While I have been using and learning computers since 1979, by my own definition I only became a real IT Professional when I passed my first certification exam in 2003. At that time I was already aware of a lot of people in the business who were… less than reputable. When I went out on my own as an independent consultant I learned quickly that a lot of businesses had been burned by the last guy… possibly shady characters, possibly people who just bit off more than they could chew and were in over their heads. Whether intentionally or not, both sorts fleeced the customer – with often tens of thousands of the business’ dollars already paid, they walked away – disappeared without a trace. It did not matter what credentials the swindler (or not) might have had… outside of the legal system, there was no board or council that could reprimand them.
I vowed that I would never be one of them.
In 2006 I earned the credential Microsoft Certified Trainer… and have held that ever since. When I was sent my first contract for a training engagement I read it from top to bottom. I was intimidated that it set expectations for high instructor evaluation scores, and that if those minimum expectations were not met then the training company did not have to pay me. I was relieved that I did well and was subsequently paid for my work. I realized that the training company that had that clause was in the minority, and that most of them just expected you to do well, and if you did not I suppose they would just not hire you back. Fortunately I have maintained consistently high evals throughout my years of teaching but I have heard horror stories from students who had taken a class in which the teacher was simply reading a script, but likely had no experience with or understanding of the technology. I have always thought that to be immoral, but again there is no body that students (or training providers who hired them) can complain to in order that action be taken.
I sat (and failed) my first certification exam in 2001 and it was not until my 104th exam – Certified in Cybersecurity from ISC2 – that I realized there was another way. It was the first exam I had ever passed without being immediately certified. I was required to pay the Annual Membership Fee (okay, no problem)… and I had to agree to the ISC2 Code of Ethics. To be clear, the Code of Ethics has been in place since 1989, and has been a core requirement for all certified members since the very beginning.
The code of ethics consists of four canons:
- Protect society, the common good, necessary public trust and confidence, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
The code of ethics states that if you act dishonestly or dishonorably then there will be consequences. There is a standing committee at ISC2 that addresses complaints (see Professional Conduct (Ethics) Committee). They review candidates before they are granted membership in ISC2, and they review ethics complaints brought against members. They also handle a slew of other ethical and conduct issues that can arise in our industry.
But why does it matter?
Never before has cybersecurity been so crucial to our lives, but especially to the businesses and organizations that run IT systems. When hiring, these companies specifically ask for up-to-date certifications, and the number of job postings that require CISSP or CCSP or other ISC2 certifications is growing. To have these certifications stripped can mean a huge drop in potential income. The number of job opportunities I have seen in the last week that I could not apply for because it clearly asked: ‘Do you currently hold a valid CISSP certification?’ is significant… and no, I did not say ‘Yes.’ There is no option to say ‘I do not have it now, but I passed the exam and my certification should be approved within a few weeks.’ Saying yes would be a lie… and against the code.
I have warned my students for nearly twenty years that cheating on an exam could result in their having their certifications stripped. I have seen it happen. What I have never been able to say is ‘If you are dishonest then you can have your certifications stripped.’ I have always wished it were so. With ISC2 it is exactly thus.
I will never know first-hand what it is like to be stripped of my credentials because I have always acted honourably and with integrity. I am sure it has happened to others though… in fact, as I write this paragraph, I looked into it on Google and came back with several hits, including a Reddit post from someone who had received his ‘Provisional Pass’ from the exam centre, and then was forensically stripped of the cert for cheating on the exam. Aside from the professional hit of not being able to claim the credential, the shame of having it stripped must be horrible.
While I wish there was a Code of Ethics for the IT Professional that we all need to follow, and violation thereof could mean losing our livelihood, I know that will never happen. It is just not viable, especially when one man’s ethical lapse is another man’s professional triumph (as we learn from the cyber threat actors in the employ of governments who pay them a salary for what most would consider unethical if not criminal activity). You do not need a license to be an IT professional; certifications are qualifications but nothing more. If I knew everything that I know about the Microsoft 365 ecosystem but I did not hold the certifications, that would not preclude me in any way from implementing, managing, and securing desktop computers… I would simply not have a piece of paper saying that I knew how to do it and had passed exams to prove it.
Certifications are often how companies narrow down the pool of applicants for a position: ‘Do you hold the following certifications?’ Or, if they are receiving CVs from candidates, they filter by keywords – MCSE or CISSP or Network+ or whatever their criteria are. I have always believed them to be extremely valuable, but they do not always mean that one IT pro knows more than the other. Once you have them… well, that’s it. Over the last decade or so certifying bodies have evolved so that certifications expire, and that is a huge leap forward… every year I have to prove that my knowledge of Microsoft Windows, Intune, Entra, Azure, and a slew of other offerings is current. With CompTIA I need to earn a certain number of Continuing Education Units (CEUs) every three years. With ISC2 I need to earn a certain number of Continuing Professional Education (CPE) credits for each of my certifications. All of this to prove that I am current.
I will always be a Microsoft Certified Systems Engineer (MCSE)… and when claiming that I am not required to disclose that it is on Windows Server 2003. That was the last version of Windows for which the credential was offered. I have in the past vetted candidates for jobs whose CVs clearly claimed that they were MCSEs… and even fifteen years ago the MCSE on Windows NT4 was obsolete.
These are reasons why expiring certifications, or at least certs requiring us to stay current or lose them, are such a great advancement for the industry which, let’s face it, has not always had the greatest reputation. Why, you ask, is that the case? It goes back to the premise of this article… we are not bound to a professional association that accredits us. This is why, at least in the cybersecurity world, the ISC2 Code of Ethics is such a great requirement. If you act in bad faith then you can lose your certification.
If you have been reading this blog since the beginning then you know that in the early days I was a huge advocate for Microsoft, and would eventually go on to have a very close relationship with that company. Do not expect me to be a long-term evangelist for ISC2… but expect me to be a member for as long as I am in the industry.