One of the most frequently asked questions I receive from individuals looking to enter the Information Security field is: “Should I pursue certifications?”

I have had many in-depth conversations on this topic with my peers, so I’ll share my thoughts and logic on the subject here.

The answer to this question is not black and white – it is subjective and highly dependent on the individual. I know several smart and knowledgeable professionals with 0 certifications, and an equal number of smart and knowledgeable professionals with 10-20 certs. That said, I have also met individuals with a large number of certifications who are lacking skills, and vice-versa.

While some of my friends and colleagues have strict opinions on the topic, my view is this: you need to know yourself.

I find exercise to be a helpful analogy in this case. For example: many people work out every single day and are in fantastic shape. I, however, am not one of those people. It’s difficult for me to get motivated and hit the gym “just because.” Instead, I need a short-term goal in order to maintain my focus and guide my training. I recently completed my first Tough Mudder in Southern California and found it extremely beneficial to have an imminent event with a set date, motivating me to get prepared and exercise.

After coming to this realization about myself, I acknowledged that the same applies to InfoSec. With a certification exam on the calendar, I’m more likely to skip an hour of TV at night and focus on studying instead. Again, this is not set in stone and I have taught myself many different topics, but sometimes having an exam looming on the horizon can motivate me to really focus and learn a topic in-depth.

I have yet to come across a course or certification from which I gained nothing, and I find that to be a telling sign that you get what you put in. As an individual who loves the command-line and prefers to cut up and massage data that way, I still found an Excel course beneficial to my skillset. Others, even a few close friends of mine, are extremely skilled and do not feel the need to participate. They can stay in shape on their own, if you will.

In my current studies, I’ve come across two authors with the SANS GSE certification, Chris Sanders (Practical Packet Analysis, Applied NSM) and TJ O’Connor (Violent Python). With the technical knowledge and depth they broadcast through their writing and presentation of topics, I sense that a strong foundation was solidified by achieving this prestigious accolade. Just as I will continue to buy and read their work, I now view the SANS GSE as a credential I’d like to someday obtain.

Early in my career, I was influenced by more experienced InfoSec professionals. When making professional decisions, I would often change my own personal views depending on who I talked to. It took me a few years to realize that each decision is based on the individual and their learning style. In that respect, I hope that this post will help other young professionals.

For what it’s worth, having at least a few certifications will help you to get by human resources at larger companies. I won’t delve into this topic too much, but I will say that I never want to be restricted by something that is within my power to control.

The last point I will address is the cost of certifications. The process of using certifications to guide your short-term goals can sometimes be obstructed by the financial cost of these courses. In my career, I have been lucky enough to work for a company that is invested in my training and development, fronting much of the cost for these certifications. I do have a great appreciation for companies with this mindset, though I find myself on both sides of the spectrum when it comes to paying your own way. If you are not fortunate enough to have an employer that will foot the bill as you sharpen your skill set, I would recommend that you save money and focus only on the training/certifications that will greatly increase your skills (or help you get past the HR screening process and on to a technical interview).

Of course there are plenty of stances and opinions on the subject. If you would like to chat or share your thoughts, feel free to comment, message me on Twitter or send an email.

-Mike (@mikeboya)
