Certifications are good; Licenses are bad

An ongoing meme (am I using this word right?) in the security world is what value certifications have – whether it be the CISSP or Certified ASS. Certifications act as signals that we have some combination of skill, experience, and knowledge in applicable areas. They certainly aren't intended to demonstrate anything other than an initial level of expertise and act as a decent filter. I generally support certifications as a kind of short-hand approach to setting expectations about background knowledge.

On the other hand, licenses are a whole different ball game. Licenses are designed as a barrier to entry and really don't signify anything other than certifications. However, the implication is that they will become a requirement. I feel like Robin Hanson when it comes to licenses:

This is completely inadequate as an economic argument, and I expect economists would pretty strongly agree that neither economic theory nor data on net supports such regulations. But economists almost never actually speak up about them, and they continue to grow. Why?

My colleagues tell me that it would just seem silly to make a fuss over this; it is just not a serious topic. Yes we can't take seriously the idea of legally requiring a college degree to suggest where pillows go, but we also can't take seriously an economist who would focus on such a trivial and obvious point. Economists are supposed to talk about serious, important, difficult topics, you see.

Which saddens me more than I can say.

1 comment for “Certifications are good; Licenses are bad”

  1. April 15, 2009 at 12:06 pm

    Licenses wouldn’t be a bad thing if software engineering/security engineering were a “profession” rather than just a “job” to many. I think that if we (could) have the same level of “due care” or “professional standards” that other professions like structural engineers, lawyers, various medical professionals, we’d have a “step up” on the quality of what we see.

    However, because of our relative immaturity as a profession (we’re what, 60 years old as a “profession” in software right now?), this isn’t right to even *think* about this IMO right now – we have too many other challenges and need to define the profession more. This is a whole new can of worms that is a separate discussion :)

    I don’t see licenses as a barrier to entry – more the case of “the person who has this license will do/meet at least this level of work”, and a “standard of conduct” which I think would help. Many certificates I see out there are practically useless for many reasons (rote learning is a big one for me). Having an apprenticeship scheme is an interesting idea
