Sunday, May 13, 2007

Certifiable

A man who carries a cat by the tail learns something he can learn in no other way. ~Mark Twain

According to this article from Computerworld, there are people cheating on technology certification exams. Next they will bring us the bulletin that rain is wet. Exam cheats may be more organized now; it may even be more widespread (although that would be hard to imagine); but it is nothing new.

For the uninitiated, companies like Microsoft, Novell, and Cisco, and third-party organizations, have been offering certification exams for almost as long as computing has been around. The idea was really three-fold, I think. First, it gave someone a roadmap on learning the ins and outs of the company's products. Second, it gave those companies an advantage in that practitioners who had taken the effort to get certified would be inclined to want to use those products. Finally, employers looking for technology-savvy people would specify certifications that would fit their environment.

Nice plan, but execution has been somewhat lacking.

First of all, many people seeking certifications didn't care for the most part whether they knew anything or not. They weren't looking to gain expertise; they wanted a certification to put on their resume. The companies, more interested in pushing product than creating knowledgeable professionals, partnered up with publishers and training companies to provide example exams, making it easier to get certified without actually learning anything.

To add to the problem, people who took the tests gleefully posted the questions online for free. The certifying companies cracked down on web sites that allowed this, and it seemed to have some effect. Now it seems that the Asian market has figured out how to make a buck swiping exams and selling the answers to anyone with the money to buy them.

I have some experience in the matter of certifications. I have Novell and Microsoft certifications, which I obtained after working in the field for several years. The only reason I bothered to get them was because employers seemed to be impressed by them. I wasn't, but I preferred to be employed.

The problem is that courses are geared not toward learning the subtleties of, say, operating systems. They are purely geared toward passing certification exams. As I said, training companies, with the blessing of the certifying companies, provide sample exams, some of which are remarkably close to the real thing. There are also publishers who specialize in books related to certification exams, which also contain practice tests. Some of these are frighteningly similar to the actual test.

Some years ago, I was taking the exam for Microsoft Exchange, which was the last one I needed for my Microsoft Certified Systems Engineer (MCSE) certification. I used a book by a company I will not name (to protect the guilty). Exchange is a massive and complex mail system. A test about it could go in so many directions, and the study book was so massive I was concerned that I wouldn't pick up on the most important items.

The book did, however, come with a "practice exam", which I must have taken twenty times. Which turned out to be a very smart thing to do. When I took the Microsoft exam, I was surprised when the first question turned out to be word-for-word what one of the practice exam questions had been. So was the second. So was the third. Even the multiple choice answers (right and wrong) were the same. The only difference was the order in which they were given.

It took me ten minutes to complete the exam and get my certification.

Now, I find it hard to believe that Microsoft was unaware of this, since this publisher put out a lot of Microsoft course books. Apparently it was more important to Microsoft to get people certified in their products than it was to have people who were knowledgeable about their products.

I'm not just picking on Microsoft here; Novell practice exams provided by a certain training company were also frighteningly accurate.

There is a definite problem in the technology profession where this whole certification process is involved. If employers are really relying on applicants' certification status as a screening tool, they aren't necessarily getting the most qualified people.

As long as training courses are geared toward passing exams, they don't really provide information about the things that go wrong and how to fix them. Troubleshooting is seldom a factor in any certification curriculum (the Cisco CCIE is an exception to this, being one of the toughest certifications to obtain). Worse, technology is making it easier to prepare for a test without learning anything.

The irony, of course, is that the foundation for the technology that allows this to happen was developed by geeks who knew technology inside and out, most of whom did so before certifications were ever available. It is creating a population of technology "professionals" who are ill-equipped to handle the complexity of networking and security in the 21st century.

The results of this are being seen daily in reports of hacked customer databases. Network security is being set up using default modes; software is designed using developer interfaces that hide the complexities of code from the software writers.

There are still IT pros out there, in networking and software development, who know what's going on and how to deal with it, but they are fighting a losing battle against the crackers who are able to create massive botnets thanks to exposed systems created by all those certified "professionals". Not all crackers are computer geniuses, but there are enough of them to have provided tools for the less competent crooks to ply their trade.

The irony is that, for the most part, those accomplished crackers never wasted time getting certifications.
