While reading through the most recent issue of Information Security Magazine (which is really just a Web site more than a magazine nowadays), I came across a well-written article titled "Determining the Value of Infosec Certifications." I was enjoying the article until I came upon those wonderful cloaking phrases like "in my experience" and "it did surprise me." The first statement indicates that the author doesn't care what statistics say when they disagree with his or her opinion. The second statement is an admission of the fact that the survey data disagrees with his or her opinion. The point is that the author of the referenced article is insisting that his view (certifications are not that important) is more correct than the statistics. In fact, when 54 percent of the respondents of a survey said that they received a promotion directly related to having a security certification, the author said that this was just their "perception" and that he was surprised by this.
Maybe this author should look at government employees working in security who are absolutely required to have certain security certifications if they want to continue in their roles. There is no question, regardless of anyone's opinion, that these employees benefit (in their job opportunities) from having certifications like the CISSP, CWSP, Security+ and CASP.
Now the author is right about one thing: very rarely do professionals gain employment exclusively on a certification. However, this does not diminish the value of the certification. Yes, experience is important; however, give me a technologist with ten years of experience and no certifications and another with the exact same experience and multiple certifications, and I'm going with the certified candidate every time. Why? Because the possession of the certification tells me something about the individual. It tells me she or he is not an arrogant know-it-all who feels that her or his methods are always right. This makes me feel more comfortable as an employer. I can trust that they will not "do their own thing" regardless of the damage it may do to my organization or my clients' organizations.
I'm very appreciative of the article's author for pointing out that experience is essential. He is right about that for sure, but certifications tell us the individual is willing to learn and prove his knowledge. When someone tells me that certifications don't prove anything, here is my simple response: "Not getting certified definitely proves nothing." Think about it. The truth can't be simpler: getting certified proves you have the knowledge to pass that exam; not getting certified proves that you are not certified. Certainly, gaining certifications relevant to the area in which you wish to work cannot do you any harm.