Experience vs Certifications

    • #6614
      lorddicranius
      Participant

      Great article by Sil:

      https://www.infosecisland.com/blogview/15226-I-Am-Certified-You-Are-Secured.html

      So I’ve been studying various aspects of security so that I can get into a security career.  As soon as I started listening in on the infosec community chatter, this is something I’ve heard a lot about: ‘certifications are not the end all, be all; one must have the experience to back it up.’  Yet, these seemed counter to what I was seeing in job postings.  I’ve seen it here on the forums too when people ask questions about certifications.  ‘These certs will give you some great experience in this or that, these will get you past the HR filter.’

      How do we as an industry change that, or can we?  While I’m very passionate about getting into a security career, forking over all that money to get a number of certs and keep them up to date just doesn’t jive with me.  When I separated from the military after 3.5 years as a sysadmin and experience in security, I had the hardest time finding a civilian sysadmin gig.  I ended up working at a help desk, then after a year I decided to get my Net+, Sec+ and Linux+ (without the use of study guides, mind you – the knowledge was already there) just so that I could get a call back regarding a sysadmin/netadmin position (and it worked).

      How does one go about proving they’re qualified with previous experience on a resume to get past that HR filter?  I’d assume that after you get past the HR filter, you can explain your previous work experience and the home lab you use to explore various technologies on your own dime and time…but there’s that damned HR filter in the way…

      Anyway, just trying to stir up some conversation here.  I know I’m not the only one who’s trying to break into the industry that’s frustrated with this (not to mention those who are already in the industry that think it’s BS).

      Sidenote: Lee Kushner of InfoSecLeaders (teamed up with Mike Murray) is doing a workshop at BlackHat on careers in infosec.  If anybody here goes to that, I’d love to hear what was talked about.  He’ll be presenting the results of their latest survey on the value of infosec certs too.

    • #41019
      hell_razor
      Participant

      This article did strike a nerve, so I suppose it was targeted at people like me.  Here goes…

      To me, there are two different stories Sil speaks of in his article.

      The first story involves HR using certifications as a barrier to entry of employment.  The second story is that people put too much value on certifications and not enough value in results.

      As a hiring manager, I ask HR to look for industry certificates in the field I am hiring for.  I may not specifically ask for CIS(A/M), CISSP, or CCIE certifications or degrees, but I do expect to see something there.  I do not hire based on the certification, but it does allow me to filter out candidates without having to manually review hundreds to find the gem that would otherwise fall out.  In a perfect world, I would love to have the time to review every application sent, but the real world has limited resources, my time included.  I need an easy, predictable (if not ideal) way to sort applications and filter how many I receive simply due to time management.

      I am not impressed because a candidate has one or more of the certificates I expected or hoped to see until I have interviewed them and determined their technical skill level as it related to the position I am filling.  A certification will not prove to me that they have the ability to actually apply the knowledge they learned or that they even still have the knowledge, but the interview will hopefully show them whether or not they are qualified (and if it doesn’t I clue them in as politely as possible).

      Again, my hiring decision is not based or even related to the certification(s) they may or may not have.  It is a cost of admission, though.  If a great candidate otherwise has no certifications they may well be capable of doing the work.  They may have a multitude of reasons they could not get some certification or degree (lack of experience, lack of money, whatever the issue is), but the fact remains that they have not taken the opportunity to invest in themselves to make themselves more marketable, even if it adds little or no technical skill.  If someone comes in with no experience, but has a couple of relevant certifications, and does a good job on the technical (and non-technical – don’t forget about this part) interviews, then I would not hesitate to hire them.  If a candidate applies, has nothing to put on a resume to show me how important setting themselves apart or bettering themselves is, then I probably do not have a reason to interview them, all things being equal.

      This works for me in this economy and situation.  If things change, and it appears they will, we may end up with more security openings in the industry than we have applicants, things may change.  We may have to lower the threshold of applicants to review because we have more time available to review each applicant.  In that situation, I will adjust requirements accordingly.  There is a huge difference between wading through 100 applications than there is 1,000 applicants.

      The second point in Sil’s article, hiring consultants who appear qualified solely based on their certification rather than actual ability, is a similar shortcoming for the hiring manager.  That being said, if you are involved in a court case or being audited, right or wrong, you will get more traction if you have externally validated (read certified) staff than if you have self-taught, non-certified staff.  Now, some will whine that it is not fair, but life is not always fair.  Sometimes it just “is.”  Again, the point, though, is not to have a certification for window dressing but to really understand what is behind the window.

      For the people who have all heard of or know that have been hired solely based on their certification and not on their ability, is that really the fault of the employee?  Maybe.  Does it show an obvious problem in the hiring process?  Definitely.

      Sorry for the rant today and long post today, but I get tired of hearing the complaints.  Seriously, add a certificate or two to get in the door and consider it an investment in your future.

    • #41020
      hayabusa
      Participant

      I agree with both sides.  hell_razor does make a valid and understandable argument for his point, and sil also duly notes that the certification doesn’t ‘make the man’. I tend to side with sil, in my personal beliefs, but have to give a nod to hell_razor for the reality, at least in MOST cases.

      That said, I do agree, however, that having even simpler certs is worth getting the second look in interviews, even though, in the end, it might mean the lesser ‘truly qualified’ guys get a job.  While costly in many cases, at least it does truly BUY you a second glance… (literally buy, in many / most cases)

    • #41021
      tturner
      Participant

      I have a B.S. degree, 17+ years of exp in IT (only 6 or so in IT Security) and a truckload of certs (more than you see in my sig). When I interview, I find my certs become a topic of conversation for the interviewer far more frequently than my degree. My experience is gauged based on the questions I’m asked but I rarely have an interviewer ask me about a specific job unless it’s my current one. Certs on the other hand become a topic for discussion because the interviewer is often curious what all the letters after my name are for.

      The sad reality is that most of the jobs I interview for are conducted by hiring managers who do not understand what they need or what it is an infosec guy even does. Last 3 interviews I went on they got blinded by my certs and acted like giddy schoolchildren at the prospect of me working there when I know for a fact they have current staff that make me look like a moron. Certs are also the reason I suspect why I get at least 5 recruiter contacts weekly. It’s seriously messed up but whatever, I play the game like everyone else. It’s an investment in “me”.

    • #41022
      dbest
      Participant

      Certificates open doors for you in terms of job opportunities and it’s the experience that can help you win the job.

      The level of awareness in the company that is gonna be hiring you is something that needs to be considered as well.

      When I tend to look at resumes with loads of certs, I tend to get put off, but that’s just me. Sometimes it’s better to retain only the relevant certs on your resume and discuss the rest if required.

    • #41023
      nonexistententity
      Participant

      @tturner wrote:

      It’s seriously messed up but whatever, I play the game like everyone else. It’s an investment in “me”.

      I think tturner nailed it on the head here. I think the OP’s desire mirrors everyone who genuinely wants this industry to grow properly: to have those responsible for hiring InfoSec professionals looking for the right things. But the simple fact is, that’s not happening in the vast majority of cases.

      Experience is the most important thing any of us can possess to be good at our jobs and to be productive, contributing members of the Information Security community. But we still have to put food on the table and that generally requires playing the game to some degree. And I think if you actually attempt to derive value from the study process then a certification isn’t just a necessary evil.

      Great discussion, everyone!

      -N33

    • #41024
      tturner
      Participant

      @dbest wrote:

      When I tend to look at resumes with loads of certs, I tend to get put off, but that’s just me. Sometimes it’s better to retain only the relevant certs on your resume and discuss the rest if required.

      I completely understand that mentality and have in fact been turned down before because the prospective employer was concerned I would be too focused on getting my next cert and not enough on doing the job I was being paid for. It’s a valid concern I suppose but if you hire the right person and keep them engaged with relevant and exciting work then that’s usually not a problem.

      Most of the time people who have an issue with certs are old fogeys who “didnt have no goshdarned certifications back in my day, less’n your a M.D”, people who never invested in their own careers and are angry because they got overlooked in favor of a certified guy sometime in their past or people who actually have enough competence in the job tasks being interviewed for that they understand just how poorly certifications prepare the average worker to perform the job duties they will be engaged in. There are of course some exceptions here, but that’s been my experience.

      People are by and large judgmental in nature. We all have criteria we use to quickly evaluate a situation, person, place, etc. This is partly based on our personalities and what we are looking for as well as past negative and to a lesser degree, positive experiences. Most of us have had exposure to a “paper tiger” at some point in our careers and it’s easy to let that prejudice form future decisions. You will have mixed reactions because everyone is different. We all have different experiences and different requirements. So for one employer, my 15 or so certs is going to be a fantastic thing, and for another it’s not. There’s no reliable way of knowing before you apply to the job unless you have an inside track with the hiring manager and then it probably doesn’t matter what you put on your resume.

      My rule of thumb these days, is to put every credential and job on my resume that is *relevant* to the job I’m applying for. I don’t include my A+ or my iNetvu Satellite Repair Technician or my 27 FEMA/ICS/CDC/Red Cross certs on resumes for security jobs but I definitely put all the security related ones as well as some others depending on the exact nature of the position. Pentest job probably does not care about ITIL, but for the security manager job it’s probably relevant, unless of course it’s an ITIL shop and then it’s applicable for any job. Don’t just have the one resume, you need to tailor it and your cover letter for the job you are applying for.

    • #41025
      sil
      Participant

      The main point of my rambling was few fold: 1) I wanted to expose some of the certification bodies for allowing nonsense to go on via way of unqualified candidates devaluing certifications that once meant something. 2) I wanted to expose many-a-mentality of douchebag wanna be security professionals who once obtain that cert, forget the term and concept of “security” 3) I wanted to expose the douchebag who knows nothing about security but enough about studying that passed a cert exam and is now passing off bogus security services.

      In the #1 for far too long many of the organizing bodies ISC, ISACA, etc., have been promising or alluding to vetting qualified candidates. This was never the case in fact as far back as 1999 I know of COMPANIES that were re-creating the CISSP in order to label all of their contractors as “security capable.” This was then one of the big four accounting firms. This practice is still present and evident today. If you’ve ever set out to take the CISSP in DC/VA you will have a better chance of hitting the powerball. This is because 2-3 companies continuously buy up all of the seats. Now, these companies collectively don’t have enough security people to fill these seats, so ask yourself why bother buying them.

      FACT: Certain certifications are mandatory in government and it is far easier to get contracts pushed through GSA shenanigans when all your guys are CISSPs. FACT: Not all of those guys can qualify. FACT: It would be easy with enough test takers to re-construct this exam; I don’t care how big your question pool is.

      On #2, for all of the certified guys at Booz what happened? 400+ CISSPs, 150 CISMs, 100+ CISAs, 50-100 SANS (GCED, GPEN, etc) and so on. You mean to tell me collectively they couldn’t have secured that network? Something is wrong with that picture. With all of the NIST, NSA, etc., templates, read mes, etc., they couldn’t lock it down? What happened to GAP, SWOT and other “methods” and standards they swear by. Not to mention business continuity and disaster recovery. What happened to encryption for data at rest. It’s all a charade of AV*EF nonsense.

      On #3 I have seen so many people with certs out the wazoo that know close to nothing about security. In my forensics and analytic mood, I can track down far too many to see FACTUALLY that they shouldn’t have even been allowed to take that exam. Of those that do, you can be sure that their credentials were NEVER checked. There was zero due diligence from the certifying bodies (ISC2, ISACA, etc.)

      Finally, I wanted to show the frustration of someone in the industry who had no choice BUT to get certified even though he’d be doing the SAME EXACT work for years. In order for him to maintain his livelihood, he had to succumb to the idiocy of certifying. The article wasn’t an attack on any one specific, it was to point out the obvious frustrations across the board. From HR, to the candidate, to the prick wanna-be.

    • #41026
      hayabusa
      Participant

      All I can say is, I fully (continue to) agree with sil, and AMEN!

    • #41027
      yatz
      Participant

      Not to jump on the bandwagon, but ultimately I agree certs do not equal qualification and are mainly used for getting past the HR process.

      However, I like having certs. 🙂  It feels like a quantifiable method of judging accomplishment.  This feeling is 90% water vapor, 9% test taking ability/memorization, 1% actual useful knowledge… but I still like it.

      The question remains: how is it possible to quantify a quality when qualities are unquantifiable by definition?

      Sil (et al.) – point to as many objections as you want, businesses want a number.  Your worth as an employee, contractor, whatever is based on this number.  Certs make the number go up.  It’s business.

    • #41028
      sil
      Participant

      Yatz, everything is a business period when you break it all down to science. When it comes to security in certain arenas, the professionals in charge should be properly vetted. Someone at Infosecisland tried to associate pilots and doctors in his response, so I will follow suit here.

      Your doctor whom you trust most is about to perform life or death surgery on you. How would you feel if the hospital board simply said: “Trusted, I see your certificate” without ever determining whether this Dr went to med school? In the industry of say government contractors, this is exactly what is happening. Voodoo security doctors. All paper based with no experience. As a taxpayer it costs both you and I more when taxes are raised.

      It is not as difficult as one thinks to validate whether or not someone has experience. Simple onsite tests prior to hiring work. Simple “Googling” helps as well however, many are in a rush to “hire right now!” where candidates aren’t vetted as they should be.

      As for having certs, I prefer the challenging ones exams that consist of practical versus the typical multichoice nonsense.

    • #41029
      dynamik
      Participant

      I think there are several deeper issues that you’ve alluded to.

      First, it’s scary how advanced our knowledge is compared to most human resources personnel, and even technical hiring managers who are generally considered to be quite savvy. When I tell people I’ve walked through banks dressed as a pest inspector, they act like I’m a spy. When I demonstrate that I can analyze a simple packet in hex, it’s like I’m Neo decoding The Matrix in real-time. Mention Nmap and Metasploit, and their eyes glaze over. I’m not bragging, and I know I’m extremely far from the best. However, I’m light years beyond the vast majority of people (as are most of you). The others are just grasping at “tangible” items, such as certifications, for concepts and knowledge that they can get their head around. There’s often no other way to really relate.

      Second, I think demand is a major issue. I know a lot of people are struggling to break into the industry, but on the flip side, it’s extremely difficult to find qualified people. It’s difficult to find people who are genuinely passionate about security; it seems like a lot are simply drawn to the glamour of it. I know of several companies who haven’t filled all their positions over the course of years, despite bringing on warm bodies who have no genuine security experience. Most companies aren’t willing to hire just anyone, despite being desperate, but having a few letters behind your name really draws attention to yourself and provides some level of comfort for the people hiring you.

      I have more certifications than anyone I know (although it seems like tturner would be able to best me if it came down to it), and I have recruiters pinging me almost daily. Sometimes I respond and decline to be polite, saying something about how I wouldn’t feel right about leaving my current employer after only seven months, and they literally beg me to reconsider. I absentmindedly complained about this in front of a coworker, and in a dejected tone, he said, “Must be nice.” I felt kind of bad, but got over it quickly when I remembered he also had to dump his way through the Security+.

      In the end, and like everything else, you get out what you put in. I pursue certs because they’re a challenge, and having to become proficient enough with a technology in order to pass an exam forces me to learn things beyond what I find interesting. I think this approach has made me a significantly more well-rounded and knowledgeable professional overall. I don’t think I could have progressed as much as I have without taking this approach.

      Having said that, people like me are an extreme minority. I’m not disagreeing with the points that others have made, but I did want to share another perspective. The market is what it is (as much as I hate that saying), so I encourage you to get better, not get bitter. A few letters won’t genuinely differentiate you from your peers and other truly skilled professionals, but it makes you stand out from the herd. I think certifications, for better or worse, are undeniably a critical component of career development and stability.

    • #41030
      TheXero
      Participant

      Great post dynamik,  I wish I had to fend off employers like you.

      I have no commercial experience, and despite having few certs I don’t even get an interview 🙁

    • #41031
      caissyd
      Participant

      I agree with dynamik:

      In the end, and like everything else, you get out what you put in. I pursue certs because they’re a challenge, and having to become proficient enough with a technology in order to pass an exam forces me to learn things beyond what I find interesting.

      @Sil: You have to realize that you are almost one of a kind. The vast majority of people in the field won’t do what you do: spend countless hours reading, learning, practicing and trying to stay on top of their game. In a word, they have a life!  😉

      So other than for a handful of superstars, certs are useful to:

      1) For you to learn something that you would otherwise not look at because it doesn’t interest you (basically, what dynamik said).

      2) It gives you a goal and forces a schedule on you.

      3) It opens doors. But on this point, not all certs are equal. CISSP, CISM, CISA and a few others open doors big time. GSEC, GPEN and the other GIAC certs open doors too, but not as much as the other ones I mentioned. OSCP and OSCE for example barely open any doors. They are excellent certs (arguably the best ones for a pentester), but they are not recognized by HR.  And finally, Security+, CEH and the like are entry level certs, showing the candidate knows the basics.

      So we cannot put all certs in the same basket here. CEH is not CISSP when it comes to HR…

      Last thing, I am sorry guys, but these letters are usually written in something called a resume. Certs use only a few lines in a multi-page document covering your experience. Like hell_razor said, it takes a while to go through resumes and to me, a superstar with no certs means nothing. Because if you are so good, why don’t you go just take a day and write an exam (like the well known CISSP) and have the best door opener for the remainder of your career?

      The opposite is also true. I have 4 certs and not much experience and I have a hard time finding a job in security. But when I reach the interview, I know my answers. Not like Sil, but I do know the answer…

      Oh and to conclude, regardless of how many certs or experience you have, it’s often who you know that makes all the difference…

    • #41032
      dynamik
      Participant

      @TheXero wrote:

      Great post dynamik,  I wish I had to fend off employers like you.

      I have no commercial experience, and despite having few certs I don’t even get an interview 🙁

      Hang in there. I spent six years working my ass off trying to get into security; it didn’t just happen. I started off by taking over the IT responsibilities of a company of five people (it wasn’t my primary responsibility), moved to a company of about 30 people, and then went to a managed services provider before I finally got a full-time security position. You need to start wherever you can get your foot in the door and work your way into what you want from there. 

    • #41033
      WCNA
      Participant

      Here’s my take even though it echoes what most have already said.

      Sure it’s a game but if you want to get past HR it’s a game you have to play.

      True knowledge and experience is more important but that’s difficult to put down on paper. A cert shows that at least you’re trying to prove you have at least some skills. The CISSP  has been described as a mile wide and an inch deep and that’s true. It’s also a damn tough exam. Does it prove you’re a security expert? No. However, it does show that you can remember vast amounts of information and maybe, just maybe you’ll remember some of it when the time comes for when it’s needed.

      I do it because it’s a challenge and I love learning. Occasionally you’ll come across a cert that will actually help you in your job. The one I’m working on now comes to mind, CWDP (great book). Security is a lot like wireless. It’s constantly changing and learning new stuff is part of the job. Nine years ago, we were using FHSS. Look how much has changed since then. 802.11b then 802.11g, now 802.11n, mesh networks, WNMS/WIPS/WLAN controllers….all changing constantly.

      I guess it really depends on what you make of it. A cert may get you on the racetrack but you still have to drive the car.

    • #41034
      Triban
      Participant

      @sil wrote:

      Your doctor whom you trust most is about to perform life or death surgery on you. How would you feel if the hospital board simply said: “Trusted, I see your certificate” without ever determining whether this Dr went to med school? In the industry of say government contractors, this is exactly what is happening. Voodoo security doctors. All paper based with no experience. As a taxpayer it costs both you and I more when taxes are raised.

      I always loved the quote/saying

      “A student who graduates med school with a C average is still a doctor” or something to that effect.

      Certs help hiring managers and HR feel warm and fuzzy.  It documents that someone is SUPPOSED to adhere to an ethical code in some cases (ISC2, GIAC, etc…).  I agree they are great for helping you get in the door.  I also agree that they help prove that you have taken the time to invest in your career.  After all we should be doing this because we love it not because it makes us good money.  I always like to say that the money is a perk for doing something I love.

      I don’t agree with companies forcing their staff to obtain certs just to say our staff is certified.  The only exception are vendor partners.  Many vendors require their partners to hold a certain level of certifications.  If a consulting company is a Microsoft Gold partner, then they need to have a certain amount of MCITPs, MCSEs, MCPs etc…  Now what I don’t agree with is making the current employees flip the bill themselves for certification exams and training, reimbursement is fine, but offering to pay for training up front is better.  This shows the company wants to invest in you and your abilities as much as you do.

      My last job the CIO or CEO (not sure who made the ultimate call in the end) decided that they would take the advice of a hack consulting firm who recommended that they have fully certified staff for their internal tech support.  This prompted a full review of the current operations of the technical support department and eventually led to the decision to outsource our duties to contractors.  They began by bringing in a number of consultants to “help” with planning our enterprise projects.  It consisted of a project manager with a CISSP but no relevant experience related to the projects and another person who again had no real experience.  But hey they are certified so all is well right?  Then they began bringing in consultants to help fill the help desk seats.  Again no relevant experience but they were certified.  Supposedly they had someone coming in experienced with our Patch management system, alas, that was a myth.  Neither of the consultants even heard of it.  2 days later after I resigned, I got a call to work a 2 week contract in the city for the exact system.  I had to chuckle.  So they brought in all these consultants to replace the 8 fully qualified full timers, user issues are falling by the wayside, nothing is getting done and overall morale is crap.  But hey, it’s ok, they are all certified.

      Ok one more good one, they didn’t even vet these consultants, one was coming in stinking like alcohol every day, he was eventually let go.

      Certs are important, I enjoy going for the ones that will benefit my knowledge rather than fill a quota.  When I finally did take my first SANS course, I thought it was excellent!  For one it forced me to study, otherwise I get distracted when I try to self study and for two, I got to learn some things I didn’t know.  It’s also nice to gauge my success and even better utilize what I learned.  Just wish the SANS classes would have some form of student loan program, you are not always lucky to find an employer who will dole out 3500 for a 6 day course.  I also agree that certs do not make the individual.

    • #41035
      WCNA
      Participant

      My last job the CIO or CEO (not sure who made the ultimate call in the end) decided that they would take the advice of a hack consulting firm who recommended that they have fully certified staff for their internal tech support.

      One of the CISAs here (tturner?) would know better about this but I seem to remember reading that a lot of auditors want (require?) companies to have some sort of certified staff even though the present staff may have superior knowledge.

    • #41036
      tturner
      Participant

      Let’s face it. Humans are not geared for making rational and intelligent decisions about risk. We are notoriously bad at it. It comes down to risk management of your human resources.

      A certified person is a somewhat known entity. There is still the possibility that they may be incompetent, but they were at least validated against the set of requirements that earned them the cert. When trying to build mature processes, it helps to have as many known quantities as possible. Variance is the enemy of maturity. Using “qualified” employees also provides some level of defensibility (is that even a word?) when things go wrong.

      The uncertified person may well be more capable, and often is but how do you validate that? What do you tell management when you choose an uncertified person over the vastly more qualified candidate (on paper) and then he proceeds to delete your AD domain?

      The intelligent choices will factor in multiple criteria including problem solving skills, experience, available resources, certifications, education, etc., but auditors often like to see those credentials because they indicate uniformity and maturity and that’s how they structure their reports. I really don’t think anyone is wrong, but we don’t live in a world of absolutes and there’s a lot of gray area here.

      Oh and I’m a CISA only so I know how to deal with auditors. I’m not an auditor. I do security testing, not blind checkbox compliance (except when it’s the only way to pay for security control X)

    • #41037
      caissyd
      Participant

      Funny you guys are talking about CISA. I just had an interview (literally 2 hours ago) by a guy who is extremely knowledgeable in security. After the interviewer had a chance to verify my experience, he asked me if I had CISA. He said it is often written in RFPs that at least one person in the team be CISA certified.

      So as I said, it’s good to have certs. It’s hard to have a career as a consultant without any certs since you are constantly applying for contracts. Full time employees, on the other hand, may not need letters next to their name. In both cases however, experience is always a big thing…

      Oh and tturner:

      Let’s face it. Humans are not geared for making rational and intelligent decisions about risk. We are notoriously bad at it. It comes down to risk management of your human resources.

      You are so right!!  ;D

    • #41038
      idr0p
      Participant

      I think certifications are very powerful when used correctly. Much like Masters Degrees, I feel people need to gain experience first then use the Cert/Degrees to augment their development. I hate it when I see “newbs” come into our company with an M.S. straight out of College and no experience. It is often much less effective because you don’t have experience to reflect your learnings off of in your masters degree. That’s why it is called a Masters… you are mastering your field. You can master something without being involved. There is no such thing as a Boxer with no hands.

    • #41039
      kennut
      Participant

      I think it’s been debated here in the topics for so long.

      The final word on this -> when it comes to certification, yes, if you have it, congrats and it’s easier for you to get an “interview”, not necessarily a guaranteed job!

      I have CISA, CISM and CEH, so what? The point, as some have mentioned: companies are looking for people who can do work and do it properly. You may have CISA, but if you cannot do IT Audit work (which is what my previous supervisor had full credentials but cannot do IT Audit work!). And you have lots of CISAs in big four companies, but they don’t care about the work, they just need the CISAs word printed on their name cards to look good (quote – financial auditors!)

      Again, I was in an interview not long ago; yes, certs do get you to the interview, at the end, it’s your experience and attitude that gets you the job. The paper collection is just that…..collection, but it does “help” you to get past those who “don’t” have it.

      Before I got the certs, there were times the clients would ask me, “why should I listen to you?”, but when you have the certs to back you up, you know what you’re doing, and you can tell them off, well, I’m a CISA and that shut their mouth!

      ;D

    • #41040
      YuckTheFankees
      Participant

      I’m going to continue with everyone, yes certs will get you an interview..but once you sit down for the interview and the questions start coming out..they will know if you’re legit.

      I remember going in for my first networking interview..I had the Network+ and CCNA ( home lab experience) and to be honest..I thought I was going to kick ass. BAM all hell broke loose.

      We started talking about my education and certs, then technical questions started. I think I might have answered 2 out of 10 questions right. Yeah I have certs and decent knowledge of networking but I was put in place and realized I need actual experience not just certs.

    • #41041
      Joshsevo
      Participant

      I am living proof of the certs debate.  I have my BA as well as CEH, CHFI, Sec+ but no experience.  I still can’t find a job that says entry level.  I also have a security clearance…

      So I recently signed up for my Master’s degree and start in a few days.  That should help me a bit I hope also. 

      Experience is so highly sought after that I wish I approached things differently in the past but I can’t change the past and can only look forward and move in that direction.

    • #41042
      YuckTheFankees
      Participant

      Do you have any IT experience? and have you had any interviews?

    • #41043
      Anonymous
      Participant

      I think having experience is more important than any qualifications. That is one of the biggest problems in the UK at the moment: there are not enough people breaking into pen testing because they don’t have any experience, but the only way to get that is to work in pen testing.

      This is one of the most frustrating things I found when trying to get a job as a junior: hardly any companies will take on a junior, as when they do they are running at a loss. So you get companies just stealing pen testers from other companies by offering them more money.

      I also think that no course can really give you true experience in the real world.

    • #41044
      Joshsevo
      Participant

      Yuck,

      Very little.  I do tech support at my job for 4 yrs.  Very little actual computer work.  I volunteer at a Computer Forensics lab but it’s only after hrs and after my FT job.  I can’t go down there every day as they are testifying, or go home.  So it’s maybe once a week.

      If I had no bills I would not be in this situation.  I could quit my FT job and go down there every day like the owner wants me to.

      I have had a few interviews.  The most recent was a DoD job in Ft. Huachuca.  It’s that base in AZ.  They said they didn’t like my personality and that’s the reason I didn’t get the job….Really WTF…

      There is a Jr computer Forensics position that I am being recruited for in VA but they need to hire a senior Forensics director and they will interview me.

      So the only thing I can do is get certs, prove that I can learn and learn quickly and then hopefully find a person that was in my position until he got hired and then hopefully will hire me.

      But in the mean time I keep plugging away one day at a time.

    • #41045
      YuckTheFankees
      Participant

      Josh,

      They actually said they didn’t like your personality? Wow that’s ruthless, WTF?
      In about 12-18 months, I’ll be in almost the same situation. I’ll have B.S. in IT..hopefully finish MS in Info Assurance, and a handful of certs but no security experience.

      I hear it’s rough out there without any security experience. Are you willing to relocate anywhere (from your post it seems like you are)?

      Are you looking for forensics or just any job in security?

      I would say definitely get the masters, keep on doing the certs, and eventually you’ll get a job. There’s no stopping with security. You’re doing everything you can, keep up the good work and let us know of any good news!

    • #41046
      Joshsevo
      Participant

      Yes they said they didn’t like my personality.  That’s the only reason.  The interview went great. I was friendly and answered all of the questions.  I was astonished that they said that to me.  Yes I am willing to move all over the world.  Looking at some jobs in Afgan/Kuwait now.

      I will take anything anywhere.

      Ya I figure having a Master’s degree can’t hurt.

    • #41047
      YuckTheFankees
      Participant

      Can you think of any reason they would have said that?

    • #41048
      Joshsevo
      Participant

      The only thing I can think of is that he made a negative comment about where I got my BA from and I think this is the real reason why.  Blaming it on my personality was just a scapegoat maybe.  Other than that I can’t think of anything else.  The interview went good.

    • #41049
      YuckTheFankees
      Participant

      Where is your degree from?

    • #41050
      Joshsevo
      Participant

      DeVry

    • #41051
      hell_razor
      Participant

      I’ll go ahead and say it again…certifications will land you an interview, experience will land the job, all other things being equal.

    • #41052
      tturner
      Participant

      @Joshsevo wrote:

      The only thing I can think of is that he made a negative comment about where I got my BA from and I think this is the real reason why.  Blaming it on my personality was just a scapegoat maybe.  Other than that I can’t think of anything else.  The interview went good.

      Yeah I had an interview like that once. I aced the technical interview(s) and they were talking salary and when could I start, etc. Then after the last “soft-skills” interview at customer site, they said their environment was too “dot-com”-like and that my personality was too structured to work out well there given my history in largely state and local govt work. They were probably right, everyone was wearing jeans (some were cut-offs), t-shirts and sandals, and I found myself questioning whether it was a work environment or a beach party. Many employers do culture fit interviews and it may be something as simple as that.

    • #41053
      YuckTheFankees
      Participant

      tturner,

      My new job is like that. They wear whatever they want and I was taken aback by it for the 1st week. I’ve only worked at large corporations before that and they all had strict or at least some type of dress code. Once I started at this small business, I tried dressing up the first couple of days…then I realized what the hell am I doing…jeans and t-shirt..HELL YEAH

    • #41054
      impelse
      Participant

      You’re going to laugh but I work in an IT company and I HAVE TO WEAR A UNIFORM >:(

    • #41055
      rattis
      Participant

      @impelse wrote:

      You’re going to laugh but I work in an IT company and I HAVE TO WEAR A UNIFORM >:(

      I worked in a NOC and had to wear a full suit (Jacket, vest, tie, slacks, polished shoes) on the 11pm to 7am weekend shift.

    • #41056
      YuckTheFankees
      Participant

      Damn, that’s rough!

    • #41057
      Solinus
      Participant

      @hell_razor wrote:

      I’ll go ahead and say it again…certifications will land you an interview, experience will land the job, all other things being equal.

      I have to agree with this 100%. I have seen many guys come in with certs and they are easily passed onward for the interview, and fail miserably when the tech talk starts. I have also known others, myself included once upon a time, that could not even get a call back until the resume was overflowing with certifications. Now, I have become a certification monkey! I love studying for them and taking the tests. I have become addicted and my wife is very supportive of this addiction. She is probably thinking there could be much worse ones for me to get involved in.

      On a side note, as consultants with our firm, we all wear full suits, shirt and tie at the very minimum. I think it is a proper way for us to be dressed for what we do.

    • #41058
      YuckTheFankees
      Participant

      I can see consultants wearing suits or dressing up more than the random employee.

      I wish my girlfriend was supportive of me being a cert monkey. ???

    • #41059
      ttime245
      Participant

      A full suit at a NOC….on the night shift at that? That’s ridiculous….

    • #41060
      p0et
      Participant

      A full suit?!  Damn, I couldn’t do that.  I just can’t think straight and do my job well if I’m not comfortable.  Luckily, they let us wear anything we like (within reason) where I work now.  I tend to get a lot more work done and be more productive in jeans/t-shirt than a full suit.

    • #41061
      l33t5h@rk
      Participant

      @dynamik wrote:

      Hang in there. I spent six years working my ass off trying to get into security; it didn’t just happen. I started off by taking over the IT responsibilities of a company of five people (it wasn’t my primary responsibility), moved to a company of about 30 people, and then went to a managed services provider before I finally got a full-time security position. You need to start wherever you can get your foot in the door and work your way into what you want from there. 

      This is the best path to get into a full time security position. Take over, and the job will come …

    • #41062
      Triban
      Participant

      @p0et wrote:

      A full suit?!  Damn, I couldn’t do that.  I just can’t think straight and do my job well if I’m not comfortable.  Luckily, they let us wear anything we like (within reason) where I work now.  I tend to get a lot more work done and be more productive in jeans/t-shirt than a full suit.

      Suddenly I have an image of Casual Friday from Man in the Box.

      My last job was great, summer time was extra casual.  Shorts, t-shirts, sneakers.  During the regular year we had many jeans weeks for charity of course.  Fridays were always casual/jeans.  Day after a snow day was casual.  I miss that, I am in a mixed environment now but I am typically slacks and button-ups.  I don’t mind that so much, if I will be working with clients I will typically be in a tie and/or sports jacket, sadly I need more of the jackets.  I don’t bust out the full suit except for weddings and interviews, I don’t like getting it dirty 😀

      I am still shocked when my recruiters remind me to wear a suit and tie when going for interviews.  I look at them like “duh” but they have told me that they had recruits going in wearing jeans and such.  Shocking how people don’t know how to dress for success.  I heard wise words once “Dress for the job you want, not for the job you have.” 

    • #41063
      lorddicranius
      Participant

      Thanks for everybody’s input on this.  I understand the point Sil was trying to get across, and I think we’ve sort of digressed from that, but I like/appreciate what everyone’s said.  There’s some good knowledge and experience shared here 🙂

      @3xban wrote:

      I am still shocked when my recruiters remind me to wear a suit and tie when going for interviews.  I look at them like “duh” but they have told me that they had recruits going in wearing jeans and such.  Shocking how people don’t know how to dress for success.  I heard wise words once “Dress for the job you want, not for the job you have.” 

      I’ve heard this before and have wondered a few things.  So I understand that there’s this societal hierarchy of clothes.  Jeans and t-shirts, slacks and button-ups, 3 piece suits (not comprehensive, but an example).  So the quote “dress for the job you want, not for the job you have.”  This implies that you’ll need to wear clothes higher up on the clothes hierarchy to get a “better” job.  Does this train of thought only apply to a job interview?  Or does the type of clothes you wear to an interview reflect the clothes you’ll be wearing on a daily basis (from an infosec position perspective)?  For me, the job I want isn’t wearing suits everyday.  Is this really what higher security positions require?  Or as I asked above, is it only for the interview process?

      Maybe I’m just ignorant to the whole hiring process and what you wear to an interview implies, but I think that in this day and age where it’s way more common that you can’t judge a book by its cover, we’d be evolving out of this “you need to wear a suit to get a better job” idea and actually interview for a person’s knowledge.

    • #41064
      Triban
      Participant

      In many large enterprises, they still grasp the old ways.  The higher up managers are in suits and lower down the chain you get into more casual dress.  In the smaller companies, it isn’t so much but it does show the interviewer that you want to impress them.  Remember you are part of the presentation.  You wouldn’t make a power point slide deck with nothing but words right?  Of course not, you would lose your audience.  You want to put nice graphs, images and clever quotes or such.  Even if you are going to work for a small shop that spends their time in t-shirts and jeans, well you still want to show them you care enough to put on a tie for them.  Remember all companies will have a customer and you may need to see that customer in person every so often. 

      Eventually many of us will want to shoot for that CSO/CISO position someday and sadly they sometimes have to don a black suit instead of the blackhat (there was a video of this at some con, can’t remember). 

      I still think the full suit in the NOC during 2nd shift is a bit much.  That’s just crazy.

    • #41065
      YuckTheFankees
      Participant

      To me, dressing up in a suit is a respect thing.

    • #41066
      Triban
      Participant

      Cue the Barney Stinson Suit song: http://www.youtube.com/watch?v=sCvSENxG1p0 (hope it’s the right one, currently behind mean filters 😉 )

    • #41067
      l33t5h@rk
      Participant

      Really though, most companies (at least everything but the very top) don’t require a suit or even a tie in daily wear. It’s really 1-3 days (pending on # of interviews) for you to wear a suit, then you can typically dress however you want. Isn’t that a low risk to take to potentially land a new position?

    • #41068
      lorddicranius
      Participant

      @l33t5h@rk wrote:

      Really though, most companies (at least everything but the very top) don’t require a suit or even a tie in daily wear. It’s really 1-3 days (pending on # of interviews) for you to wear a suit, then you can typically dress however you want. Isn’t that a low risk to take to potentially land a new position?

      Yep, agreed.  My post was multi-faceted.  I agree with the low risk/high gain.  The rant was just building on the real question which you answered in the first part here.  I was really just wondering what other people’s experiences were in security roles in other companies’ environments when it comes to dress codes – interviews vs daily clothing.

      Thanks everybody 🙂

      @3xban wrote:

      Cue the Barney Stinson Suit song: http://www.youtube.com/watch?v=sCvSENxG1p0 (hope it’s the right one, currently behind mean filters 😉 )

      lol


Copyright ©2020 Caendra, Inc.
