Harsh Words for Professional Infosec Certification

Viewing 7 reply threads
  • Author
    • #5360

      The report cites the following reasons for its tough-love approach to certification:

          * Individuals and employers spend scarce resources on credentials that do not demonstrably improve their ability to address security-related risks; and

          * Credentials, as currently available, focus on demonstrating expertise in documenting compliance with policy and statutes rather than expertise in actually reducing risk through identification, prevention and intervention.


    • #33905

      I wish I could disagree. I’ve put more time and money into popular certifications that are garbage when it comes to real-world applicability than I would like to admit…

    • #33906

      Now that is what I would call harsh. Anyway, I wish I could say something about it as Dynamik have clearly stated it. I just cannot disagree on this one simply because everything that is being said here is absolutely correct andlogical despite being very harsh and rude. I guess sooner or later, it is the health of professional InfoSec certification that is going to degrade if they do not act upon it, in my opinion

    • #33907

      From the article:

      And, since most of us are not able to assess the qualifications of a practitioner when a need arises, we now have an education system with accreditation standards and professional certifications by specialty.

      This is also true!

      I am working very, very hard not to be the next security guy who knows more than everybody else at work, but still knows a lot less than the expert working across the street. What I mean is it isn’t difficult to look like you “know it all” in front of people who has never work in IT security. It is a different thing to be considered an expert among your peers…

      On the other hand, if we look at ourselves, we all know we lack experience in this and that domaine. The fact that there is so much to learn forces us to become specialists. But we are required to work in many different fields, so we are stuck…

      If we look at people on this forum, who are very, very good at doing a pentest for example? You can count them on one hand… BUT, I believe we all make a huge difference where we work. Without us, the “average” IT Security guys, the “experts” would be overwhelm!  ;D

      Finally, it is the same with all types of work. We want the best car mechanic, the best doctor, the best accountant, etc. But hey, we all have to start somewhere… 😉

      So again and again, like almost everyone thinks on this forum, certs are part of the equation. They aren’t perfect and they aren’t everything, but they have their use and their place.

    • #33908

      I agree with H1t M0nk3y, the exp is the must dificult part and because there is to much to learn we need to become specialist but the employer want you to know everything.

      I know a little bit Cisco but in my new job over night I had to migrate one Pix to ASA to new ISP provider with 7 vpn without knowing the password and one guy hiding some information. Come on that was a job for a CCNP or CCSP and not for a CCNA in that moment but I did with some help.

      Now I am learning more about pen test and I think “Would I have the same situation with some pen test? Would my employer require far beayond my skills? Who knows!!!!

    • #33909

      Most of the problem with certification is that the tests primarily consist of multiple-choice tests that merely test your book knowledge or very basic reasoning skills. For example one could likely pass the CISSP or CEH with very little technical knowledge by simply reading the materials and perhaps participating in lab exercises. There of course is a bit of test-taking skill and strategy that comes into play as well.

      Understanding theory in IT security(or any science for that matter) is only half of it. I think that more lab-based tests need to become part of the common testing framework. A good example is the OSCP, which is one hard-core technical test.

      I’ve taken the CISSP, CEH, CISA, CCNA, and OSCP. OSCP being a completely practical test is definitely the only one that I feel truly tested skills versus “book smarts”. If I’m ever in a hiring situation and I see the OSCP on someones resume they’re going to be the first person I bring in for an interview.

    • #33910

      to be frank, it depends on what field you’re doing, let’s say if you passed CISA, and got certified, at the end game, the result of the audit / report will then know if you are really an IT Auditor or not (IT audit can have financial auditors / or techies auditor). I have an ex supervisor who is CISSP, CISM, CISA, etc, long until name card cannot fit in, but when comes to “real work”, he can’t perform or even write a good report. end up was ask to leave by my director.

      so, no certification is bullet proof, it only gets you pass HR filtering, but the end game is, where you can do the work or not. No one is really a specialised “know it all dude”, otherwise we’ll end up being a DBA who’s only doing DBA work only.  😉

    • #33911

      I agree with partek.  Demonstration based exams are worth more than knowledge based exams.  OCSP is a good measure of practical ability needed to perform in a pentest environment and does provide a good benchmark for what you can expect from a certification holder.

      The problem with demonstration based exams is that they are expensive.  They have to be.  It is much more difficult to test someone’s ability to demonstrate concepts than to answer questions about the same concepts.  Employers don’t like to pay for certs, especially not high priced certs, because people use them to pad the resume for the next job (at least this has been my experience).  Anyway, there’s no perfect cert (as this thread demonstrates), but I agree with partek that those with demonstration based certs are going to get the first calls for an interview (all other things being equal).

Viewing 7 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.


Sign in with Caendra

Forgot password?Sign up

Forgot your details?