well in today’s post I hope to answer that question.

(Note: As part of a campaign to bring forward some of our older posts that we feel still benefit the community, we’ve added this article to our Best Of category that will periodically get tweeted out. Please mention it to me on Twitter or contact us if there are any other posts you feel we should include in this category. This post was previously categorized under Career Development. [email protected]grecs)

The analogy that I’ve seen elsewhere is a canopy tent with a center pole (see pic above). Certifications may represent one of the poles. The shorter the pole the less it can hold up. So they all kind of have to balance each other out. If one is too low and there isn’t a counterbalance, then the entire tent (i.e., your career) may flounder. This suggests that you need to establish a minimum level in all five areas with maybe one or two that you excel in (i.e., the center pole).

So the question remains … what are the other four poles? Although there are no guarantees, here are my thoughts.

Formal Education to Lay Theory Foundation: Yeah this is the thing that may professionals have been brainwashed into thinking is absolutely necessary for any chance of success. As one of the brainwashed one, I feel you need to lay a good theoretical foundation down first before getting out into the real world. In the end although your degree may have nothing to do with security, it at least “suggests discipline, drive and commitment” as @stevewerby mentioned a while ago. Additionally, it provides a reference of at least one type of theoretical framework. Even if you are later in your career, it’s never too late to go back and strengthen the foundation previously only supported by theory extracted from practical experiences. This dovetails nicely into the possible next pole … continuous learning.

Continuous Learning to Keep Ahead: If you want to keep up and maybe even get ahead in your field, you MUST NEVER stop learning. Opportunities for continuous learning are everywhere. It could be just researching a topic you are interested in or maybe even something more formal like taking a class or attending a conference. But don’t forget the less expensive options. Listening to podcasts or attending local meetups are great ways to keep your knowledge on the cutting edge. Let me just say this … if you are just eking out enough credits towards your CISSP CPE requirements, you’re doing it all wrong.

Strong Communication to Push Your Ideas: Communication includes everything from writing and presenting to knowing how to talk the customer’s/management’s language. I’ve always said that the difference between a “good” engineer and a “great” engineer is the ability to communicate effectively. You can come up with the greatest ideas in the world however if you can’t communicate or convince someone it is a great idea, then it’s useless. Taking some basic writing and speaking courses at your local community college could definitely assist here.

Expansive Networking to Make Connections: From a networking perspective get out there and get involved. If you are weak in the certification or degree departments but know someone on the inside and they know you are good, then you have a pretty good shot of getting past those pesky minimum requirements. My recommendation is to get involved in some local meetups or create one yourself if there isn’t one in your area. Volunteering at conferences is not only a way to save some money, it’s also a great way to meet and network with new people.


Are there any other tent poles you feel should be mentioned above? Let us know in the comments below. Today’s post image is from

24 comments for “Top 4 Un-Certifications

  1. March 14, 2012 at 11:52 pm

    Another late night post I’ve been working on .. the Top 4 Un-Certifications

  2. March 15, 2012 at 12:58 am

    Top 4 Un-Certifications: On Monday I posted a quick review of top recommended certifications for 201… #ITSecurity

  3. March 15, 2012 at 1:26 am

    RT @grecs #NOVABLOGGER: Top 4 Un-Certifications

  4. March 15, 2012 at 6:09 am

    RT @grecs: Another late night post I’ve been working on .. the Top 4 Un-Certifications

  5. March 15, 2012 at 6:44 am

    Top 4 Un-Certifications: [] On Monday I posted a quick review of top recommended…

  6. March 15, 2012 at 9:39 am

    RT @grecs: Top 4 Un-Certifications Any others un-certs we need to consider?

  7. Andrew Morgan
    March 15, 2012 at 10:45 am

    So two of the posts you mentioned here can be directly linked to certifications, the other two are both just having good people skills. Being able to communicate and being sociable are both the same as having good people skills. So take both of those poles and combine them into one. Now your tent only has four poles so lets look at the other three. One of them is already certs so lets move on to the next, Formal Education to Lay Theory Foundation. As an IT manager the last thing I look at or even care about is your college degree. One reason is by the time you finish a four year degree all of the things you just learned are already ten years behind. Another thing degree’s DO NOT demonstrate a level of commitment, drive, or discipline. Now it is true it does take some a bit of those things to get through college but for the majority it’s just not the case. As a manager why am I supposed to get excited because after high school you just kept doing the same thing for a few more years? The next pole is continuous learning, suggesting taking a class of some sort but not the kind of class where you could be learning the things you need to know to advance your career and strengthen your knowledge of the industry. Once again speaking as a manager I don’t care what podcast you listen to, I don’t care what meet-ups you go to, or even who you hangout with. However if you tell me you attend a night class to obtain a certification in your field I’ll take that as dedication and commitment. Of course on the same note if you tell me you’ve taken this class but didn’t obtain the cert it teaches I’m going to think one of two things. One you’re lying and failed the exam or two you don’t have any follow through.

  8. March 15, 2012 at 1:45 pm

    #NoVABlogger Top 4 Un-Certifications

  9. March 15, 2012 at 1:45 pm

    #NoVABlogger Top 4 Un-Certifications

  10. March 15, 2012 at 1:45 pm

    #NoVABlogger Top 4 Un-Certifications

  11. March 15, 2012 at 3:13 pm

    Andrew: Thanks for your comments. These other “poles” were meant more for someone considering a long-term career in infosec versus what a manager sees. The goal is to use these to create a more well-rounded individual in the long-term, which I feel will create a more valuable person to any organization. I think indirectly practicing the above five habits would produce the type of person any manager is looking for.

    Regarding you comment on communications and networking being one pole, I see what you are getting at but do not agree. I know very sociable people that know almost everyone in their field. Unfortunately, they totally suck as writers and cannot communicate their ideas that well. Yeah, these are very fun people to hang around but they can’t communicate in business well at all. On the other hand I know people who are excellent writers but are very quiet in social situations.

    Regarding the formal education comment, I have to disagree. If universities are doing their jobs right, they will teach you the theory independent of any particular technology. For example, in coding you might learn the basic concepts such as conditions, loops, etc. That basic understanding translates into any modern programming language today and beyond. And regarding formal education not “demonstrate a level of commitment, drive, or discipline,” I again disagree. Yeah, maybe if you are a genius, taking an easy degree, or attending a cake school, it doesn’t but for many it is a very difficult challenge. Maybe I’m an idiot but myself and many other student peers often worked into the wee hours of the night and on weekends doing problem sets, studying for tests, and proving theorems over and over again as part of an engineering degree. Trust me I would have rather been out partying it up but I chose not to … along with many of my classmates. I call that a very high level of commitment, drive, or discipline.

    Regarding your continuous monitoring comment … yeah, you may not really care about what podcasts someone listens to but you might expect analysts to be on top of current attack trends or the most up to date tools so they could better perform their jobs. Maybe going to local meetups or having a large network isn’t that important to management, but it becomes important when your employee can solve a problem in 2 hours versus 2 days based on the connected network.

    Overall I appreciate your perspective and would be interested in hearing what your “poles” would be. From the sounds of it, certifications would definitely be included but what other qualities do you look for.

  12. March 15, 2012 at 3:16 pm

    For those that missed it .. and a great comment from Andrew .. Top 4 Un-Certifications

  13. March 22, 2012 at 2:33 pm

    Found this article related to this that you might be interested in.

    Building Information Security Professionals

    Although it focuses on starting out in infosec, he brings up the following four tenets and discusses maintaining a balance between them.

    * Education
    * Training
    * Certification
    * Experience

    First two map pretty closely to what I proposed. And of course I’m assuming Certifications would be there as well. So I include Communication and Networking but lack Experience. Great feedback!

  14. March 22, 2012 at 2:34 pm

    Added comment to Top 4 Un-Certifications post to include comparing it to another great article.

  15. March 22, 2012 at 2:34 pm

    Added comment to Top 4 Un-Certifications post to include comparing it to another great article.

  16. April 29, 2012 at 9:43 am

    Best Of: Top 4 Un-Certifications

  17. May 7, 2012 at 11:46 pm

    Best Of: Top 4 Un-Certifications

  18. May 23, 2012 at 3:00 am

    Best Of: Top 4 Un-Certifications

  19. July 9, 2012 at 12:08 am

    Best Of: Top 4 Un-Certifications

  20. November 8, 2012 at 9:15 am

    Best Of: Top 4 Un-Certifications

  21. December 6, 2013 at 3:35 am

    Best Of: Top 4 Un-Certifications

  22. March 2, 2014 at 4:46 pm

    Best Of: Top 4 Un-Certifications

  23. December 3, 2014 at 2:11 am

    Best Of: Top 4 Un-Certifications

  24. December 20, 2015 at 12:33 am

    Top 4 Un-Certifications (read with comments by andrew and the one at March 22, 2012 at 2:33 pm) by @grecs

Leave a Reply

Your email address will not be published. Required fields are marked *