Did some profile stalking on LinkedIn (Security)

I spent a while reviewing security LinkedIn profiles and noticed that most heavy hitters only had 1-2, sometimes no, certifications listed.
The government sector security resources did carry IAPP (I believe), not that many though. Saw a couple of Security+ out there as well.
Most had CS degrees from top universities. Interestingly enough, none had a master's in security (I did notice multiple bachelor's though). Most of these folks were influencers on LinkedIn, posting articles with a lot of followers. Not sure what the takeaway was, except that the top-notch, followed "security pros" listed very few, if any, certificates.
Looks to be a badge of honor with no major value, especially in aggregate.
It seems the truly talented / bright security professionals are almost exempt from certificates, while the 3rd tier, etc., seem to really leverage them.
Comments
2. Security degrees are a new idea, thus these will be more common in people with around 7 or fewer years of experience (that's about when they started coming out). Traditionally, CS, CIS, and MIS were the options. That means somebody who is a 15-year expert is very unlikely to have a security degree. Also, most people will go for an MBA-type degree if they have a technical undergraduate degree and want to get a master's.
Certifications show a baseline of knowledge and the ability to commit to learning... nothing more and nothing less. You will see that when people reach a certain point they really start to focus on where they want their career to be, which in turn requires fewer certifications instead of every Associate-level certification.
Blog: www.network-node.com
I think he was talking about how portly I look in my profile pic.
There are a ton of 2nd and 3rd tier security professionals who load up, but what's interesting is the 1st tier pros seem to be exempt from the certifications or have very few.
Again, like I said before, certifications in aggregate don't seem to carry much more punch than someone with one or two. It's basically like having multiple degrees; the law of diminishing returns most certainly comes into play eventually...
Heavy hitter is someone who is an influencer (as I mentioned before) who has a lot of followers in the security space... Think of the crème de la crème.
You are just big boned.
In lieu of certifications they write publications and speak at large engagements.
As I do more research, it's not always a CS degree, but a lot of these folks have engineering degrees. Pretty interesting findings...
Another component is military experience. A lot of them have officer-level intelligence experience in the security space. Even some local CISOs in privately owned companies have military experience, usually...
Maybe I'll start to tally these folks on a few variables and provide some analysis.
That said, I tend to side with Iristheangel, all the "heavy hitters" in my network do have industry certs and alphabet soups at the end of their names.
That may be so, which I am not disagreeing with, but...
***Update
I haven't seen one security degree listed yet, and I looked at dozens of CISOs and other high-level security professionals. Just to be clear, I am not saying they don't have certifications; it's probably 70 don't (or at least don't list them) and 30 do, with that count being around 1, maybe 2, never more than 2.
There actually could be a negative correlation coefficient between security position level and the quantity of security certifications...
Security certifications seem to align more with the worker bee and not the visionary or leader.
In all fairness, the CISO is a relatively new C-level position; it could be that most of the initial CISO positions were filled by people with more executive backgrounds as opposed to information security backgrounds, and thus would be without certifications. Also, certifications are by no means needed to head an organization's information security or protect IT assets.
I do agree, for those wanting to move up in ISM leadership, we probably need the certs to establish credibility and get noticed. Someone at the top would need the certifications less because they already have the CISO position, and investing in certs would provide minimal returns. No doubt they do invest in education, i.e., attend executive seminars relating to information security, but if they made it without certifications, then they probably won't get them.
I would be interested to see correlation of security breaches versus ISMs/CISOs who have or don't have certifications, and see if those who are not certified have more breaches than those who are.
Blog: www.network-node.com
They don't need to know the ins and outs of the info from the knowledge gained from studying certs - they have staff and managers who should be capable of giving them the management summary version of what is needed, and so long as they have been working in the field for a while they will have a good understanding of the context for this all.
If they are effective managers then they don't need to have dogs and bark themselves. Their main skills should be keeping IT security aligned with the business strategy, keeping best practice for security embedded in working practices, keeping their managers running their teams effectively and keeping abreast of new initiatives in the security arena.
Not much there that certs would help with. In fact, getting bogged down in the minutiae of the latest releases of threats can be counterproductive for them, so it is far more effective for the lower levels to do this and just keep them informed of what is going on and what the recommendations are.
Just pointing out that the higher you go in the management chain, the less important tech certs are and the more important people skills and negotiation abilities are.
Tech certs may be less important, but being well-informed in information security is very important for CISOs. And people & negotiation skills are extremely useful for anyone regardless of level.
https://www.naukrigulf.com/chief-information-security-officer-jobs-in-muscat-oman-in-client-of-headhonchos-com-15-to-25-years-jid-220417500147
Certs are not the end all be all, but they can certainly get you noticed, and they prove at least a fundamental external confirmation of one's claim of expertise.
https://www.my.jobs/jobs/?q=%22Chief+Information+Security+Officer%22#1
Bottom line, if you aspire to be a CISO, certifications will not hurt or stop you from that goal.
The CISOs that I've seen hired might have been technical 10+ years ago but have been heavy into management and planning since; I don't in any way consider them on the same level as a top-notch security person.
Also, if you define the top-level security folks differently, you get people who do research and have been doing DEF CON presentations for 15 years; most of them don't need certs. They can walk into any security-minded company and get hired on their name alone. Most of us are not there and never will be, so we need things to differentiate ourselves.
Most certainly not saying certifications hurt; that's silly. If anything, you can remove them to scale for the position. Keep in mind I am not talking about a worker bee security engineer; of course certifications help for most of those positions.
In fact, I did some research about a year ago using some automation and Excel and was able to identify which certifications and degrees tie back to certain security jobs. While some certifications were highly sought after for certain positions, others came up less than 5% of the time. In fact, most certifications weren't listed as required or preferred.
Exception: CISSP for most positions, ~50%, and OSCP for pen testing positions, along with the CISSP. C|EH was another certification that was somewhat highly sought after.
Not knowing the names you looked at, it is entirely possible some of these guys established themselves by other means, and thus didn't need the certs because they are at the top. I can't imagine Kevin Mitnick having IT certs, for instance. Others could have got established in less nefarious ways, publications, blogs, or just plodded along upwards until they reached the top. For them, getting certified at this point would provide little in returns.
Today, for those starting off, certs are of more value, if for no other reason than to get noticed and provide external validation of experience and knowledge.
Certs can work against you, of course. Having a broad spectrum of certs, none of them high level, one could appear unfocused or not very skilled in any one thing. Having tons of certs, it looks like one just spends their time studying to pass cert exams, and rightly others would wonder about their real skills - the infamous paper certs. Indeed, my own recommendation to my guys who have a lot of certs is to only list on their CV the ones relevant to the job posting they want to apply for.
My hobby, other than drinking wine, making money, being a respectable husband and good father is to ask questions and to follow up. The hype machine can get out of hand especially in the certification market.
I like to attempt to look at jobs, roles, certs, education, social factors in a different light and see if the way the masses think is incorrect or if in fact there is some legitimacy to it. I have a limited statistics background, QBA 336 and 337, AKA Statistics 1 and 2 at the University level along with some additional training.
In other words it's what I like to do....
Thoughts on a good way to poll some data? I'm looking at using stratification for my sampling techniques. I have a full SSIS/SSAS environment at home I can use to run some cross-correlation on data sets, and have strong SQL skills, so modeling the data should be a breeze.
The capture would be the challenging part.
I really need to put the stat books down and start to familiarize myself with the APIs for these social sites.