DISCLAIMER: I work with CWNP as the CTO, but these opinions are my own and I have held them for more than 20 years now.
I have been thinking about acquiring the Security+ and CASP certifications in order to move my IT career in the direction of Information Security. Do the certifications matter or should I just focus on gaining experience?
Refocused IT Pro
First, there is no replacement for experience. Get experience and get expertise. Expertise does not exist without experience. You can become a professional without experience, but it requires experience to be an expert because an expert has fine-tuned experiential impulses and awareness that do not come through reading, attending classes or gaining certifications. At least not entirely.
Second, yes, you should get certifications. If you want to work in wireless, get the CWNP certifications. If you want to be a DBA, get database administration or programming certifications. If you want to work in security, get at least one certification related to testing (ethical hacking, penetration testing, whatever you wish to call it), one certification in security management like CISSP, and then go to certifications of Security+, CASP and possibly the new CSA+. Furthermore, shameless plug coming, I would get the CWSP certification as not other cert so thoroughly covers Wi-Fi security. Remember, along the way, it is about saturation in knowledge to enable quality experience development above all.
What do certifications prove? They prove you learned the material required to pass the exams (assuming you did not cheat, which will evince itself soon enough and you’ll be out of a job) and I’d rather have someone working for me who has the knowledge and has proven it than someone who claims the knowledge but has not.
As I’ve always said, “Certifications prove you can pass the exams. Not having a certification proves nothing.” It’s really that simple.
Now, I can hear someone arguing, “But Tom, I have significant experience and my resume speaks for itself.” Great! I would rather have someone with significant experience and no certifications than someone with certifications but no experience. However, I’d rather have someone with both. Why? The acquisition of the certification tells me something about the individual (maybe I’m wrong, but I’ve talked to many other IT directors and CTOs who feel the same way). It tells me they are willing to continue their learning and invest in their future. I am comfortable with that person.
I may hire an individual for a job role and not even specify certifications as a requirement. However, when filtering the applications to select candidates, the listed certifications or continued education weight heavily in my decision. Just because a job posting does not list a certification as a requirement, you should not assume your certifications will be of no value to you.
So, in the end, while this is my opinion (held strongly) and not based on empirical data, you are better off having experience and certifications than experience alone. This is, of course a general statement, much like a wise saying of Solomon of old, but it holds true in most cases that I’ve seen.
Good luck on your transition!