Professional Certifications & Information Asymmetry

This is a topic I’ve been meaning to write about for a while. I’d love to receive feedback on it: please, let me know your thoughts… (It got a little long, so bear with me.)

One of the most debated topics at the professional gatherings I attend, be they physical (conferences, meetups, …) or virtual (Twitter, LinkedIn, …), is professional certifications. CISSP, SANS, CCIE, CCxP, Microsoft, VMware, … you name it, there are discussions about it. Do any of these sound familiar?
  • “Should I get <insert cert name>?”
  • “Is <insert cert name> a good cert to have?”
  • “Why does HR insist on having <insert cert name> as requirement even though I know WAY more than that?”
  • “Wondering if I should keep my <insert cert name> or let it lapse”
  • “What do I need to do to pass <insert cert name>? Any brain dumps? ;-)”

Please note: For many of the points below, one can almost replace “certification” with “degree”. The discussion of whether or not to get a degree – College, Bachelors, Post-Graduate, … – is, in my opinion, deeper than the certification one, with much more significant implications. Let’s treat that one separately, shall we? Baby steps…

I think looking at this issue from the perspective of information economics helps us tremendously, particularly the notion of Information Asymmetry.

In any economic transaction, information asymmetry is the notion that parties in a transaction have different information given their roles, and that each will alter their behavior to maximize their own utility. As a buyer, you may not know as much about the quality of the product you’re buying as the seller does. However, as a seller, you don’t know how much the buyer is willing to pay for the goods you’re selling, or even if they can actually pay for them.

This is no judgement on either party, but an inherent characteristic of the economic transaction itself: only you know how badly you want a particular car, just as the previous owner of the car knows how well it’s been taken care of over the years.

There are two key mechanisms – signaling and screening – that can be used to reduce information asymmetry:
  • The ‘over-informed’ party can SIGNAL to the under-informed party by presenting information that attempts to resolve the asymmetry. Examples: “this is a ‘certified pre-owned’” or “here is my latest pay stub to show that I’m good for credit”.
  • The ‘under-informed’ party can SCREEN the over-informed party by asking for information or offering choices that force the other to reveal that information. Examples: “give me three references from your career”, “show me your insurance policy against errors & omissions”.

It is also important to recognize that there is a cost associated with both signaling and screening, and that this cost can be a signal in its own right. A signal that is known to be expensive to generate might be interpreted as a stronger signal of commitment, and a complicated screening process might indicate the level of importance of the decision, and therefore the value of whatever is being bought.

The study of information asymmetry has been worthy of Nobel prizes – George Akerlof, Joseph Stiglitz, and Michael Spence shared the 2001 Economics prize on this topic. At the risk of sounding geeky, I think this is truly fascinating stuff…

With this in mind, we can shift the discussion to professional certifications, treating them as a potential means of resolving information asymmetry. They can be used both as SIGNAL and SCREEN mechanisms:
  • “Here is my <insert cert name>” signals that you [possibly] have the skills/knowledge/experience associated with that cert.
  • “This position requires <insert cert name>” is a screening mechanism meant to easily (from the point of view of the recruiter) winnow out candidates that have a low likelihood of having the necessary skills/knowledge/experience. It forces candidates to demonstrate at least some commitment to that area.

This is by no means a perfect solution, as several flaws can arise if one relies on certification alone:
  • the content of a certification may not be relevant to the true skills/knowledge/experience required, but may still be considered adequate or even required.
  • the certification process may be broken and allow those without the skills/knowledge/experience required to still obtain the certification.
  • the cost of obtaining the certification may become an impediment and artificially screen out candidates that would otherwise be suitable.
  • and so on…

Nevertheless, they are useful heuristics to be applied to the true problem at hand: reducing information asymmetry. If we focus on that, we can provide better advice. Let’s try to put that to practical use…

“Should I get <insert cert name>?”
This is the most common question, and one that has to be unpacked. “WHY” do you want to have the certification? It’ll likely boil down to one of these reasons:
  • The certification is part of a formal gate in a process: be it a promotion, formal tender, partner requirements, etc… In this case it’s pretty simple: if you [often] find yourself in that formal process and you want to continue, get the certification.
  • The certification is to be used as an informal roadmap for learning. I do this often (see disclosure below). In that case, ask yourself: how high is the marginal cost of actually obtaining the certification after your studying is done? If you look at the cert as a roadmap, study a lot, then just need a simple exam after, it may be worth actually getting it. If, on the other hand, the preparation for the actual certification is arduous and/or the exam is expensive (CCIE/CCDE, VCIX/VCDX, SANS GSE come to mind) then, maybe, you may choose to skip it.
  • The certification “will help in getting something (job, position)” but is not formally required. This is where the “information asymmetry” shows up and you can reframe the question as “can I resolve the information asymmetry in another way?”. If you’re a professional hoping to break into a new field (regardless of this being your first job or just a career transition), a certification may help. If, on the other hand, you have a meaningful alternative – maybe recommendations, a portfolio, blog posts, professional reputation, … – then that certification may not be necessary.

I think this last point is key. Too often we see two problems:
  • Those that think the certification is “necessary & sufficient” for a role, when in fact recruiters look at the cert as “just a signal”. Unfortunately, those candidates are often vulnerable to aggressive and potentially misleading advertising from those offering certifications or prep courses.
  • Those unceremoniously dismissing the certification as “useless”. I think they often do it because they themselves have – consciously or not – enough experience/reputation to resolve the information asymmetry, but fail to see how someone breaking into the field might not be as fortunate.

“Is <insert cert name> a good cert?”
I see this as a variation of the first question. Here, the question is focused on the cert itself, rather than on your intended use for it. As before, the answer follows similar options:
  • Is the cert used widely in industry as a gate process or generally respected in something you take part in often? Might be a good cert to have.
  • Does the cert provide a good roadmap of self-learning? Might be worth pursuing. Here I mention that while I never got my CCIE, I used the blueprints as a reference of topics to brush up on in network security.
  • Finally, for “having the cert just in case”, it is helpful to think about it in terms of “how well does this certification resolve the underlying information asymmetry?” If you’re trying to signal broad understanding of an area, getting a specialized certification may not be as helpful. The reverse is true, of course: a generalized cert is useless if your signal is meant to be about a specific area. Also, keep in mind the value that industry/market places on the cert as a good signal mechanism. Things change over time…

“Why does HR insist on having <insert cert name> as requirement even though I know WAY more than that?”

HR does this because that certification has been, in their opinion, a useful heuristic to screen candidates. It may not be accurate from your perspective, but HR is making the rational decision that the cost of screening candidates via their certification signal is a good trade-off for the value they are getting. It’s not personal, it’s not stupid, it’s basic economics.

Whether this is a big issue for a candidate depends on how much flexibility they have with the hiring process. If you’re being formally evaluated with a broad pool of possible candidates, you may have little choice but to go for it. If, on the other hand, you have both another way of resolving the asymmetry implied by requiring the cert AND the flexibility in the process (maybe you know the hiring manager and can bypass that requirement), go ahead and try that.

“I’m wondering if I should keep my <insert cert name> or let it lapse”

In this case, reframe it as “do the benefits of choosing to send this signal outweigh my own individual cost”? The cost may be clearly monetary or primarily the time needed.

If you’re a more experienced professional, thinking of “can I resolve the information asymmetry in another way?” also helps. Maybe you let your professional certification lapse, but you have a portfolio of blog posts, community participation, public code, … that are alternatives for showing what the certification was meant to show. It may be OK to let go of your introductory-level certification in a field where you can show expertise differently…

“What do I need to do to pass <insert cert name>? Any brain dumps? ;-)”
I wanted to comment on brain dumps. Personally, I think brain dumps are against the spirit of certifications, if not the letter. From an economic perspective, if a certification is somewhat easily obtainable by those resorting to brain dumps, expect the following to happen:
  • the value of having that particular cert as a valid signal may diminish.
  • the screening effort will increase, both from the certification provider as well as potential employers. We see this happening with more stringent testing requirements, perhaps more obscure questions (in both testing and interviews), all of which raise the cost of the screening itself. Expect that cost increase to manifest itself in more expensive exam fees, or even more stressful hiring processes…

Wrapping up
I think bringing a mindset of “looking at the economics of it” brings a different perspective to the debate about certifications:
  • Understanding certifications as both signal and screen mechanisms.
  • Considering the “transaction costs” and “opportunity costs” of both obtaining the certification OR using it as a screening mechanism.

Hoping this contributes a bit as one considers which certs to embark on, or which certs to list in those job descriptions…


For my own career, I’ve let many certs lapse, not because they were good or bad, but because I evaluated that my personalized “signaling” cost (i.e. keeping the certification) was too expensive given the expected benefit. Others I plan to keep, since either the signaling cost is low enough, or they offer other benefits (tangible or not) that I value…

For the record, I cherish my CISSP designation. It means a lot to me, not so much for the technical knowledge itself (it was over 15 years ago…) or the inherent signal (many have it, and it has many supporters & detractors), but for reminding me of the never-ending quest to bring excellence to the InfoSec profession.

Finally, as a lifelong learner, I like to look at certifications as a rough guide to the common knowledge of a particular area. I may choose to just review the blueprint/requirements and guide my own studies along those lines. In some cases, I may go further and consider acquiring the certification as a personal goal or as a ‘sanity check’ that I do indeed have the minimum knowledge. After all, I’m always aware of the dangers of the Dunning-Kruger effect, though not always able to avoid it.


3 thoughts on “Professional Certifications & Information Asymmetry”

  1. George Pajari (@PajariHoots) January 10, 2016 / 8:03 pm

    Excellent discussion of the issue. I would reinforce the benefit of using the certification guide as an outline for one’s self-study program regardless of whether or not one intends on writing the actual exam. In most cases these certification guides represent a lot of careful work by industry professionals in describing the body of knowledge that practitioners in that area ought to be familiar with. Using that as a roadmap to improving one’s knowledge is a good way to avoid significant gaps in one’s self-education.

