Experience vs Certifications

<<

WCNA

Full Member

Posts: 187

Joined: Wed Mar 02, 2011 8:05 am

Location: Florida

Post Wed Aug 03, 2011 8:34 pm

Re: Experience vs Certifications

Here's my take even though it echoes what most have already said.

Sure it's a game but if you want to get past HR it's a game you have to play.

True knowledge and experience is more important but that's difficult to put down on paper. A cert shows that at least you're trying to prove you have at least some skills. The CISSP  has been described as a mile wide and an inch deep and that's true. It's also a damn tough exam. Does it prove you're a security expert? No. However, it does show that you can remember vast amounts of information and maybe, just maybe you'll remember some of it when the time comes for when it's needed.

I do it because it's a challenge and I love learning. Occasionally you'll come across a cert that will actually help you in your job. The one I'm working on now comes to mind, CWDP (great book). Security is a lot like wireless. It's constantly changing and learning new stuff is part of the job. Nine years ago, we were using FHSS. Look how much has changed since then. 802.11b then 802.11g, now 802.11n, mesh networks, WNMS/WIPS/WLAN controllers....all changing constantly.

I guess it really depends on what you make of it. A cert may get you on the racetrack but you still have to drive the car.
Last edited by WCNA on Wed Aug 03, 2011 8:41 pm, edited 1 time in total.
ISC2 Associate, WCNA, CWNA, OSCP, Network+
<<

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Mon Aug 08, 2011 12:53 pm

Re: Experience vs Certifications

sil wrote: Your doctor whom you trust most is about to perform life or death surgery on you. How would you feel if the hospital board simply said: "Trusted, I see your certificate" without ever determining whether this Dr went to med school? In the industry of say government contractors, this is exactly what is happening. Voodoo security doctors. All paper based with no experience. As a taxpayer it costs both you and I more when taxes are raised.


I always loved the quote/saying

"A student who graduates med school with a C average is still a doctor" or something of that effect. 

Certs help hiring managers and HR feel warm and fuzzy. It documents that someone is SUPPOSED to adhere to an ethical code in some cases (ISC2, GIAC, etc...). I agree they are great for helping you get in the door. I also agree that they help prove that you have taken the time to invest in your career. After all we should be doing this because we love it not because it makes us good money. I always like to say that the money is a perk for doing something I love.

I don't agree with companies forcing their staff to obtain certs just to say our staff is certified. The only exception are vendor partners. Many vendors require their partners to hold a certain level of certifications. If a consulting company is a Microsoft Gold partner, then they need to have a certain amount of MCITPs, MCSEs, MCPs etc... Now what I don't agree with is making the current employees foot the bill themselves for certification exams and training, reimbursement is fine, but offering to pay for training up front is better. This shows the company wants to invest in you and your abilities as much as you do.

My last job the CIO or CEO (not sure who made the ultimate call in the end) decided that they would take the advice of a hack consulting firm who recommended that they have fully certified staff for their internal tech support. This prompted a full review of the current operations of the technical support department and eventually led to the decision to outsource our duties to contractors. They began by bringing in a number of consultants to "help" with planning our enterprise projects. It consisted of a project manager with a CISSP but no relevant experience related to the projects and another person who again had no real experience. But hey they are certified so all is well right? Then they began bringing in consultants to help fill the help desk seats. Again no relevant experience but they were certified. Supposedly they had someone coming in experienced with our Patch management system, alas, that was a myth. Neither of the consultants even heard of it. 2 days later after I resigned, I got a call to work a 2 week contract in the city for the exact system. I had to chuckle. So they brought in all these consultants to replace the 8 fully qualified full timers, user issues are falling by the wayside, nothing is getting done and overall morale is crap. But hey, it's ok, they are all certified.

Ok one more good one, they didn't even vet these consultants, one was coming in stinking like alcohol every day, he was eventually let go.

Certs are important, I enjoy going for the ones that will benefit my knowledge rather than fill a quota. When I finally did take my first SANS course, I thought it was excellent! For one it forced me to study, otherwise I get distracted when I try to self study and for two, I got to learn some things I didn't know. It's also nice to gauge my success and even better utilize what I learned. Just wish the SANS classes would have some form of student loan program, you are not always lucky to find an employer who will dole out 3500 for a 6 day course. I also agree that certs do not make the individual.
Certs: GCWN
(@)Dewser
<<

WCNA

Full Member

Posts: 187

Joined: Wed Mar 02, 2011 8:05 am

Location: Florida

Post Mon Aug 08, 2011 1:04 pm

Re: Experience vs Certifications

My last job the CIO or CEO (not sure who made the ultimate call in the end) decided that they would take the advice of a hack consulting firm who recommended that they have fully certified staff for their internal tech support.


One of the CISAs here (tturner?) would know better about this but I seem to remember reading that a lot of auditors want (require?) companies to have some sort of certified staff even though the present staff may have superior knowledge.
ISC2 Associate, WCNA, CWNA, OSCP, Network+
<<

tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Mon Aug 08, 2011 1:50 pm

Re: Experience vs Certifications

Let's face it. Humans are not geared for making rational and intelligent decisions about risk. We are notoriously bad at it. It comes down to risk management of your human resources.

A certified person is a somewhat known entity. There is still the possibility that they may be incompetent, but they were at least validated against the set of requirements that earned them the cert. When trying to build mature processes, it helps to have as many known quantities as possible. Variance is the enemy of maturity. Using "qualified" employees also provides some level of defensibility (is that even a word?) when things go wrong.

The uncertified person may well be more capable, and often is but how do you validate that? What do you tell management when you choose an uncertified person over the vastly more qualified candidate (on paper) and then he proceeds to delete your AD domain?

The intelligent choices will factor in multiple criteria including problem solving skills, experience, available resources, certifications, education, etc., but auditors often like to see those credentials because they indicate uniformity and maturity and that's how they structure their reports. I really don't think anyone is wrong, but we don't live in a world of absolutes and there's a lot of gray area here.

Oh and I'm a CISA only so I know how to deal with auditors. I'm not an auditor. I do security testing, not blind checkbox compliance (except when it's the only way to pay for security control X)
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Aug 08, 2011 3:12 pm

Re: Experience vs Certifications

Funny you guys are talking about CISA. I just had an interview (literally 2 hours ago) by a guy who is extremely knowledgeable in security. After the interviewer had a chance to verify my experience, he asked me if I had CISA. He said it is often written in RFPs that at least one person in the team be CISA certified.

So as I said, it's good to have certs. It's hard to have a career as a consultant without any certs since you are constantly applying for contracts. Full time employees, on the other hand, may not need letters next to their name. In both cases however, experience is always a big thing...

Oh and tturner:
Let's face it. Humans are not geared for making rational and intelligent decisions about risk. We are notoriously bad at it. It comes down to risk management of your human resources.

You are so right!!  ;D
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

idr0p

Newbie

Posts: 49

Joined: Fri Jun 17, 2011 8:46 pm

Post Wed Aug 10, 2011 4:29 am

Re: Experience vs Certifications

I think certifications are very powerful when used correctly. Much like Masters Degrees, I feel people need to gain experience first then use the Cert/Degrees to augment their development. I hate it when I see "newbs" come into our company with a M.S. straight out of College and No experience. It is often much less effective because you don't have experience to reflect your learnings off of in your masters degree. That's why it is called a Masters... you are mastering your field. You can master something without being involved. There is no such thing as a Boxer with no hands.
GCIA GCIH GPEN GWAPT
Up Next: CISA CISSP
<<

kennut

Newbie

Posts: 46

Joined: Thu Apr 16, 2009 10:41 pm

Post Wed Aug 10, 2011 5:03 am

Re: Experience vs Certifications

I think it's been debated here in the topics for so long.

The final word on this -> when it comes to certification, yes, if you have it, congrats and it's easier for you to get an "interview", not necessarily a guaranteed job!

I have CISA, CISM and CEH, so what? The point as some have mentioned, companies are looking for people who can do work and do it properly. You may have CISA, but if you cannot do IT Audit work (which is what my previous supervisor had full credentials but cannot do IT Audit work!). And you have lots of CISAs in big four companies, but they don't care about the work, they just need the CISAs word printed on their name cards to look good (quote - financial auditors!)

Again, I was in an interview not long ago, yes, certs do get you to the interview, at the end, it's your experience and attitude that gets you the job. The paper collection is just that.....collection, but it does "help" you to get past those who "don't" have it.

Before I got the certs, there are times the clients would ask me, "why should I listen to you?", but when you have the certs to back you up, you know what you're doing, and you can tell them off, well, I'm a CISA and that shut their mouth!

;D
Last edited by kennut on Wed Aug 10, 2011 7:14 pm, edited 1 time in total.
Done all 3 certs, now going for CISSP.....
<<

YuckTheFankees

Sr. Member

Posts: 332

Joined: Fri Apr 08, 2011 3:07 pm

Post Mon Oct 10, 2011 1:01 am

Re: Experience vs Certifications

I'm going to continue with everyone, yes certs will get you an interview..but once you sit down for the interview and the questions start coming out..they will know if you're legit.

I remember going in for my first networking interview..I had the Network+ and CCNA ( home lab experience) and to be honest..I thought I was going to kick ass. BAM all hell broke loose.

We started talking about my education and certs, then technical questions started. I think I might have answered 2 out of 10 questions right. Yeah I have certs and decent knowledge of networking but I was put in place and realized I need actual experience not just certs.
OSCP in progress
<<

Joshsevo

Sr. Member

Posts: 281

Joined: Tue Dec 29, 2009 11:00 pm

Post Fri Oct 14, 2011 5:13 pm

Re: Experience vs Certifications

I am living proof of the certs debate.  I have my BA as well as CEH, CHFI, Sec+ but no experience.  I still can't find a job that says entry level.  I also have a security clearance...

So I recently signed up for my Master's degree and start in a few days.  That should help me a bit I hope also. 

Experience is so highly sought after that I wish I approached things differently in the past but I can't change the past and can only look forward and move in that direction.
Security+, Network+, C|EH, CHFI, CPT
<<

YuckTheFankees

Sr. Member

Posts: 332

Joined: Fri Apr 08, 2011 3:07 pm

Post Fri Oct 14, 2011 7:45 pm

Re: Experience vs Certifications

Do you have any IT experience? And have you had any interviews?
OSCP in progress
<<

millwalll

Post Sat Oct 15, 2011 12:09 pm

Re: Experience vs Certifications

I think having experience is more important than any qualifications. That is one of the biggest problems in the UK at the moment: there are not enough people breaking into pen testing because they don't have any experience, but the only way to get that is to work as a pen tester.

This is one of the most frustrating things I found when trying to get a job as a junior: hardly any companies will take on a junior, as when they do they are running at a loss. So you get companies just stealing pen testers from other companies by offering them more money.

I also think that no course can really give you true experience in the real world.
<<

Joshsevo

Sr. Member

Posts: 281

Joined: Tue Dec 29, 2009 11:00 pm

Post Sat Oct 15, 2011 12:37 pm

Re: Experience vs Certifications

Yuck,

Very little. I do tech support at my job for 4 yrs. Very little actual computer work. I volunteer at a Computer Forensics lab but it's only after hrs and after my FT job. I can't go down there every day as they are testifying, or go home. So it's maybe once a week.

If I had no bills I would not be in this situation. I could quit my FT job and go down there every day like the owner wants me to.

I have had a few interviews. The most recent was a DoD job in Ft. Huachuca. It's that base in AZ. They said they didn't like my personality and that's the reason I didn't get the job....Really WTF...

There is a Jr computer Forensics position that I am being recruited for in VA but they need to hire a senior Forensics director and they will interview me.

So the only thing I can do is get certs, prove that I can learn and learn quickly and then hopefully find a person that was in my position until he got hired and then hopefully will hire me.

But in the mean time I keep plugging away one day at a time.
Security+, Network+, C|EH, CHFI, CPT
<<

YuckTheFankees

Sr. Member

Posts: 332

Joined: Fri Apr 08, 2011 3:07 pm

Post Sat Oct 15, 2011 1:49 pm

Re: Experience vs Certifications

Josh,

They actually said they didn't like your personality? Wow that's ruthless, WTF?
In about 12-18 months, I'll be in almost the same situation. I'll have B.S. in IT..hopefully finish MS in Info Assurance, and a handful of certs but no security experience.

I hear it's rough out there without any security experience. Are you willing to relocate anywhere (from your post it seems like you are)?

Are you looking for forensics or just any job in security?

I would say definitely get the masters, keep on doing the certs, and eventually you'll get a job. There's no stopping with security. You're doing everything you can, keep up the good work and let us know of any good news!
OSCP in progress
<<

Joshsevo

Sr. Member

Posts: 281

Joined: Tue Dec 29, 2009 11:00 pm

Post Sat Oct 15, 2011 4:18 pm

Re: Experience vs Certifications

Yes they said they didn't like my personality. That's the only reason. The interview went great. I was friendly and answered all of the questions. I was astonished that they said that to me. Yes I am willing to move all over the world. Looking at some jobs in Afghan/Kuwait now.

I will take anything anywhere.

Ya I figure having a Master's degree can't hurt.
Security+, Network+, C|EH, CHFI, CPT
<<

YuckTheFankees

Sr. Member

Posts: 332

Joined: Fri Apr 08, 2011 3:07 pm

Post Sat Oct 15, 2011 6:25 pm

Re: Experience vs Certifications

Can you think of any reason they would have said that?
OSCP in progress