Security Certifications

Mon, 06 Oct 2008 16:33:37 GMT
by pdp

Security Certifications - should you get some? Well, this is what I think.

IMHO if you go for a certificate then you pretty much put a box around yourself and your abilities. I am sorry, this is my personal opinion. People will perceive you as such and such because of your certifications. While having a cert might be a good idea for your career and in particular your CV, showing off with it could be a bit harmful. I am not saying that you shouldn't get certified. I am saying that most people get certified because of the certificate and not the knowledge they get with it. Everybody knows that and it is hard to convince people otherwise. And this is the main reason why security certifications are significantly devalued over time, apart from the fact that security knowledge needs to be constantly updated. The more people get certified, the less valuable certifications are.

What about CISSP? CISSP can certainly help you get a good understanding of security processes, but when it comes to real-world security what matters the most is your experience. Anything else is irrelevant. At the end of the day you have to solve someone's problems. Well, in order to pass CISSP you do need to have some experience in the field, at least on paper.

The bottom line is - if you want to make a career in the infosec industry then getting a certification might not be such a bad idea. Just be honest that you've got the certificate for the certificate itself. :) I hope that this post helps.

Archived Comments

I have the same opinion on this. In my country there is one big company which hired four people with certs. The company now writes everywhere that they have some people who know security best in the world. I made a couple of security audits on their sites and it's poor, but it's business. As you wrote, if you have it on your CV, it's something more than someone who is better than you but doesn't have any stupid and expensive cert.
Daniel Miessler
I did a write-up of the various infosec certs here: My thoughts are that certs show very little knowledge on the part of the candidate. They're little more than HR tools. Here's the bottom-line: "The value of a certification is exactly the value that others place on it--no more, no less. If you're interested in the actual value of a given cert, check the job sites, call your recruiter friends, and talk to hiring managers. Just as with currency exchange rates, the only way to determine "true" value is to see how much others are willing to pay for it."
Geoff (Ghost) Chim
I agree most people in Security don't understand the truth. Mankind will always behave the same; the Internet is just another dimension. As I mentioned to you and AP about my concept of Hack Fu years ago, a technique is just a technique, just another way of expressing it. People who have lots of professional certifications only show they are good at memorizing brain dumps and putting the same answers in exams. It is nothing more than showing they remember the Kata, forms or Routines like in Karate and Kung Fu. But in real combat, Kata, forms and Routines will not protect you from real combat or warfare, where the bad guys will not follow the same rules.
Certification in IT is like a university degree - it shows that according to some organization you are supposed to have certain skills and to have acquired certain knowledge in a field. It doesn't do anything more than that. Every self-respecting employer will test your skills regardless of how many degrees, certificates, recommendations etc. you have. And I think that this is right and this is the way to do it (until certificate organizations and universities reduce their scrap rate to zero). Such documents can help you get through only the first round. After that, you are on your own. But having them for their own sake is stupid and useless.
I generally agree, especially with regard to CISSP. I'm sure there are some excellent practitioners with the CISSP, but most that I have met have very little real-world understanding of technology. A possible exception is SANS in that the training is extremely beneficial even if you don't get the certification. With things like CISSP and CISA, you are training specifically to get the certification. With SANS (at least in my experience), you are training to actually improve your skills. If you pass the certification, at least I know you were tested over useful information and not the usage of buzzwords.
Adrian 'pagvac' Pastor
In short, my view is that there is nothing like experience/skills. However, once you acquire the skills to excel at your profession, it wouldn't hurt to get some certs. Why? Because some people believe in it. Sometimes you gotta give people what they want. Just like when you wanna get an A on a test: you simply answer the questions the way the teacher wants, even if you don't agree with him/her. I say get the best of both worlds (certs + real skills), can't go wrong. But mostly, make sure you know your stuff so you can look at yourself in the mirror.
Steve Jones
Having a certification on your resume will: 1) bring your resume to the attention of the recruiter who searches on that particular certification; 2) put you ahead of the other guy who doesn't have it on his resume, especially if it is a requirement for the position; 3) show prospective employers you had both the nous and the ability to get it. Bottom line? If a particular certification is going to get you an interview which may lead to a job you want, having it is a no-brainer. Get the cert first - the experience will come when you have the job. If you already have the experience, you probably don't need the cert, but it will still help you get noticed in a recruiter's search. Someone mentioned university degrees here. Most of them aren't worth the paper they are written on, but if you're just starting out, try getting a job these days without one.
Certificates are a key to open up job opportunities. If you haven't got the required certificates, you can have all the experience and skills and self-confidence you want, but you're not getting in. They're keys and tools, and I thank you for stating the obvious in such a clear fashion :)
param, I am sorry but I do not agree. Certifications provide a false sense of knowledge to the employer. And I can assure you that there are people with no certifications who make the average security consultant's yearly salary in two weeks. Certifications are designed for two reasons: control and a false sense of equality. Again, it is a personal choice. In a similar way you can make a lot of money from the falling stock market right now, but most people don't do it. It is a matter of personal choice and also lack of understanding about how things actually work. To wrap up, certifications together with college/university diplomas provide no assurance that the person who has them is employable or can provide any value whatsoever.
pdp, somehow I understand what you are saying about security certificates. But I believe that if you combine a security certificate and work experience with a good reputation, then you are kind of in clear water. In any case, if someone is going to hire a (senior) security officer, he/she will examine the candidate's background etc. No one should hire people just because he/she holds some certificate; you have to have some other information that supports the information which you get from the candidate. So in that light I think security certificates are good.
In my opinion... certifications are just a "paper" that you show to the market when you are searching for a job or during an evaluation. In time, if you really have skills in information security, and people know you from some cases that you have been involved in in the past, the opportunities will come to you - it's just a question of time. You will have a name one day. To sum up, they are just a paper to prove that you are able to do something when nobody knows you. But everybody knows that some people don't need certifications to know some things and be a good professional.
Drexx Laggui
Certifications are useless as a claim to fame that one is "the best" or "the elite" in the infosec industry. A lot of CISSPs and CISMs out there are merely infosec linguists... they can't even printf "Hello World" even if there was a gun pointed at their head, much less tell the difference between a CX and BX 8086 register --the point being that a pentest or similar risk assessment program may have a highly inaccurate "expert" understanding, which will result in a misguided professional opinion about the real risks an organization is exposed to, if the certified infosec professional is just a philologist (one who can talk the "talk" but can't walk the "walk"). However, for us in SE Asia, certifications can mean having contracts, or being a starving pentester (I know this only too well). Certs are a great marketing tool --and they can help get you through the first door. And that's all you need really, just to be given the one chance to prove yourself worthy with your electronic ninjutsu. Once you've done that, and have gone on to become a 10th-dan cyber ninja, only then can people see you as out of that "box around yourself".