Why so many certifications for the security field?

Correct me if I am wrong....

So I can see this scenario.

You get an entry level certification to begin brand yourself entry level security, looking to break in the field. Security +

You work 2 - 5 years doing your low level role and now you want to become a "pro". You get your CISSP or maybe one of those upper level pen testing certifications. Seriously.... If you have 5 years of security experience with a Security + and the CISSP or OSCP or something similar aren't you positioned to take off in the security field?

Here is where I get confused, why do a lot of you get 8+ certifications as a professional. Project management for instance isn't like this. At MAX you would get 4 certifications, PMP, CSM, ITIL (for service management) and maybe six sigma, that would be TOPS (sorry left out prince 2, so replace one of the others). Still over the course of a project management professional (let's say 10 years, you only need to get 4 certifications to keep up with the Jones.

But security is a different beast or so it seems. You have sooooo many certifications it has become ridiculous. Almost a joke from the outside looking in. Of course I say this with the utmost respect, knowing from you all that a lot of these are VERY challenging which makes it even more perplexing.

Can some one shine some light on this? It seems security has surpassed systems and networking, and I'll be honest. In "real" life I know very few system guys with certifications, most of them had A+ many moons ago and it never expired and they still keep it as badge of honor of sorts. But once they get into the Unix/Linux/MS infrastructure ranks you don't see certifications that much. ***I've worked in 3 fortune 500 companies and even managed a infrastructure team for a short period of time. So my visibility into this has been from multiple angles.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

ITHokie

xxxkaliboyxxx wrote: »

This is the main reason DoD Approved 8570 Baseline Certifications

Get on that list, you become a money making machine.

PS: How in the hell did CFR get on there LOL. Best believe it will bring up their net worth.

Yeah, that certainly contributes. But you only need CISSP for IAT III and C|EH for all CCSP categories. Those are the categories that generally apply to technical roles on the contracts I've worked on.

Ertaz

ITHokie wrote: »

Yeah, that certainly contributes. But you only need CISSP for IAT III and C|EH for all CCSP categories. Those are the categories that generally apply to technical roles on the contracts I've worked on.

Don't you usually need a CE (Computing Environment) cert to go with that like CCNP or MCSE?

ITHokie

Ertaz wrote: »

Don't you usually need a CE (Computing Environment) cert to go with that like CCNP or MCSE?

Yes - CE is also necessary, but that is a separate requirement from IA (what was linked above).

bigdogz

DatabaseHead wrote: »

All this shows is how vast the security space is (very cool I might add), however it has nothing to do with an individual getting 10+ security certifications.

Information technology can be broken down into that many groups as well. You wouldn't get certified in all the domains / areas, it wouldn't make sense.........

I've come to the conclusion like others have stated, there is a market to be exploited and people are willing to spend dollars in this area.....

PS awesome map, thanks!

Now more than in the past 10 years there are more facets of Information Security.
Let's apply this to a real world scenario.

Your accounting team discovers that your online orders were sold for a quantity of 400,000 for -$10.00 instead of $100.00 1 month ago.
You are going crazy blaming the web guy and his boss for this extremely aberrant mistake. They swear that everything was done correctly and inspect some code changed by the owner of r00t or systam32.
The Web manager goes to the IT boss and ask who the ID is. They respond, by 'We never created that account' meanwhile your website is still dolling out $1.00 to someone names Miss Moneypenny because that hacker likes James Bond and has a sense of humor.
Both the Web and IT manager discover that you have been hacked and come to you.
What do you do?
Do have a security team?
No. Because you felt that there 'is a market to be exploited' and find no need for one.
Take down the website because you are bleeding BAD. You tell the IT and Web guys to bring back a new website with only a simple text line that shows your site is 'Under Construction'.
You also have a meeting with the board... fun, fun, fun.

Since you are a private company you decide to keep this on the down low and have all of your employees sign some form of NDA about the issue.
It was too late, one of the IT guys posts a some sarcastic comment on twitter with a 'pants on the ground' reference. You fire him and have him remove his post and give him a 2 week severance check.

You bring in the IT and web teams and start to see what 'we' can do to solve the problem.
One of the IT guys, Tom, who on his own paid for a few of very technical Infosec certs raises his hand up and upon being acknowledged tells you the following should have been in place, a WAF's, a SEIM, someone who knows how to look through a SEIM, some more pen testing software and forensics hardware, have someone secure the code and test each change, run quarterly VA and Pentests.
You stand up and yell 'Why the hell didn't we have these in place?'
He comes back with 'My boss didn't see this as a priority and too be honest, we are really busy just trying to keep things up and running'.
You shake your head in disbelief and start to develop the Yosemite Sam version of tourette's syndrome.
You asks if he wants a new security position to take care of this and other issues like it if you double his salary.
He comes back with this is going to be challenging....'You know what I make. Triple my salary, give me a team of 5 and give me 10k in training a year each'.
' FU%&ing Sold', you reply still with Yosemite Sam version of tourette's syndrome
Tom then decides to call the FBI because he is a part of HTCIA and friends with some people in the bureau.
The next day they show up and start their investigation. They also start their forensics. This takes 2.5 weeks to find the attack and another 3 or 4 days to reverse engineer the new exploit.
The special agent and Tom walks into your office and wants to speak to you. Tom shows you the report generated by the FBI.
The FBI special agent comes up to you and tells you the best practices.
They also tell you that the person was a 14 year old kid in Santa Monica who did it by using Malware that would create zombies in your network that would slowly send information and just hacked your web servers because he wanted something better than a XBOX One and a 32' screen and was bored.
Luckily you had decent backups that were not contaminated but it will take your company 3 months to get back to normal.

In cases that may be smaller or are out of the FBI's jurisdiction, your organization may end up losing the money.

This is an example that I have seen happen. The names have been changed to protect the innocent.

TheFORCE

You need all kinda certs, not only security certs because of things like this Verizon Breach: 6 Million Customer Accounts Exposed

UnixGuy

DatabaseHead wrote: »

In your experience, your peers in the Unix field didn't care about certifications? If so that is what I found as well, not that I am worth a dang at Linux/Unix but working hand in hand with these folks, it was like once they locked into Unix/Linux that was it and certifications had no place.

Sorry just wanted to follow up with you in regards to this, I find it interesting.

That's right, specially with Unix(Solaris/AIX/HP-UX/SCO-Unix) even before Linux was a popular server choice. You either knew what to do (or knew HOW TO FIGURE IT OUT) or you didn't. Lots of dinosaurs looked at certs as a waste of time, they wanted to see that you had experience migrating servers and configure stuff and troubleshooting obscure software that you haven't seen before rather than passing an exam - but it's subjective. I always did both, played hands on and took certs.

Security seems to over do it...but I'm pro certs in general so it doesn't bother me. I'm lazy when it comes to passing those certs exams unfortunately, need to get off my ars and work harder

Ertaz

UnixGuy wrote: »

That's right, specially with Unix(Solaris/AIX/HP-UX/SCO-Unix) even before Linux was a popular server choice. You either knew what to do (or knew HOW TO FIGURE IT OUT) or you didn't. Lots of dinosaurs looked at certs as a waste of time, they wanted to see that you had experience migrating servers and configure stuff and troubleshooting obscure software that you haven't seen before rather than passing an exam - but it's subjective. I always did both, played hands on and took certs.

Security seems to over do it...but I'm pro certs in general so it doesn't bother me. I'm lazy when it comes to passing those certs exams unfortunately, need to get off my ars and work harder

If you do the things and study the things you are almost unstoppable. I was really proud of my HP-UX CSA, then I left the job that used it and went back to Solaris. Some how my csh scripting has gotten rusty.

UnixGuy

Ertaz wrote: »

If you do the things and study the things you are almost unstoppable. I was really proud of my HP-UX CSA, then I left the job that used it and went back to Solaris. Some how my csh scripting has gotten rusty.

agreed, the certification material was extremely useful eventhough people in the field didn't care much

bigdogz

My point was in #17.... Learning Linux was something that did not have certifications at the time.

...SCO... now you are taking me back!
At the time there was no Google, you had to spin up a box on your own and play with it to learn unless you went to a college where you were taught some programming languages Basic, Fortran, Pascal.... not so much the OS.

I don't consider myself just a 'Linux guy' since I work on different OS's, but I did work on the certification for my company and learned a few things. I shared them with our team and we are stronger from it. If you do not use it frequently you may tend to forget some of the material or tools to perform the job.

E Double U

I get them because:

- employers want them (so they foot the bill)
- it is fun (I enjoy the continued learning)

EnderWiggin

bigdogz wrote: »

*Wall of text*

Having someone with a bunch of certifications and having a knowledgeable security team are not the same thing. It is entirely possible to learn technical skills without taking a multiple choice test afterwards.

Your story also looks like it has nothing to do with certifications, and everything to do with leadership that didn't prioritize security.

kurosaki00

UnixGuy wrote: »

Lots of dinosaurs looked at certs as a waste of time

Now sometimes is the opposite. I recently worked as a contractor for a company, I helped them with a lot of asset management issues and developed processes for them. Their manager, who had like 10 years of management experience, had like 10x10 frame of A+ in his office wall.
I do not mind people wanting to exhibit their achievements but c'mon... 10 yrs management in IT and displaying A+ on your wall, cards, emails.
This same person hired someone who had barely any experience as a network admin, as a "senior network admin" because he had CCNA. Spoiler alert, he had to hire someone else with more experience to manage the company's network. I asked him WTF, why hire someone without experience for a position requiring a lot of in dept network skills? He said that he had CCNA and that was a very difficult certification. He assumed he had the skills.

I finished my contract, delivered my sh1t and off I went to a new gig.

PJ_Sneakers

xxxkaliboyxxx wrote: »

This is the main reason
PS: How in the hell did CFR get on there LOL.

I agree 100%. I attended an official CFR class, and it had nothing to do with IR. It was about as deep as Security+ and had a very short and inadequate section on forensics. The courseware had very little to do with being a first responder to a cybersec incident.

E Double U

kurosaki00 wrote: »

Their manager, who had like 10 years of management experience, had like 10x10 frame of A+ in his office wall.

"Don't act like you're not impressed." - Ron Burgundy

ramrunner800

DatabaseHead wrote: »

If you have 5 years of security experience with a Security + and the CISSP or OSCP or something similar aren't you positioned to take off in the security field?

Probably not. The idea that security is one field is a misconception. It is actually a number of distinct fields requiring diverse skill sets to perform in each one. People get multiple certifications in order to demonstrate proficiency in different fields.

If someone applied to my SOC with Sec+ and CISSP they're not getting interviewed without significant directly applicable experience. A GCIA or GCFA, on the other hand, will almost automatically get an interview. When it comes to technical security roles, CISSP brings nothing to the table. If you follow the infosec Twittersphere at all, you'll note that #notacissp trends pretty hot, and a lot of folks have put it in their tag line. CISSP isn't exactly a negative bullet on a tech person's resume, but I do wonder what value calculation they made that made them decide to waste time getting it, rather than studying something that would improve their skills. That will get ferreted out in the interview.

This isn't just to rag on CISSP. There are specific certs that are applicable to specific parts of the field, and indicate different levels of skill. Just having a four letter cert that starts with G isn't going to set you up to work wherever you want either. You need to have the right ones that demonstrate skill and training in the specific area for that job role. You could have OSCP, OSCE, GPEN, and GXPN, and still have no idea how to do lots of basic blue team things. (though you will have demonstrated that you know how to learn, which is REALLY important)

The last thing I'd say is, as others have said, multiple certs demonstrates continuous study and improvement. In security that's more important than in many other areas of IT. Things in security change from week to week, or sometimes even day to day. Keeping up with the state of the art is very important to being able to perform the job. My org sends everyone to SANS at least once a year for this reason. This keeps everyone abreast with the latest and greatest tech and trends, and leads to racking up some certs.

MitM

While I'm pro cert, I'm tired of them at the same time. I always want to be learning something, but doesn't mean I need to certify to do it. There are times I feel that I'd learn more, if I wasn't studying something so specific. For instance, right now my plans are finishing the the remaining 3 exams for CCNP Security and CISSP. Do I really need both? Probably not. I could probably get away with just the CISSP. If I did that, I could still study every day, but change it up often. learn Cisco ISE one week, learn ethical hacking the next week, etc etc

xxxkaliboyxxx

ramrunner800 wrote: »

Probably not. The idea that security is one field is a misconception. It is actually a number of distinct fields requiring diverse skill sets to perform in each one. People get multiple certifications in order to demonstrate proficiency in different fields.

If someone applied to my SOC with Sec+ and CISSP they're not getting interviewed without significant directly applicable experience. A GCIA or GCFA, on the other hand, will almost automatically get an interview. When it comes to technical security roles, CISSP brings nothing to the table. If you follow the infosec Twittersphere at all, you'll note that #notacissp trends pretty hot, and a lot of folks have put it in their tag line. CISSP isn't exactly a negative bullet on a tech person's resume, but I do wonder what value calculation they made that made them decide to waste time getting it, rather than studying something that would improve their skills. That will get ferreted out in the interview.

This isn't just to rag on CISSP. There are specific certs that are applicable to specific parts of the field, and indicate different levels of skill. Just having a four letter cert that starts with G isn't going to set you up to work wherever you want either. You need to have the right ones that demonstrate skill and training in the specific area for that job role. You could have OSCP, OSCE, GPEN, and GXPN, and still have no idea how to do lots of basic blue team things. (though you will have demonstrated that you know how to learn, which is REALLY important)

The last thing I'd say is, as others have said, multiple certs demonstrates continuous study and improvement. In security that's more important than in many other areas of IT. Things in security change from week to week, or sometimes even day to day. Keeping up with the state of the art is very important to being able to perform the job. My org sends everyone to SANS at least once a year for this reason. This keeps everyone abreast with the latest and greatest tech and trends, and leads to racking up some certs.

You are 1 out of 100 hiring authorities that do not see it that way. CISSP is required by the contract or hiring agency to just get interviewed. In those cases, doesn't matter if you are a hacking child prodigy who hacked the national bank at 15 years old, but doesn't have a BS or CISSP, you won't get the interview.

Commendable for your point of view, but just not valid for a lot of agency jobs or companies trying to work with the government in the US.

ramrunner800

xxxkaliboyxxx wrote: »

You are 1 out of 100 hiring authorities that do not see it that way. CISSP is required by the contract or hiring agency to just get interviewed. In those cases, doesn't matter if you are a hacking child prodigy who hacked the national bank at 15 years old, but doesn't have a BS or CISSP, you won't get the interview.

Commendable for your point of view, but just not valid for a lot of agency jobs or companies trying to work with the government in the US.

I definitely agree with you when it comes to the government and hiring agencies, I've observed it myself. We don't use recruiting agencies anymore for that reason. I think that those certs get you in the door for those jobs, which is why we don't throw away resumes with CISSP on them. You can't knock someone for doing what it takes to get past HR and through the hiring requirements. I'm not trying to say, don't go get your CISSP, but responding to OP's questions about being set for life once you get it, and why people would go seek more. My experience is also limited to large corporate industry, and we can pretty much hire who we want. In the government it's a whole different ballgame. (I used to work in government) That all being said, in my limited personal experience, the CISSP holders working at the analyst level in the SOC's/IR Teams I have worked in have generally been less technically skilled, and prone to making poor technical security decisions. I am sure the reasons for those things are very complex, so YMMV.

ITHokie

EnderWiggin wrote: »

Having someone with a bunch of certifications and having a knowledgeable security team are not the same thing. It is entirely possible to learn technical skills without taking a multiple choice test afterwards.

Your story also looks like it has nothing to do with certifications, and everything to do with leadership that didn't prioritize security.

Agreed, leadership did not prioritize security. But that's a necessary component, not a sufficient one. Beyond prioritizing security various skill sets are needed to execute it. I completely agree that certifications are not necessary to having a knowledgeable and skilled security team. I will say that, having performed many technical interviews, people with multiple technical certifications correlate more reliably with better skills than people with no certifications at all, but that certainly is not always the case.

More importantly, I think what the poster is alluding to is that there are many facets of security requiring diverse skills. Having certifications corresponding to those various skills is useful. Being certified in all of those various areas isn't necessary but it makes sense as it gives employers an indication that that one has some baseline level of knowledge there. Individuals with backgrounds in multiple areas are especially valuable because they have idea of how various components of security operations should work together.

ITHokie

xxxkaliboyxxx wrote: »

You are 1 out of 100 hiring authorities that do not see it that way. CISSP is required by the contract or hiring agency to just get interviewed. In those cases, doesn't matter if you are a hacking child prodigy who hacked the national bank at 15 years old, but doesn't have a BS or CISSP, you won't get the interview.

Commendable for your point of view, but just not valid for a lot of agency jobs or companies trying to work with the government in the US.

Sadly, this is an accurate portrayal of of the general state "cyber" security in government and the corporate world. That really needs to change. I wish more organizations would take ramrunner800's approach.

UnixGuy

kurosaki00 wrote: »

.... I asked him WTF, why hire someone without experience for a position requiring a lot of in dept network skills? He said that he had CCNA and that was a very difficult certification. He assumed he had the skills.

I finished my contract, delivered my sh1t and off I went to a new gig.

Oh dear...why am I not even surprised. I've seen way too many stupid hiring decisions that nothing surprise me anymore.

DatabaseHead

Sadly these stories seem to be the norm.

I've seen other tech positions hiring strictly because of certificate. Some people can't get the idea that the whole package is what you look at not some subset......

This can swing the other way as well, just degree or just experience. I understanding weighting from your personal experiences or what you feel best aligns with the position or company itself, but to just isolate one piece is strange.

bigdogz

EnderWiggin wrote: »

Having someone with a bunch of certifications and having a knowledgeable security team are not the same thing. It is entirely possible to learn technical skills without taking a multiple choice test afterwards.

Your story also looks like it has nothing to do with certifications, and everything to do with leadership that didn't prioritize security.

No. They are not but the IT guy that chooses to look into infosec as a hobby or another interest will have some motivation to join other groups and attend CTF conferences where we can build a foundation of knowledge. Most of these people who have this type of interest of infosec excel within the field.

Actually it is about the one IT guy who did not save everyone's bacon but knew how to react because he knew how to respond to an incident, especially when everyone else does not look at security as a priority until it happens to them.

bigdogz

ITHokie wrote: »

More importantly, I think what the poster is alluding to is that there are many facets of security requiring diverse skills. Having certifications corresponding to those various skills is useful. Being certified in all of those various areas isn't necessary but it makes sense as it gives employers an indication that that one has some baseline level of knowledge there. Individuals with backgrounds in multiple areas are especially valuable because they have idea of how various components of security operations should work together.

...and this was my second point. Correct.

Quick Links

All Categories
Recent Posts
Activity
Unanswered
Groups
Best Of