Perspective on the "Certification Industrial Complex"
Business Value Analysis for your Career Development Plan
🪡 Tailoring is Key
Hey there,
Business Value Analysis is an important topic covered in Domain 3 of the AKYLADE Cyber Resilience Practitioner (A/CCRP) exam. Let’s apply this concept to your Career Development Plan. Would your Return on Investment be higher:
Taking the course for knowledge gained only?
Certifying it with the exam?
Just like when applying the NIST Cybersecurity Framework to organizations, one-size does not fit all. Tailoring is key, and that’s why two options are provided in Simply Cyber Academy.
Some people quickly jump on the opportunity to pursue the exam. Others don’t see any value in getting CCRP letters beside their name until those letters start appearing on job postings.
Others still have simply been burned by aggressive, manipulative sales (we all have) and are skeptical of all 1,800+ IT/cybersecurity certifications, which have well-documented problems. Why should you even get a cert when it's what you can do that really matters?
In the GRC Certification Roadmap, I talk about significant price increases in the 22-46 year old certs we see on job postings from large, bureaucratic organizations: CompTIA's Sec+, ISC2's CISSP, and ISACA's CISA. I also explain that I was inspired to collaborate with innovative startups like Simply Cyber and AKYLADE because they can provide leaner, practitioner-focused offerings at lower costs, in closer touch with what hiring managers need.
Your Career Plan: Cybersecurity GRC includes my regular mantra:
The research is clear: use a combination of on-the-job, social, and formal learning, known as the 70-20-10 [experiences-relationships-education] model
The focus is not all certs. In fact, it's 90% NOT certs.
In Accredited, Practical Exams to Help Solve the Experience Catch-22, I talk about how many courses today create their own "certifications" but those are really just certificates of completion. Without independent accreditation, employers won't recognize them as proof you can do the job.
We don't need another certification, we need different certifications, with a different way of testing
It also talks about how 50-70% of cybersecurity job postings are tied to certifications in the DoD 8140.01m list. AKYLADE certifications are already recognized by the DoD for Continuing Education Unit credits. In “8. Industry Recognition” below they provide an update on their progress and expectations in attaining further industry recognition.
While I'm generally 10-100x more concerned about the quality of the course content than about the debate over the value of certification exams, it's an important topic on which to share my perspective and get your feedback.
I’m of course biased being (newly and at a super-micro scale) on the seller side, and if you’re already convinced that AKYLADE exams are part of the certification industry problem as opposed to a solution, I don’t expect to change your mind. My goal here is to advance our mutual objective of launching or lifting your cybersecurity GRC career, with all the relevant decision making info.
Sincerely,
Steve
🤖 Analyze Claims: The Certification Industrial Complex
The Certification Industrial Complex blog post has been referenced as a reason to take AKYLADE Cyber Resilience courses only and not pursue the exams. For an independent perspective, I ran it through Daniel Miessler’s open-source framework for augmenting humans using AI, fabric, with a prompt/pattern called analyze_claims.
Input
fabric --changeDefaultModel claude-3-opus-20240229
pbpaste | fabric -p analyze_claims -s
Output
ARGUMENT SUMMARY:
The cybersecurity industry overrelies on certifications for proving competence, and there are better ways to demonstrate skills and knowledge.
TRUTH CLAIMS:
CLAIM: Certifications only teach and test at the bottom tiers of Bloom's Taxonomy (remember/understand).
CLAIM SUPPORT EVIDENCE:
- Bloom's Taxonomy is a well-established framework for ranking knowledge, with remembering and understanding as the bottom tiers. [1]
- Many certification exams focus heavily on multiple-choice questions that test recall of facts rather than higher-level skills. [2]
CLAIM REFUTATION EVIDENCE:
- Some advanced certifications like the OSCP have a significant hands-on lab component that tests practical application skills. [3]
- Certain certifications like CISSP are designed to also test analysis and evaluation through scenario-based questions. [4]
LOGICAL FALLACIES:
- Hasty generalization: "certification exams only display a minimum level of competence". Some certifications are more rigorous.
- False dilemma: Implies certifications and self-study/creating are mutually exclusive. Many use both approaches.
LABELS: Thought-provoking, contrarian, anti-establishment
CLAIM RATING: C
CLAIM: Certification companies perpetuate the narrative that you need to be certified to be competent in order to profit.
CLAIM SUPPORT EVIDENCE:
- The certification and training industry generates over $200 billion in annual revenue. [5]
- Certification vendors often use marketing language implying their certs are necessary for career success. [6]
CLAIM REFUTATION EVIDENCE:
- While certifications are profitable, many vendors seem genuinely committed to developing quality training.
- No direct evidence provided of vendors making false claims about the necessity of certifications.
LOGICAL FALLACIES:
- Appeal to motive: Assumes profit motive means cert companies are acting in bad faith.
- Straw man: Misrepresents the claims and motives of certification vendors.
LABELS: Cynical, anti-corporate, uncharitable
CLAIM RATING: C
OVERALL SCORE:
LOWEST CLAIM SCORE: C
HIGHEST CLAIM SCORE: C
AVERAGE CLAIM SCORE: C
OVERALL ANALYSIS:
The post makes some valid points about the limitations of certifications and the benefits of alternative skill-proving methods. However, it overgeneralizes the flaws of certifications and the motives of cert vendors. The dichotomy between certs and self-study is overstated. A more balanced take would acknowledge the value of both traditional and alternative approaches.
🔭 My Point of View
I agree with the broad stroke themes of how to get where you want to go in your career:
Certs are not the ‘only’ option for demonstrating proof of competence
Certs have pros, just don’t over rely on them
Create a custom learning plan
These themes are very aligned to my 70-20-10 GRC Analyst Career Development Plan template, and Jason Dion's sound bite that:
Certs won't get you the job, they'll help you get the interview
When it comes to providing a balanced analysis, however, a C grade from Analyze Claims seems right.
CLAIM RATING: C
The post makes some valid points about the limitations of certifications and the benefits of alternative skill-proving methods. However, it overgeneralizes the flaws of certifications and the motives of cert vendors. The dichotomy between certs and self-study is overstated. A more balanced take would acknowledge the value of both traditional and alternative approaches.
I felt similarly in my CISSP surprise #5 last year:
Simply CYBERCON keynote: "Multiple-choice certifications need to be destroyed with fire!"
Thought-provoking, contrarian, anti-establishment
CLAIM: Certifications only teach and test at the bottom tiers of Bloom's Taxonomy (remember/understand).
CLAIM SUPPORT EVIDENCE:
- Bloom's Taxonomy is a well-established framework for ranking knowledge, with remembering and understanding as the bottom tiers. [1]
- Many certification exams focus heavily on multiple-choice questions that test recall of facts rather than higher-level skills. [2]
CLAIM REFUTATION EVIDENCE:
- Some advanced certifications like the OSCP have a significant hands-on lab component that tests practical application skills. [3]
- Certain certifications like CISSP are designed to also test analysis and evaluation through scenario-based questions. [4]
LOGICAL FALLACIES:
- Hasty generalization: "certification exams only display a minimum level of competence". Some certifications are more rigorous.
- False dilemma: Implies certifications and self-study/creating are mutually exclusive. Many use both approaches.
LABELS: Thought-provoking, contrarian, anti-establishment
CLAIM RATING: C
Quite the hot take from John Strand! Here’s a recap of key points:
The industry perpetuates a problematic culture of elitism and exclusivity
There is a general distrust of higher education's effectiveness in preparing cyber professionals
The high cost of professional cybersecurity training creates barriers to entry
Multiple-choice certs don't necessarily reflect real-world skills or abilities, as we just discussed
Free or low-cost cyber ranges and practical skill assessments can be more valuable than traditional certs
The industry needs to shift from an elitist mindset to a more inclusive and supportive culture
Then John provides some balancing perspective on where multiple-choice certifications are appropriate.
I’d add to that perspective that:
Education is only 10% of a Career Development Plan
Some certs are more practitioner-focused, with case studies as opposed to rote memorization of the terminology that is table stakes for a case-study discussion
CISSP was a good fit for my 70-20-10 Career Development Plan and it might also be for yours.
On the thought-provoking, contrarian, anti-establishment themes, I see AKYLADE as disrupting the status quo, not perpetuating the problem.
Cynical, anti-corporate, uncharitable
CLAIM: Certification companies perpetuate the narrative that you need to be certified to be competent in order to profit.
CLAIM SUPPORT EVIDENCE:
- The certification and training industry generates over $200 billion in annual revenue. [5]
- Certification vendors often use marketing language implying their certs are necessary for career success. [6]
CLAIM REFUTATION EVIDENCE:
- While certifications are profitable, many vendors seem genuinely committed to developing quality training.
- No direct evidence provided of vendors making false claims about the necessity of certifications.
LOGICAL FALLACIES:
- Appeal to motive: Assumes profit motive means cert companies are acting in bad faith.
- Straw man: Misrepresents the claims and motives of certification vendors.
LABELS: Cynical, anti-corporate, uncharitable
On the cynical, anti-corporate, uncharitable side, I see AKYLADE as being authentic, wanting to make a positive impact and having the right motives. The company was founded because the bigger players they asked to change weren't prepared to.
But let’s hear directly from AKYLADE so you can judge for yourself.
🔍️ AKYLADE’s Point Of View
I caught up with AKYLADE on this topic and they provided the following points for students to consider.
Why Choose A/CCRF or A/CCRP Certification Over Just Undertaking the Training Courses?
While completing the training is undoubtedly valuable for skill development, earning the A/CCRF (Cyber Resilience Foundation) or A/CCRP (Cyber Resilience Practitioner) certification offers several key advantages that go beyond the knowledge gained:
1. Demonstrates Verified Experience
A certification proves to potential employers, clients, or peers that your skills and knowledge have been rigorously assessed and verified through a formal process. It’s not just about completing a course; it’s about demonstrating mastery.
On this point, in addition to the general skepticism about the "Certification Industrial Complex" which we covered above, a common counter-point I hear (including in CISSP surprise #5) is the limitations of multiple-choice tests.
Limitations of multiple-choice tests
With CSF training, I see room for multiple-choice tests to bring you cost, efficiency and effectiveness benefits within the narrow 10% education component of a Career Development Plan, because they can:
Reduce exam time
Make grading more objective, standardized, reliable and measurable
AKYLADE's Mastering Cyber Resilience training does not cover Security Operations Center techniques or Digital Forensics, where being hands-on-keyboard in a cyber range yields a much higher learning Return on Investment.
Also, while the Practitioner exam is technically multiple choice, it uses business case studies that require you to apply, analyze and evaluate (Bloom's levels 3-5) in real-world scenarios.
2. Future-Proofs Your Credentials
The A/CCRF and A/CCRP are designed around emerging frameworks like NIST CSF 2.0, positioning you at the forefront of cybersecurity practices. Although these certifications may not yet be "required" in job postings, they signal your commitment to staying ahead of the curve in a rapidly evolving industry.
I'd add that while the new A/CCRP may not yet appear on job postings, you will see "NIST Cybersecurity Framework" on job postings today; just try searching in your job portal of choice. Here's a GRC role AKYLADE posted to LinkedIn recently.
3. Sets You Apart in Competitive Markets
The certification differentiates you from those who have only completed the training. By holding a recognized credential, you can showcase dedication to professional growth and readiness to tackle complex challenges.
Completing a course is not the same as really understanding the material.
When you take a course, you usually just watch someone explain things. It's easy to nod along and think you understand. But you don't really know something until you can explain it yourself. Taking an exam forces you to explain things, if only to yourself.
Exams are hard for a reason: they make you prove you understand. It's not enough to kind of get it. You either know the material well enough to be certified or you don't. And the only way to find out is to try to get certified.
Sure, just taking a course is easier and cheaper than also getting certified. But like a lot of things that are easier and cheaper, it's ultimately a false economy. You're not saving money if you end up having to come back later and really learn this stuff.
Getting certified doesn't just prove to others that you know what you're doing. It proves it to yourself. Confidence is the real value to weigh against the cost. Once you've forced yourself to learn something well enough to be certified in it, you know you can rely on your knowledge. That confidence is visible to others too, and it can open doors.
4. Aligns with Industry Standards
The A/CCRF and A/CCRP are mapped to widely recognized frameworks and practices. This alignment ensures the certification remains relevant and credible as the industry continues to evolve.
5. Builds Long-Term Credibility
While established certifications like CISSP, CISA, or Security+ are great for broad recognition, niche certifications like A/CCRF and A/CCRP show a specialization that employers value. As these certifications grow in recognition, you will have already been part of the early adopters, reinforcing your reputation as a forward-thinking professional.
Imagine you're hiring someone, and you have two candidates, both of whom claim to be proficient in the subject of the job. One has taken a course. The other has taken a course and then passed a test about it. Which would you hire?
It's the same with peers and clients. People can tell the difference between someone who has learned something from a course and someone who really knows it in their bones. Getting certified is what puts you in the second group.
6. Practical and Affordable
Compared to other certifications in the industry, A/CCRF and A/CCRP offer significant value at a more accessible price point. This allows professionals to upskill without overburdening their budgets while maintaining high-quality, actionable knowledge.
Cost comparison from GRC Certification Roadmap
Renewal fee comparison
Organization | Cert | Annual Dues (USD) |
---|---|---|
ISACA | CISA | $185 ($145 Membership + $45 Maintenance) |
ISC2 | CISSP | $135 |
CPA Ontario (and Canada) | CPA | $621 |
AKYLADE | CCRF, CCRP, CRMF, CRMP | $17 ($50 every third year) |
Comparable CSF Training from ISACA $299-$399
Comparable CSF training, e.g. for Continuing Professional Education credits while maintaining a CISA or CISM:
7. Signals Professional Commitment
Earning the certification, rather than stopping at the training, demonstrates that you take your career seriously. It communicates that you’re willing to go the extra mile to validate your expertise and hold yourself accountable to industry standards.
There are other ways you can demonstrate your ability to commit to and follow through on big challenges, like starting a YouTube channel, an independent business, a non-profit and many more. A benefit of degrees and certifications is that they are time-bound, with a defined, tangible outcome.
Also keep in mind that the Return on Investment for your education might not be immediate; it can come years later. This was especially the case for me with:
CISA: When I got it for financial IT auditing I hadn't even heard the term cybersecurity GRC
MBA: The skills helped immediately, but from a job application perspective, hiring managers weren't considering me for management positions when I got it
8. Industry Recognition
While not yet as widely recognized as certifications like Security+ or CEH, A/CCRF and A/CCRP are still built to meet the ISO/IEC 17024 standards. Achieving this accreditation involves rigorous external validation, ensuring the certifications meet high-quality benchmarks. AKYLADE is in the process of this external validation and expects it to be done in early 2025. Once accredited, these certifications are expected to gain broader acceptance and will be included in certification frameworks like the United States Department of Defense's DoD 8140.01m list, which enhances their value in the job market both within the government and its contractors.
9. Bottom-Line
Certifications like A/CCRF and A/CCRP may not yet dominate job descriptions, but they represent a proactive investment in your professional development. They help bridge the gap between theoretical knowledge and demonstrated competency, ensuring you’re prepared not only for current demands but also for future industry trends.