A little more than 20 years ago, I was browsing Help Wanted ads in some publications, and for the first time, I saw an ad that required a CISSP. I remember thinking, “Wow. The (ISC)2 just justified its existence.” I was reminded of this when I recently read people questioning the value of different certifications and the sponsoring organizations.
People criticize certification organizations and say that they don’t see the value of their certification and complain about paying dues. They complain that certification does not mean competence and highlight the fact that incompetent professionals are certified. They are basically right, but that is irrelevant.
There is a joke that goes, “What do you call the person who graduates at the bottom of their medical school class? Doctor.” Many professions have certifications. I am certified as a Master Scuba Diver Trainer by PADI (Professional Association of Diving Instructors). I can assure you that not all scuba instructors are equally good. However, any instructor or other diving professional has achieved a base level of knowledge. They have shown a base ability to demonstrate, train and assess the skills of students. They agree to follow PADI standards and to stay aware of those standards. When a student is certified, other diving professionals can assume that the student has demonstrated that they know how to dive safely and can do so.
Dive operators satisfy insurance requirements by serving only certified divers. To satisfy the certification requirement, divers go to PADI instructors. The instruction includes the safety requirements that PADI-affiliated dive operators adhere to, which drives divers to PADI-affiliated dive operators.
In return, PADI is constantly evaluating incidents and updating training standards and materials. They evaluate any violations of safety standards and serve to promote the dive industry. They support professionals by providing business training to schools and resorts. Despite the fact that there are infinite ways to kill oneself scuba diving, the infrastructure created by PADI leads diving to be a safe and approachable activity, and the entire industry relies on it. While instructors frequently complain about PADI, the reality is that their profession would not exist without the organization because the would-be divers would not perceive diving as a reasonably safe activity. Instructors and dive shops are not the ultimate audience for their own PADI certifications; the diving public is.
When you consider the CISSP, CEH, Security+, CISM, etc., cybersecurity professionals are not the certification customers; the professionals’ clients and employers are. While (ISC)2, ISACA, EC-Council, SANS, etc., should be responsive to the needs of certification holders, the primary benefit they provide is creating perceived value in the certifications they issue.
The organizations created the belief that the certifications they establish define a minimum level of knowledge that is useful to identify a person as having sufficient knowledge to function in a given role. They create the belief that their process is also trustworthy in testing and maintenance for the purposes of maintaining the perceived legitimacy of the certification.
All of the major cybersecurity certification bodies put together lobbying efforts to get government entities to accept the legitimacy of their certifications. In return, their certifications are required for government cybersecurity positions, such as the DoD Approved 8570 Baseline Certifications. I’ve also seen many non-US organizations requiring CREST certification from consultants.
In return, people who invest in obtaining the certifications clear a major hurdle in qualifying for jobs working with the Department of Defense and consulting organizations. To research this article, I went through dozens of job announcements for senior cybersecurity openings throughout the industry, and almost every one of them required a CISSP certification.
Many consulting companies require their consultants to have certifications to use as a marketing tool, and sometimes their customers require the certifications. Why is this? For many people, it is a way to identify that someone has a basic level of knowledge. The CISSP requires years of holding cybersecurity-related roles. In many cases, this might be due diligence. Given the proliferation of the major certifications, if an organization does not have a certified individual in a role and an incident occurs, that absence can be perceived as a lack of due diligence.
Having certifications is not unique to cybersecurity. Cisco and Microsoft certifications are required for many positions in IT. The accounting, legal, medical and even scuba professions require certifications or licenses for practitioners. To address a common complaint that I hear in cybersecurity: in all of these professions, there are likely uncertified or unlicensed people who are better at the job than certified practitioners. The certified people, however, have submitted themselves to examinations and agreed to maintain a given level of professional standards.
Let me recommend that you don’t get a certification because it sounds good. You get it because you believe it will allow you to qualify for a position of some sort. If you just want to expand your knowledge, you can read books or take courses that don’t result in certifications. However, entry-level people might want to obtain certifications to show potential employers that they have an established level of knowledge and skill, or to facilitate a career transition.
On a personal level, I avoid criticizing any particular certification or certifying body, even if I have strong opinions on the matter. I believe that such criticism devalues others’ certifications and could harm their potential employability. If you are a hiring authority and not in an organization that has standards for certifications, you can set standards requiring certifications or not. You can determine the value of a certification. However, it should not be considered a negative that an individual invested their personal time and money to obtain and maintain certification.
I fully acknowledge that certifications do not translate to a given level of performance. Likewise, a person without certification may be the best person for a given job, assuming there isn’t a requirement to meet. But my advice to practitioners is to base the value of a given certification not on opinion or biases but on what certifications are intended to do, which is to qualify you for positions and increase your employability. Likewise, while I encourage and expect certifying bodies to be responsive to the needs of their certified base, their primary mission is to promote the value of the certifications. In the end, that is what really matters.