The 80/20 rule of security certifications

TheEnforcerTheEnforcer Member Posts: 16 ■■■□□□□□□□
Hi all,

I came to the conclusion that most IT certifications are BS. You spend a lot of time reading or doing stuff just to pass the certification.

Some bosses or clients are impressed by guys with a lot of certifications, so I want to get some in order to have a good CV.

Do you know certifications that are easy and fast to get (20% effort) and that will impress bosses or clients?

I did some research on LinkedIn and CEH seems to be the certification to get: really easy to get, and people who don't know what security is like it...

Any idea of other easy certifications with a really good ROI? (time/price vs. reward in the eyes of HR, bosses, clients)

Thanks All!

Comments

  • the_Grinchthe_Grinch Member Posts: 4,165 ■■■■■■■■■■
    Interesting tactic to come on a certification forum and say that certifications are BS. Most of the people here will tell you the knowledge is the end game and the certification is the byproduct.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • TechGuru80TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
    I did some research on LinkedIn and CEH seems to be the certification to get: really easy to get, and people who don't know what security is like it...
    Sigh...you should really check your research. 20% certifications that will impress people don't exist.
  • TheEnforcerTheEnforcer Member Posts: 16 ■■■□□□□□□□
    the_Grinch wrote: »
    Interesting tactic to come on a certification forum and say that certifications are BS. Most of the people here will tell you the knowledge is the end game and the certification is the byproduct.

    The problem with certifications is that you have to pay xxxx USD just to pass a multiple-choice exam. If you are interested in knowledge, you can buy a book, do labs, watch videos. This will be cheaper and you can choose what you want to learn. Also, I don't want to spend time and energy learning how to answer questions the way they want (CISSP style). I prefer to spend time on the real skills I need in my day-to-day career.

    I know this post seems like a *****. I'm just trying to figure out how I can hack the certification market. 20% of effort for 80% results on the paper!

    Thanks :)
  • cyberguyprcyberguypr Mod Posts: 6,928 Mod
    This thread is so full of fail. You can always take my buddy's approach and **** your way through certs.

    Edit: whoever gave the negative rep didn't get the sarcastic tone of my message.
  • TheFORCETheFORCE Member Posts: 2,297 ■■■■■■■■□□
    When you discover that rule, please let us know too.

    Everyone feels so entitled these days; they want more and more with less and less effort. Then they complain the government isn't helping them. Must be one of those millennial kids.
  • Danielm7Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    TheEnforcer, do you actually have your CISSP? The way I'm reading your posts is that you didn't do it yet.
  • No_NerdNo_Nerd Banned Posts: 168
    TheFORCE wrote: »
    When you discover that rule, please let us know too.

    Everyone feels so entitled these days; they want more and more with less and less effort. Then they complain the government isn't helping them. Must be one of those millennial kids.
  • TechGuru80TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
    Danielm7 wrote: »
    TheEnforcer, do you actually have your CISSP? The way I'm reading your posts is that you didn't do it yet.
    Even if he did...how could he come to the conclusion that certs are "BS" with only one?
  • Infosec85Infosec85 Member Posts: 192 ■■■□□□□□□□
    This post is clearly taking the P***. Or this guy just has some nerve. Let's all "hack" our way, while the rest of us work hard and scrape and save, sacrifice family life and a life altogether. It's guys like the above that bring the value of certifications down.
  • RomeoJettRomeoJett Member Posts: 14 ■□□□□□□□□□
    My take on it is, a certification does not an expert make. In this industry or any, you can become real jaded if you believe too much of the hype that surrounds your industry. As stated above, it's about acquiring the knowledge more than the paper. The paper just states you met the required set of criteria to prove you know the core concepts. That said, I have learned a lot chasing certifications, but there is always more to learn. I have learned most by doing it, in the lab, and on the job. In IT, education is a must to stay up to date; it's not a vacuum. What's hot today won't be tomorrow; things change. Repetition is the mother of all skill, so study your cert, get your paper, and get the job, then put what you learned to use learning how things work in the production environment. Certs will always be there; they mean a lot to some, not as much to others. Getting certified for me was a challenge to prove I could do it. Don't worry so much about a paper; if you love what you do in IT, your vocation will feel like your vacation. Be a sponge, and absorb it. Chase the certs, but do it because you love it, not because you want a paper or you think it will gain you more income. Only then will you be fulfilled in your career, and if you're lucky you might learn something, and have a career, not a job.
  • Sheiko37Sheiko37 Member Posts: 214 ■■■□□□□□□□
    If you are interested in knowledge, you can buy a book, do labs, watch videos. This will be cheaper and you can choose what you want to learn.
    How do you plan on proving your skills and knowledge to a potential employer? Would your thin resume even make it to the people deciding who to interview?
    Also, I don't want to spend time and energy learning how to answer questions the way they want (CISSP style). I prefer to spend time on the real skills I need in my day-to-day career.

    "they" in this case is the established world of information security.
  • CCNTraineeCCNTrainee Member Posts: 213
    #Inb4Close???? 0_0
  • FadakartelFadakartel Member Posts: 144
    The problem with certifications is that you have to pay xxxx USD just to pass a multiple-choice exam. If you are interested in knowledge, you can buy a book, do labs, watch videos. This will be cheaper and you can choose what you want to learn. Also, I don't want to spend time and energy learning how to answer questions the way they want (CISSP style). I prefer to spend time on the real skills I need in my day-to-day career.

    I know this post seems like a *****. I'm just trying to figure out how I can hack the certification market. 20% of effort for 80% results on the paper!

    Thanks :)

    Well, not all cert exams are multiple choice; some have sims, labs, etc., like CCIE, JNCIE and HCIE. Also, good luck passing HR with just your name and address on your resume.
  • OctalDumpOctalDump Member Posts: 1,722
    Getting back to the OP's question: the easiest certs are the ones you don't have to study hard for, because you know it already. Like for a Senior Network Engineer, Network+ and CCNA are going to be fairly easy; maybe even CCNP isn't too hard. For someone in that position, they'd probably maximise their return by looking at closely related, high-demand specialities. For example, wireless.

    Now, for security land, what move you make is going to depend very much on where you are at the moment. If you have lots of experience, and can prove it, then the certifications which require experience are probably a good bet - most of ISC2 and ISACA are in this group. The experience requirement makes it more naturally in short supply, and again if you have the experience then getting the certification might not be so difficult.

    CEH is a good cert to get if you already have that kind of technical knowledge, but it's a bit of an anomaly in terms of (low) difficulty and (high) 'prestige'. That 'prestige' is mostly among people who don't know what the certification actually is (or that there are two higher levels offered by EC Council). CCNA Security might fit roughly into this mould, but I suspect more people are aware of what it actually is.

    The other areas to consider are the soft skills. If you've been running projects for a year or two, then getting a Project Management certification like Prince2 or PMP or Scrum is a great move. It shouldn't be too hard if you have the hands-on, and the soft skills can help in more senior roles. COBIT and ITIL are also good for the same reason: if you've been working in them, it's not so hard to get certified.

    Seriously, for anything that you have more than a year or two of hands-on experience in, getting a certification shouldn't be more than a week's study.

    The hard stuff is when you are trying to learn totally new skills. Then you spend weeks or months studying.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • CCNTraineeCCNTrainee Member Posts: 213
    You can always pick up programming... it is a skill that will always have a need and requires no certs to "waste money" on. The downside is that it will require more time and effort than you are willing to put in yourself, so good luck. Obvious is super obvious...
  • TheEnforcerTheEnforcer Member Posts: 16 ■■■□□□□□□□
    Hi all,

    Thanks for your replies. I'm not lazy. I just prefer to focus my time on what I really need in my day-to-day job: hands-on skills like pentesting, system hardening and monitoring, incident response and a little bit of malware analysis. For that I created labs, I test new products, I write audit scripts, etc.

    I spent 6 months learning for the CISSP in detail (maybe I went too deep in each subject). This experience disgusted me because I feel like this time would have been better invested doing hands-on labs. I came to the conclusion that most professionals/clients don't really know security certifications. They want a guy with a CISSP and ad-hoc experience. If this guy has the alphabet soup then it's better, because they think the guy is an expert (I saw that... whoooo this guy is CEH!!! We should pay him 30k to run leebaird's discover script and do a report).

    Thanks OctalDump and Romeo for your good and intelligent replies. Based on your replies, I will focus on what certifications are really easy for me at this time. I will spend 3 weeks per exam for CEH/CHFI/ITIL and ISSAP (CISSP concentration); then professional experience and human qualities will be more important than certifications.

    Some answers were really funny to read. I did not recognize myself at all in your replies. Maybe I have to be more like a politician when I speak about the value of certifications on a certifications forum. What I wanted to say is that certifications don't make you an expert. To be an expert you have to actually do the job and train in front of your computer/clients, etc. This is what I want to do. I want to be good, so I'm focused on things that give value to my organization and clients. I prefer spending my time working on stuff I need right now on a project, creating tools to speed up my work. I always try to be better and faster, thus my idea of spending 20% of my energy to get 80% of the perceived value of certifications.

    Thanks all,
  • Sheiko37Sheiko37 Member Posts: 214 ■■■□□□□□□□
    If you like labs then do the OSCP.
  • TechGuru80TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
    I will spend 3 weeks per exam for CEH/CHFI/ITIL and ISSAP (CISSP concentration); then professional experience and human qualities will be more important than certifications.
    Ok...somebody write this down. You have to take the exam and post your results within 3 weeks of each other to "show how fantastic you are." I am pretty sure if you don't pass them all, you will get severely flamed.
  • adrenaline19adrenaline19 Member Posts: 251
    I think you are in the wrong line of work. Go back to Reddit, that's where they teach l33t anon skillz so you can hack your ex-girlfriend's Facebook.

    The vast majority of this forum community would happily trade their certifications for additional knowledge. People like you are what separates B.S. certs from respectable ones. If it's too hard for you, I'm interested in learning from it.

    I'd hire anybody on this forum over some idiot with a bunch of certs but no thirst for knowledge.

    On a related note, is anybody hitting up BlackHat Asia at the end of this month?
  • OctalDumpOctalDump Member Posts: 1,722
    CCNTrainee wrote: »
    You can always pick up programming... it is a skill that will always have a need and requires no certs to "waste money" on. The downside is that it will require more time and effort than you are willing to put in yourself, so good luck. Obvious is super obvious...

    Oh, there are programming certs - they've just not taken off in the same way because of lack of vendor proprietary. There's MCSD, Java, Zend, there's a bunch of secure programming certs, there's devops, and then there's all the frameworks (Agile, Scrum) and PM.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • OctalDumpOctalDump Member Posts: 1,722
    Sheiko37 wrote: »
    If you like labs then do the OSCP.

    I'd second a vote for this, too. It has at least some respect (if not universally) in the pen tester world. And because it is hands on, it encourages more practical skills.

    There's also the CCIE with its lab component. And Red Hat certifications. I think I'm missing another sort of major one which has a huge hands on component.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • adrenaline19adrenaline19 Member Posts: 251
    OctalDump, I really didn't even know programmer certs even existed until you wrote that post, lol.

    TechGuru80, I've made a note, if he fails, we'll definitely flame him.

    I'd take any of you in a CTF team over a bunch of idiots with certs. This fam is chasing the real dragon, not just fancy letters or paychecks.
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    OctalDump wrote: »
    ... I think I'm missing another sort of major one which has a huge hands on component.

    eLearnSecurity are all lab-based. There is also Penetration Tester Academy (but I haven't tried them yet).
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • TheEnforcerTheEnforcer Member Posts: 16 ■■■□□□□□□□
    the_Grinch wrote: »
    Interesting tactic to come on a certification forum and say that certifications are BS. Most of the people here will tell you the knowledge is the end game and the certification is the byproduct.

    I said that MOST certifications are bullshit. Not all. Good certifications are hard to get (need professional experience and months of hard work).
    TheFORCE wrote: »
    When you discover that rule, please let us know too.

    Everyone feels so entitled these days; they want more and more with less and less effort. Then they complain the government isn't helping them. Must be one of those millennial kids.

    I'm trying to be efficient with certifications in order to spend more time on stuff that needs my real attention (not HR's attention).

    I won't use my CEH knowledge to launch nmap -p- -sT -sV -sC on a /16 subnet. I prefer to use the knowledge I obtained after countless hours on GitHub and YouTube, working extra hours to test the security of my company.
    I'm not speaking about reading a book 5 times to remember all the different options of some outdated tools to answer a multiple-choice exam.
    TechGuru80 wrote: »
    Even if he did...how could he come to the conclusion that certs are "BS" with only one?

    MOST certs. Not all.

    I'd hire anybody on this forum over some idiot with a bunch of certs but no thirst for knowledge.

    I have thirst for knowledge. Not certification books knowledge. Real life and relevant knowledge yes.


    I'd take any of you in a CTF team over a bunch of idiots with certs. This fam is chasing the real dragon, not just fancy letters or paychecks.

    Do your CTF, use Armitage to attack 10 boxes running Metasploitable while your friend is busy trying to monitor the boxes with netstat and kill processes he doesn't know because they are not in the Linux certification book.

    And after that you tell me to go on Reddit....


    Only some people were trying to help me. Thanks for your help!

    Now I won't ask any questions. I will find my answers typing keywords on LinkedIn and do some stats to decide what certifications I need to impress HR. Then my hands-on knowledge will do the rest with the end clients or my bosses.

    This will be faster and will free up important time for me to focus on real security stuff and family.
  • TheEnforcerTheEnforcer Member Posts: 16 ■■■□□□□□□□
    LinkedIn results in my future geographical area:

    CISSP : 41
    GIAC : 11
    CEH : 4
    CHFI : 1
    OSCP : 0

    I know what I have to do now
  • adrenaline19adrenaline19 Member Posts: 251
    Congrats, this forum just showed you how to stop being lazy and enumerate.

    Good luck in the future.

    Bye
  • Danielm7Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    LinkedIn results in my future geographical area:

    CISSP : 41
    GIAC : 11
    CEH : 4
    CHFI : 1
    OSCP : 0

    I know what I have to do now


    Start applying for a new job? Sounds like you already have the cert that is the most asked for by a wide margin.
  • OctalDumpOctalDump Member Posts: 1,722
    Danielm7 wrote: »
    Start applying for a new job? Sounds like you already have the cert that is the most asked for by a wide margin.

    I read that as these are the numbers of people in that area with those certs. In which case you can't say much about what is 'in demand'. What you really want to know is something like what's the supply vs the demand.

    Maybe there's a huge oversupply of CISSP. Maybe there's no OSCP because no one wants to hire OSCP. Or maybe there's a huge demand for both. Who knows?

    It's a common trap (not really a trap, but sort of) to think "Oh, there's lots of jobs asking for MCSE. If I get an MCSE, it will be easy to get a job" and not realise that everyone and their cat has an MCSE.

    What you want are the jobs that they have trouble filling, the jobs that they end up compromising on the candidate because they can't find anyone, the jobs that they offer you a starting bonus just because they are desperate for your skills.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • TheEnforcerTheEnforcer Member Posts: 16 ■■■□□□□□□□
    OctalDump wrote: »
    I read that as these are the numbers of people in that area with those certs. In which case you can't say much about what is 'in demand'. What you really want to know is something like what's the supply vs the demand.

    Maybe there's a huge oversupply of CISSP. Maybe there's no OSCP because no one wants to hire OSCP. Or maybe there's a huge demand for both. Who knows?

    It's a common trap (not really a trap, but sort of) to think "Oh, there's lots of jobs asking for MCSE. If I get an MCSE, it will be easy to get a job" and not realise that everyone and their cat has an MCSE.

    What you want are the jobs that they have trouble filling, the jobs that they end up compromising on the candidate because they can't find anyone, the jobs that they offer you a starting bonus just because they are desperate for your skills.

    This was the result for job offers in Europe.

    You are 100% right. If you want a 'really' good infosec job they ask for CISSP/OSCP/OSCE/GIAC/MCSE/CCIE. (good infosec guys want to hire good infosec guys)

    I will be opening my consultant shop in Europe in about 6 months. My clients will be CEOs who just barely know CISSP. The reason I was looking for other certs is that nowadays everybody is CISSP + bunch of small certs. I don't want to be at risk when the CEOs will compare my CV to the CVs of other guys with CISSP and a bunch of small certs with impressive name like CEH/CHFI.

    I will do OSCP/OSCE when I have more free time. I needed an 'easy' plan for the next 6 months. Today I'm busy with the website, lines of service, contacting potential partners, etc.

    Thanks all for your help!
  • Danielm7Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    You're correct, I read it wrong, that's what I get for posting when I'm still barely awake.