Fresh Thoughts #16: Risk Is Part of Business & Why Certification Is Not the Goal

Empty Mason jar sat on a table

Risk Is Part of Business and Everyday Life

Here are the 4 ways to deal with it:

  • reduce: make changes, so the risk is smaller
  • transfer: push the risk to someone else (insurance)
  • avoid: just don't do it
  • accept: just do it anyway, “it'll be ok…”

Pick one.

Or combine reduction with one of the others.

Why Security Certification Is Not the Goal

Earlier this month, my son got his 10m swimming certificate. Watching from the sidelines, I was ready. Big smile. High-five.

At the end of his lesson, he rushed over and said… "Here. Have that." before jumping back into the pool like a cannonball. That was it.

But this was important. It was recognition of the first time swimming 10m without any help. This was 3 years of effort learning to swim to get to this point.

What's going on?

Like many 5-year-olds, my son is a massive fan of Octonauts. A cartoon about Captain Barnacles and his team of scientists and adventurers. Travelling the oceans rescuing sea creatures from imminent peril.

There is a lot to learn with 130 episodes – each one about a different creature. Of course, my son's favourite is Humuhumunukunukuapua'a (aka. the reef triggerfish) - because his mum and dad practised the pronunciation for weeks.

So why didn't he care about the 10m swimming certificate?

Because he has a bigger goal. To go snorkelling on a reef and see all the creatures he's learnt about.

A piece of paper saying he could swim 10m is lovely. But it's no more than a milestone to say he is getting closer to his snorkelling adventure.

It left me wondering - Is a certificate really the goal?

This reminded me of the criticisms levelled at security certification programs.

  • You're CISSP - doesn't mean you're any good at security
  • You've got Cyber Essentials, ISO-27001 - only means you were secure once.... when the auditor was looking.

I can't disagree. But these ideas miss the point.

CISSP is just a way to say - I have studied 8 areas of cybersecurity, and you know them well enough to pass a 6-hour exam. And you've kept up with 40 hours of professional development each year.

Cyber Essentials and ISO-27001 certificates mean you've actually done something to improve security... not simply talked about it.

These certificates are milestones. Not goals.

May 24, 2022
2 Minutes Read

Fresh Thoughts to Your Inbox

Fresh perspectives on cybersecurity every Tuesday. Real stories, analytical insights, and a slash through buzzwords.

We'll never share your email.

Related Reads

dropped ice cream

Fresh Thoughts #11: Risk Assessment Mistakes & Do You Need More Security?

The biggest mistake I made on my first risk assessment? It was too detailed. I documented every possible way...

Subscribe to Fresh Thoughts

Our weekly newsletter brings you cybersecurity stories and insights. The insights that help you cut through the bull.

We'll never share your email.


Fresh Security Support

Your Questions


Fresh Sec Limited

Call: +44 (0)203 9255868