
Experience vs Certifications

lorddicranius

Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Tue Jul 19, 2011 11:26 am

Experience vs Certifications

Great article by Sil:

https://www.infosecisland.com/blogview/ ... cured.html

So I've been studying various aspects of security so that I can get into a security career. As soon as I started listening in on the infosec community chatter, this is something I've heard a lot about: 'certifications are not the end all, be all; one must have the experience to back it up.' Yet this seemed counter to what I was seeing in job postings. I've seen it here on the forums too when people ask questions about certifications: 'These certs will give you some great experience in this or that; these will get you past the HR filter.'

How do we as an industry change that, or can we?  While I'm very passionate about getting into a security career, forking over all that money to get a number of certs and keep them up to date just doesn't jive with me.  When I separated from the military after 3.5 years as a sysadmin and experience in security, I had the hardest time finding a civilian sysadmin gig.  I ended up working at a help desk, then after a year I decided to get my Net+, Sec+ and Linux+ (without the use of study guides, mind you - the knowledge was already there) just so that I could get a call back regarding a sysadmin/netadmin position (and it worked).

How does one go about proving they're qualified with previous experience on a resume to get past that HR filter? I'd assume that after you get past the HR filter, you can explain your previous work experience and the home lab you use to explore various technologies on your own dime and time... but there's that damned HR filter in the way...

Anyway, just trying to stir up some conversation here. I know I'm not the only one who's trying to break into the industry that's frustrated with this (not to mention those who are already in the industry who think it's BS).

Sidenote: Lee Kushner of InfoSecLeaders (teamed up with Mike Murray) is doing a workshop at BlackHat on careers in infosec.  If anybody here goes to that, I'd love to hear what was talked about.  He'll be presenting the results of their latest survey on the value of infosec certs too.
Last edited by lorddicranius on Tue Jul 19, 2011 11:35 am, edited 1 time in total.
GSEC, eCPPT, Sec+
hell_razor

Jr. Member

Posts: 90

Joined: Wed Jul 14, 2010 10:44 am

Post Tue Jul 19, 2011 4:07 pm

Re: Experience vs Certifications

This article did strike a nerve, so I suppose it was targeted at people like me.  Here goes...

To me, there are two different stories Sil speaks of in his article.

The first story involves HR using certifications as a barrier to entry of employment.  The second story is that people put too much value on certifications and not enough value in results.

As a hiring manager, I ask HR to look for industry certificates in the field I am hiring for.  I may not specifically ask for CIS(A/M), CISSP, or CCIE certifications or degrees, but I do expect to see something there.  I do not hire based on the certification, but it does allow me to filter out candidates without having to manually review hundreds to find the gem that would otherwise fall out.  In a perfect world, I would love to have the time to review every application sent, but the real world has limited resources, my time included.  I need an easy, predictable (if not ideal) way to sort applications and filter how many I receive simply due to time management.

I am not impressed because a candidate has one or more of the certificates I expected or hoped to see until I have interviewed them and determined their technical skill level as it related to the position I am filling.  A certification will not prove to me that they have the ability to actually apply the knowledge they learned or that they even still have the knowledge, but the interview will hopefully show them whether or not they are qualified (and if it doesn't I clue them in as politely as possible).

Again, my hiring decision is not based on or even related to the certification(s) they may or may not have. It is a cost of admission, though. If a great candidate otherwise has no certifications they may well be capable of doing the work. They may have a multitude of reasons they could not get some certification or degree (lack of experience, lack of money, whatever the issue is), but the fact remains that they have not taken the opportunity to invest in themselves to make themselves more marketable, even if it adds little or no technical skill. If someone comes in with no experience, but has a couple of relevant certifications, and does a good job on the technical (and non-technical - don't forget about this part) interviews, then I would not hesitate to hire them. If a candidate applies but has nothing to put on a resume to show me how important setting themselves apart or bettering themselves is, then I probably do not have a reason to interview them, all things being equal.

This works for me in this economy and situation. If things change, and it appears they will, and we end up with more security openings in the industry than we have applicants, things may change. We may have to lower the threshold of applicants to review because we have more time available to review each applicant. In that situation, I will adjust requirements accordingly. There is a huge difference between wading through 100 applications and wading through 1,000.

The second point in Sil's article, hiring consultants who appear qualified solely based on their certification rather than on actual ability, is a similar shortcoming for the hiring manager. That being said, if you are involved in a court case or being audited, right or wrong, you will get more traction if you have externally validated (read: certified) staff than if you have self-taught, non-certified staff. Now, some will whine that it is not fair, but life is not always fair. Sometimes it just "is." Again, the point, though, is not to have a certification for window dressing but to really understand what is behind the window.

For the people we have all heard of or know who have been hired solely based on their certification and not on their ability, is that really the fault of the employee? Maybe. Does it show an obvious problem in the hiring process? Definitely.

Sorry for the rant and long post today, but I get tired of hearing the complaints. Seriously, add a certificate or two to get in the door and consider it an investment in your future.
A+, Network+, Server+, CISSP, GSEC, GCIH, GPEN, GCIA, GISP, GCFW
hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Jul 19, 2011 5:59 pm

Re: Experience vs Certifications

I agree with both sides.  hell_razor does make a valid and understandable argument for his point, and sil also duly notes that the certification doesn't 'make the man'. I tend to side with sil, in my personal beliefs, but have to give a nod to hell_razor for the reality, at least in MOST cases.

That said, I do agree, however, that having even simpler certs is worth getting the second look in interviews, even though, in the end, it might mean the lesser 'truly qualified' guys get a job.  While costly in many cases, at least it does truly BUY you a second glance... (literally buy, in many / most cases)
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP, GPEN, C|EH
tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Wed Jul 20, 2011 12:23 am

Re: Experience vs Certifications

I have a B.S. degree, 17+ years of exp in IT (only 6 or so in IT Security) and a truckload of certs (more than you see in my sig). When I interview, I find my certs become a topic of conversation for the interviewer far more frequently than my degree. My experience is gauged based on the questions I'm asked but I rarely have an interviewer ask me about a specific job unless it's my current one. Certs on the other hand become a topic for discussion because the interviewer is often curious what all the letters after my name are for.

The sad reality is that most of the jobs I interview for are conducted by hiring managers who do not understand what they need or what it is an infosec guy even does. Last 3 interviews I went on they got blinded by my certs and acted like giddy schoolchildren at the prospect of me working there when I know for a fact they have current staff that make me look like a moron. Certs are also the reason I suspect why I get at least 5 recruiter contacts weekly. It's seriously messed up but whatever, I play the game like everyone else. It's an investment in "me".
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
dbest

Jr. Member

Posts: 79

Joined: Thu Jun 23, 2011 1:14 pm

Post Wed Jul 20, 2011 2:14 am

Re: Experience vs Certifications

Certificates open doors for you in terms of job opportunities, and it's the experience that can help you win the job.

The level of awareness in the company that is gonna be hiring you is something that needs to be considered as well.

When I tend to look at resumes with loads of certs, I tend to get put off, but that's just me. Sometimes it's better to retain only the relevant certs on your resume and discuss the rest if required.
CISM, CEH, CISA, ISO 27001 LA
nonexistententity

Newbie

Posts: 15

Joined: Tue Jul 19, 2011 11:32 am

Post Wed Jul 20, 2011 8:14 am

Re: Experience vs Certifications

tturner wrote:
It's seriously messed up but whatever, I play the game like everyone else. It's an investment in "me".


I think tturner nailed it on the head here. I think the OP's desire mirrors everyone who genuinely wants this industry to grow properly: to have those responsible for hiring InfoSec professionals looking for the right things. But the simple fact is, that's not happening in the vast majority of cases.

Experience is the most important thing any of us can possess to be good at our jobs and to be productive, contributing members of the Information Security community. But we still have to put food on the table and that generally requires playing the game to some degree. And I think if you actually attempt to derive value from the study process then a certification isn't just a necessary evil.

Great discussion, everyone!

-N33
tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Wed Jul 20, 2011 8:53 am

Re: Experience vs Certifications

dbest wrote:
When I tend to look at resumes with loads of certs, I tend to get put off, but that's just me. Sometimes its better to retain only the relevant certs on your resume and discuss the rest if required.



I completely understand that mentality and have in fact been turned down before because the prospective employer was concerned I would be too focused on getting my next cert and not enough on doing the job I was being paid for. It's a valid concern I suppose, but if you hire the right person and keep them engaged with relevant and exciting work then that's usually not a problem.

Most of the time people who have an issue with certs are old fogeys who "didnt have no goshdarned certifications back in my day, less'n your a M.D", people who never invested in their own careers and are angry because they got overlooked in favor of a certified guy sometime in their past, or people who actually have enough competence in the job tasks being interviewed for that they understand just how poorly certifications prepare the average worker to perform the job duties they will be engaged in. There are of course some exceptions here, but that's been my experience.

People are by and large judgmental in nature. We all have criteria we use to quickly evaluate a situation, person, place, etc. This is partly based on our personalities and what we are looking for, as well as past negative and, to a lesser degree, positive experiences. Most of us have had exposure to a "paper tiger" at some point in our careers and it's easy to let that prejudice form future decisions. You will have mixed reactions because everyone is different. We all have different experiences and different requirements. So for one employer, my 15 or so certs are going to be a fantastic thing, and for another they're not. There's no reliable way of knowing before you apply to the job unless you have an inside track with the hiring manager, and then it probably doesn't matter what you put on your resume.

My rule of thumb these days is to put every credential and job on my resume that is *relevant* to the job I'm applying for. I don't include my A+ or my iNetvu Satellite Repair Technician or my 27 FEMA/ICS/CDC/Red Cross certs on resumes for security jobs, but I definitely put all the security related ones as well as some others depending on the exact nature of the position. A pentest job probably does not care about ITIL, but for the security manager job it's probably relevant, unless of course it's an ITIL shop and then it's applicable for any job. Don't just have the one resume; you need to tailor it and your cover letter for the job you are applying for.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Jul 20, 2011 10:04 am

Re: Experience vs Certifications

The main point of my rambling was a few-fold: 1) I wanted to expose some of the certification bodies for allowing nonsense to go on via way of unqualified candidates devaluing certifications that once meant something. 2) I wanted to expose many-a-mentality of douchebag wanna-be security professionals who, once they obtain that cert, forget the term and concept of "security". 3) I wanted to expose the douchebag who knows nothing about security but enough about studying that he passed a cert exam and is now passing off bogus security services.

On #1, for far too long many of the organizing bodies (ISC, ISACA, etc.) have been promising or alluding to vetting qualified candidates. This was never the case; in fact, as far back as 1999 I know of COMPANIES that were re-creating the CISSP in order to label all of their contractors as "security capable." This was then one of the big four accounting firms. This practice is still present and evident today. If you've ever set out to take the CISSP in DC/VA you will have a better chance of hitting the Powerball. This is because 2-3 companies continuously buy up all of the seats. Now, these companies collectively don't have enough security people to fill these seats, so ask yourself why they bother buying them.

FACT: Certain certifications are mandatory in government and it is far easier to get contracts pushed through GSA shenanigans when all your guys are CISSPs. FACT: Not all of those guys can qualify. FACT: It would be easy with enough test takers to re-construct this exam; I don't care how big your question pool is.

On #2, for all of the certified guys at Booz, what happened? 400+ CISSPs, 150 CISMs, 100+ CISAs, 50-100 SANS (GCED, GPEN, etc.) and so on. You mean to tell me collectively they couldn't have secured that network? Something is wrong with that picture. With all of the NIST, NSA, etc., templates, read-mes, etc., they couldn't lock it down? What happened to GAP, SWOT and other "methods" and standards they swear by? Not to mention business continuity and disaster recovery. What happened to encryption for data at rest? It's all a charade of AV*EF nonsense.

On #3 I have seen so many people with certs out the wazoo that know close to nothing about security. In my forensics and analytic mood, I can track down far too many to see FACTUALLY that they shouldn't have even been allowed to take that exam. Of those that do, you can be sure that their credentials were NEVER checked. There was zero due diligence from the certifying bodies (ISC2, ISACA, etc.)

Finally, I wanted to show the frustration of someone in the industry who had no choice BUT to get certified even though he'd be doing the SAME EXACT work for years. In order for him to maintain his livelihood, he had to succumb to the idiocy of certifying. The article wasn't an attack on any one specific, it was to point out the obvious frustrations across the board. From HR, to the candidate, to the prick wanna-be.
hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Wed Jul 20, 2011 10:17 am

Re: Experience vs Certifications

All I can say is, I fully (continue to) agree with sil, and AMEN!
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP, GPEN, C|EH
yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Wed Jul 20, 2011 10:31 am

Re: Experience vs Certifications

Not to jump on the bandwagon, but ultimately I agree certs do not equal qualification and are mainly used for getting past the HR process.

However, I like having certs. :) It feels like a quantifiable method of judging accomplishment. This feeling is 90% water vapor, 9% test taking ability/memorization, 1% actual useful knowledge... but I still like it.

The question remains: how is it possible to quantify a quality when qualities are unquantifiable by definition?

Sil (et al.) - point to as many objections as you want, businesses want a number.  Your worth as an employee, contractor, whatever is based on this number.  Certs make the number go up.  It's business.
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Jul 20, 2011 10:51 am

Re: Experience vs Certifications

Yatz, everything is a business, period, when you break it all down to science. When it comes to security in certain arenas, the professionals in charge should be properly vetted. Someone at Infosecisland tried to associate pilots and doctors in his response, so I will follow suit here.

Your doctor whom you trust most is about to perform life or death surgery on you. How would you feel if the hospital board simply said: "Trusted, I see your certificate" without ever determining whether this Dr. went to med school? In the industry of, say, government contractors, this is exactly what is happening. Voodoo security doctors. All paper based with no experience. As a taxpayer it costs both you and me more when taxes are raised.

It is not as difficult as one thinks to validate whether or not someone has experience. Simple onsite tests prior to hiring work. Simple "Googling" helps as well; however, many are in a rush to "hire right now!" where candidates aren't vetted as they should be.

As for having certs, I prefer the challenging ones, exams that consist of practicals versus the typical multiple-choice nonsense.
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Aug 02, 2011 10:46 pm

Re: Experience vs Certifications

I think there are several deeper issues that you've alluded to.

First, it's scary how advanced our knowledge is compared to most human resources personnel, and even technical hiring managers who are generally considered to be quite savvy. When I tell people I've walked through banks dressed as a pest inspector, they act like I'm a spy. When I demonstrate that I can analyze a simple packet in hex, it's like I'm Neo decoding The Matrix in real-time. Mention Nmap and Metasploit, and their eyes glaze over. I'm not bragging, and I know I'm extremely far from the best. However, I'm light years beyond the vast majority of people (as are most of you). The others are just grasping at "tangible" items, such as certifications, for concepts and knowledge that they can get their head around. There's often no other way to really relate.

Second, I think demand is a major issue. I know a lot of people are struggling to break into the industry, but on the flip side, it's extremely difficult to find qualified people. It's difficult to find people who are genuinely passionate about security; it seems like a lot are simply drawn to the glamour of it. I know of several companies who haven't filled all their positions over the course of years, despite bringing on warm bodies who have no genuine security experience. Most companies aren't willing to hire just anyone, despite being desperate, but having a few letters behind your name really draws attention to yourself and provides some level of comfort for the people hiring you.

I have more certifications than anyone I know (although it seems like tturner would be able to best me if it came down to it), and I have recruiters pinging me almost daily. Sometimes I respond and decline to be polite, saying something about how I wouldn't feel right about leaving my current employer after only seven months, and they literally beg me to reconsider. I absentmindedly complained about this in front of a coworker, and in a dejected tone, he said, "Must be nice." I felt kind of bad, but got over it quickly when I remembered he also had to dump his way through the Security+.

In the end, and like everything else, you get out what you put in. I pursue certs because they're a challenge, and having to become proficient enough with a technology in order to pass an exam forces me to learn things beyond what I find interesting. I think this approach has made me a significantly more well-rounded and knowledgeable professional overall. I don't think I could have progressed as much as I have without taking this approach.

Having said that, people like me are an extreme minority. I'm not disagreeing with the points that others have made, but I did want to share another perspective. The market is what it is (as much as I hate that saying), so I encourage you to get better, not get bitter. A few letters won't genuinely differentiate you from your peers and other truly skilled professionals, but it makes you stand out from the herd. I think certifications, for better or worse, are undeniably a critical component of career development and stability.
The day you stop learning is the day you start becoming obsolete.
TheXero

Full Member

Posts: 112

Joined: Tue Dec 07, 2010 12:24 pm

Post Wed Aug 03, 2011 5:10 am

Re: Experience vs Certifications

Great post, dynamik. I wish I had to fend off employers like you.

I have no commercial experience, and despite having a few certs I don't even get an interview :(
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Wed Aug 03, 2011 7:32 am

Re: Experience vs Certifications

I agree with dynamik:
In the end, and like everything else, you get out what you put in. I pursue certs because they're a challenge, and having to become proficient enough with a technology in order to pass an exam forces me to learn things beyond what I find interesting.


@Sil: You have to realize that you are almost one of a kind. The vast majority of people in the field won't do what you do: spend countless hours reading, learning, practicing and trying to stay on top of their game. In a word, they have a life!  ;)

So other than for a handful of superstars, certs are useful to:

1) For you to learn something that you would otherwise not look at because it doesn't interest you (basically, what dynamik said).

2) It gives you a goal and forces a schedule on you.

3) It opens doors. But on this point, not all certs are equal. CISSP, CISM, CISA and a few others open doors big time. GSEC, GPEN and the other GIAC certs open doors too, but not as much as the other ones I mentioned. OSCP and OSCE for example barely open any doors. They are excellent certs (arguably the best ones for a pentester), but they are not recognized by HR. And finally, Security+, CEH and the like are entry level certs, showing the candidate knows the basics.

So we cannot put all certs in the same basket here. CEH is not CISSP when it comes to HR...

Last thing, I am sorry guys, but these letters are usually written in something called a resume. Certs use only a few lines in a multi-page document covering your experience. Like hell_razor said, it takes a while to go through resumes, and to me, a superstar with no certs means nothing. Because if you are so good, why don't you just go take a day and write an exam (like the well known CISSP) and have the best door opener for the remainder of your career?

The opposite is also true. I have 4 certs and not much experience, and I have a hard time finding a job in security. But when I reach the interview, I know my answers. Not like Sil, but I do know the answer...

Oh and to conclude, regardless of how many certs or experience you have, it's often who you know that makes all the difference...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Aug 03, 2011 7:56 am

Re: Experience vs Certifications

TheXero wrote:
Great post, dynamik. I wish I had to fend off employers like you.

I have no commercial experience, and despite having a few certs I don't even get an interview :(


Hang in there. I spent six years working my ass off trying to get into security; it didn't just happen. I started off by taking over the IT responsibilities of a company of five people (it wasn't my primary responsibility), moved to a company of about 30 people, and then went to a managed services provider before I finally got a full-time security position. You need to start wherever you can get your foot in the door and work your way into what you want from there. 
The day you stop learning is the day you start becoming obsolete.