The truth about cybersecurity certifications

The truth about cybersecurity certifications | Network World

I'll just set this right here and walk away...

Thoughts?

Find more posts tagged with

Comments

From the author's opinion to my own... (especially as a current IT instructor):

Practical work experience is always going to trump education and certifications. Beyond that, I don't get IT certifications for anyone but myself, unless it is for a job requirement. I happen to believe that a lot of the certifications are very technically difficult, and I have a lot of respect for those that have passed the difficult ones successfully. I also have a lot of respect for those that are successful at their jobs without the certs, and those who have completed formal education. It's like they have said before: "Beauty is in the eye of the beholder."

My two cents, because I'm broke.

bigdogz

The guy looks like Data from Star Trek NG. ...just sayin'.

My take is YMMV. Certifications help but you need experience and education to be a triple threat.

People obtain certifications for different reasons: to learn and grow, a requirement for work, or a requirement for a new job.
There are some certifications needed just to get past HR because the manager or C level writes the requirement for the job and as we have seen on this board, some people will cut corners to get the job.

IT / InfoSec folks take different paths. It was more difficult for the older farts like myself because there wasn't the information, the CTF's, websites / resources, books, and InfoSec groups as there are today. Some may obtain a certification based on their current job duties or to learn new technologies.

There are some books out that can assist and are a good read. They may be used as a foundation or to accent knowledge. But if you want to hack, its hands on work that gives you the chops and understanding of protecting or hacking a host or environment.

chrisone

The authors best bet was to write about how **** and non lab certs are watering down the certification path. Even the certifications with non labs are useful and book knowledge is better than no knowledge.

BlackBeret

The article's not loading for me, but based on the same topic coming up on a regular basis...

I believe ertifications are meant to be a measuring stick for what you know. Too many people go out and buy a book like "How to pass X certification" so that they can pass that certification test without having any experience in the area. While studying for the test they may gain some knowledge (usually very specific to the test and the field in general), they lack the breadth of understanding that actual experience gives them on a topic. Very few things in IT, especially security, are ever textbook. The original process was for people who have experience in X topic to go and take the test to prove they have the knowledge in the area. Being able to study and prepare just for a test without having experience has killed the value of the certification.

No_Nerd

chrisone wrote: »

The authors best bet was to write about how **** and non lab certs are watering down the certification path. Even the certifications with non labs are useful and book knowledge is better than no knowledge.

I gave a presentation on this when I was getting my MBA. People outside of IT found it crazy that you could essentially download copies of exams to get certs needed for a well paying job. I went to point out that this is why the interviewing process is so important.

YFZblu

The article only states the obvious:

"...certifications should be thought of as supporting rather than replacing real-world experience."

There really isn't anything to see here.

NetworkNewb

YFZblu wrote: »

There really isn't anything to see here.

That and the article pretty much says get your CISSP and Sec+, the others are pretty much worthless. And to put in his words they just "add a false sense of pride"

chrisone

YFZblu wrote: »

The article only states the obvious:

There really isn't anything to see here.

agreed 100%

636-555-3226

I downloaded and skimmed the whitepaper he summarized. A few takeaways:

people who answered the questions:

45% of answerers have been employed as a cybersecurity pro for 10+ years. I find that hard to believe since cybersecurity has barely been a profession except for the past 4-5 years. Sure, people did it, but sure as hell not 45% of a general IT population.

22% of people started their IT career as a cybersecurity professional. huh? since when is cybersecurity an entry-level job? if you're responding they could have done something besides IT then gotten directly into cybersecurity, that's a double huh?huh? - since when do random non-IT people (butcher? baker? candlestickmaker?) get roles in cybersecurity?

56% of answerees have the CISSP. I know most cybersecurity people in my geographic area, and i'd say maybe 10% TOPS have the CISSP.

3% of people have the "GIAC certified penetration tester" - what the heck is that?

44% of responders say their org provides the infosec team with the right level of training. HA!

32% of people are contacted by recruiters more than once a week. I get my fair share of headhunters, but i'm nowhere near a few times a week every week basis. if i averaged it out over a month i'd say maybe once a week at best

40% of small companies (less than 100 employees) have a dedicated 100% security team - WTF?

67% of orgs have a CISO or executive-level equivalent - huh?

the only thing this report is missing is calling out that 87% of Security+ certification holders have an income greater than $115k per year!

(not knocking Security+)

BlackBeret

636-555-3226 wrote: »

45% of answerers have been employed as a cybersecurity pro for 10+ years. I find that hard to believe since cybersecurity has barely been a profession except for the past 4-5 years. Sure, people did it, but sure as hell not 45% of a general IT population.

People have worked in IT security since IT was around. It used to be called network security, system security, network security analysis, etc. "Cyber" is a new word to encompass all of it, but it's not new.

636-555-3226 wrote: »

22% of people started their IT career as a cybersecurity professional. huh? since when is cybersecurity an entry-level job? if you're responding they could have done something besides IT then gotten directly into cybersecurity, that's a double huh?huh? - since when do random non-IT people (butcher? baker? candlestickmaker?) get roles in cybersecurity?

I know many analysts who went from working in other areas such as marketing analysis, real estate analysis, intelligence analysis, etc. over to security analysis for IT system, networks, "cyber", etc.

636-555-3226 wrote: »

56% of answerees have the CISSP. I know most cybersecurity people in my geographic area, and i'd say maybe 10% TOPS have the CISSP.

This actually seems low. 100% where I work (contract requirement).

636-555-3226 wrote: »

3% of people have the "GIAC certified penetration tester" - what the heck is that?

You're commenting on a paper about security certifications and have never heard of SANS, GIAC, or GPEN?

636-555-3226 wrote: »

44% of responders say their org provides the infosec team with the right level of training. HA!

If yours doesn't find a better company. Plenty do.

636-555-3226 wrote: »

32% of people are contacted by recruiters more than once a week. I get my fair share of headhunters, but i'm nowhere near a few times a week every week basis. if i averaged it out over a month i'd say maybe once a week at best

Multiple times a week is normal in my area. Even you admit that you average once a week, is it so far off to think that 32% aren't contacted more than you?

shochan

Yeah, the article fails to mention CASP, which is fairly newer...CISSP vs CASP...I have read mixed reviews of the difficulty and which is the better cert. Don't you have to be endorsed to take the CISSP, unlike the CASP? Most are going to say CISSP is the champion and better cert...I was just curious George, just like everyone else on here.

Having my Sec+ has headhunters contacting me daily...either by phone or email.

Cheers!

bigdogz

...it is only Part 1.

...never heard of GIAC... you should. I'm on my way of certing up with one of those credentials... not cheap but it is worth it.

Another thing to mention is that most vendor neutral certifications is to provide CPE/ECE/EU's in order to maintain the credentials. This includes conferences, webcasts and other forms of keeping up with technology. I normally have more than needed but I find ways to get them in the case of an audit.

mbarrett

I'm sure the reason Sec+ is so prevalent is that it's the simplest way to maintain the dod 8570 baseline requirement. It's mostly a check in the box for people doing more technical stuff, or for entry-level Infosec folks a lot of the time...

Mike7

On that page are related links of which one is Essential certifications for smart security pros

Best to have both experience and certification. Unless you use brain ****; you do learn new things when studying for that certification. The more you learn, the more you realize you do not know. For example, not many people I know have experience in all 8 CISSP CBK domains.

DoD jobs require certification. Certification do provide some level of credibility when I was a vendor in a previous job; customers do not ask that many questions. And that alphabet soup of initials puts you in recruiters' spotlight; I experienced it first hand the day I added CISSP to my LinkedIn profile. Beyond that, you do not have to show off that list of certs to others.

JDMurray

This article appears to be based on the points of view of the cybersecurity professionals who have been hired for cybersecurity jobs and not the managers who are actually hiring the cybersecurity professionals. This means the opinions used in this article are purely speculative, because these people were not part of the decision-making process that determined which cybersecurity professionals to hire.

I have a CISSP, but I have no idea how it was a factor in hiring me for any the jobs that I have held. To know that, you would have to ask the HR and managers that hired me. I did not see the decisions being made behind the scene, so my opinion is a wild-ass-guess as to the factors considered that lead to me being hired. I should have been interviewed for this article too.

OctalDump

I'm surprised that so few have Security+. If you look at the methodology and its approach, then the fact that CISSP is highly rated is completely expected. It's like if you asked all IT professionals to agree on the best IT certification/qualification. Probably it would be something like a generic Bachelor degree in IT or CS. However, in any specific speciality, there'd be different responses - in networking you might see the CCIE, in programming maybe a CS degree, in system admin maybe MCSE etc etc. So within the broad field of Info Sec (or even Cyber Sec), there'd be different responses from those dealing with network defence to those doing forensics to those doing incident handling or penetration testing or auditing/compliance or management etc etc. And that doesn't even deal with industry or geographic specific concerns.

So the conclusion that CISSP is more worthwhile than, say, CCIE Sec, for any specific role is bunk. It's not really a sound conclusion.

The actual study is here. It is survey based, and the respondents were all ISSA members (taken from the ISSA membership list). That alone might colour the responses, and might not be a fair and accurate representation of the broader field. Also, although this is marketed as "global", 86% of the respondents are in North America. About a third are in Senior Management, about a third are "grunts", and the rest is 14% other management and 20% "other".

It takes a little digging, but 86% have some kind of certification. They don't seem to report on who has "generic" vs "specific" certifications, which is central to the issue I mention in the first paragraph: the more specific the certification, the more specific its use and benefit.

It's quite frustrating that they don't look at qualifications, since being qualified is central to being a professional. There needs to be some baseline qualification of role specific skills and knowledge that differentiates you from someone who simply asserts that they are a professional. It's also true that for many roles, a diploma or degree might be sufficient qualification and certifications are less relevant. For example, if you had a choice between someone with high school and a CCNA and someone with a Master's degree in network engineering for a Network Engineer role, who might you pick? Could the person with the Master's get through their career based on that Master's and experience more easily than some could get through a whole career with any single certification? Who knows. They didn't ask questions that might illuminate that difference.

I'm not that impressed by the methodology of the study. It basically tells you what Cyber Sec professionals "think", rather than actually qualifying that against reality. To put it in another way, if the majority of respondents thought that there was no value in any training or qualification would that mean that there actually is no value in training or qualifications? What if the majority of respondents have no qualifications? Might that colour their response?

These surveys are really popular in business academia, but ultimately aren't always a good tool. They tend towards an epistemology that is more constructivist (stories we tell ourselves and each other) than empiricist (cold, harsh reality measured in facts and numbers).

The question that needs to be answered, and I don't think this methodology can answer it, is: do professionals with qualifications/certifications deliver better outcomes for their clients/employer? And maybe, is that difference the result of the qualifications themselves? ie can I take a random IT person, get them to take certain qualifications/certifications and then have a better employee?

Those are pretty fundamental questions, and goes to the heart of the real value of these certifications, rather than the perceived value. If you have good evidence of this real value, then you can reshape whatever the perceived value is.

JDMurray

OctalDump wrote: »

Those are pretty fundamental questions, and goes to the heart of the real value of these certifications, rather than the perceived value. If you have good evidence of this real value, then you can reshape whatever the perceived value is.

The only real value of IT certifications in the hiring process is that they greatly aid hiring managers in deciding which candidates to pick for a first-round interview. Once in that interview, certifications are irrelevant; the candidate's knowledge, experience, and personality is what will shine through.

It is also worthwhile to consider the competency--or lack thereof--of the managers conducting the hiring process. Too many managers unfamiliar with specific certs will tend to either over-regard them or dismiss them. This leads to good candidates being passed over, and bad candidates being chosen because they have an impressive list of certs.

whoknew

I disagree with the author's base premise. While he correctly points out the fact that the magic trifecta is education, certification & experience, he fails to recognize the value of the first 2.

A case in point: I really wasn't involved with Cisco ASA firewalls very much until 3 or 4 years ago. A local community college where I was pursuing an AAS degree (part-time) in IS Security, required a network security course that was based around the CCNA Security course via the Cisco Network Academy course & in-class, hands on learning. So I was introduced to 5505, 5510 & 5520 ASAs in a lab setting while completing the CNA coursework and a course requirement for my degree.

The knowledge I picked up in the course & from the cert led to my company asking me if I wanted to do some FW work in addition to my regular responsibilities. So there it is: education, certification & experience. And to that end, the CCNA Security certification was central in leading me to Cisco FW opportunity & experience.

beads

@636-555-3236;

I do not recognize security as being a "profession" as we are not licensed to practice anything but with our home networks.

What we refer to as the "first generation security people" started in the early to mid 1990s. Some of these people went on to create, for better or worse, the CISSP exam to compete against the likes of the then popular CNE. They were so happy to reach 500 examinees! Second or follow generation transferred to or from most infrastructure in the late 90s and early 2000s. I myself stated in 1998 when I couldn't find anyone competent to help with network worms and firewalls, policy, etc. All very basic at the time compared to what we do today. Security+ was very popular and made you 'a security person'. Still not many dedicated positions but it was becoming the "big" thing even back then. The CISSP was around 2500 only because Shon Harris was teaching people something about security. SANS was started and going by the long form of Systems Administration Networking and Security (SANS) Institute. Don't have the immediate dates but close enough.

From there things either snowballed or went avalanched downhill as training and certification has become today more synonymous with get rich quick schemes than measuring capability on the job but that's at the tolerance of management and less by the peers themselves.

All and all it depends on whether your glass is half full or half empty. Having worked my way through a career in IT and waiting til I had every possible detail correct before hitting an exam - others seem to be quite happy taking a shortcut and failing later on the job - or should. Management's reaction to all this is to do more contracting or contract to hire type opportunities as the reaction. But we have more "qualified" people as a result, right?

Yeah, I am looking at Tipton's comments over the years and grinding my teeth.

- b/eads