Did some profile stalking on LinkedIn (Security)
DatabaseHead
Member Posts: 2,754 ■■■■■■■■■■
I spent a while reviewing security LinkedIn profiles and noticed that most heavy hitters only had 1 - 2 sometimes no certifications listed.
The government sector security resources did carry IAPP (I believe), not that many though. Saw a couple of Security + out there as well.
Most had CS degrees from top Universities. Interesting enough, none had masters in security ( I did notice multiple bachelors though ). Most of these folks were influencers on LinkedIn, posting articles with a lot of followers. Not sure what the take away was, except that the top notch followed "security pros" listed very few if any certificates.
Looks to be badge of honor with no major value, especially in aggregate.
It seems the truly talented / bright security professionals are almost exempt from certificates while the 3rd tier etc, seems to really leverage them.
The government sector security resources did carry IAPP (I believe), not that many though. Saw a couple of Security + out there as well.
Most had CS degrees from top Universities. Interesting enough, none had masters in security ( I did notice multiple bachelors though ). Most of these folks were influencers on LinkedIn, posting articles with a lot of followers. Not sure what the take away was, except that the top notch followed "security pros" listed very few if any certificates.
Looks to be badge of honor with no major value, especially in aggregate.
It seems the truly talented / bright security professionals are almost exempt from certificates while the 3rd tier etc, seems to really leverage them.
Comments
-
TechGuru80 Member Posts: 1,539 ■■■■■■□□□□1. Government anything usually abide by 8570 so it depends on the contract and the requirements for the position. CISSP/Security+ are going to be the most common whether they list it or not...the requirement does exist for everybody in government.
2. Security degrees are a new idea, thus these will be more common in people around 7 or less years experience (that's about when they started coming out). Traditionally CS, CIS, and MIS were the traditional options. That means somebody who is a 15 year expert is very unlikely to have a Security degree. Also, most people will go for an MBA type degree if they have a technical undergraduate degree and want to get a masters.
Certifications show a baseline of knowledge and the ability to commit to learning...nothing more and nothing less. You will see that when people reach a certain point that they really start to focus on where they want their career to be, which in turn requires less certifications instead of every Associate level certification. -
Iristheangel Mod Posts: 4,133 ModDefine "Heavy Hitters." Because I could show you quite a few security heavy hitters that are certed up and are the opposite of what you just stated
-
Ertaz Member Posts: 934 ■■■■■□□□□□Iristheangel wrote: »Define "Heavy Hitters." Because I could show you quite a few security heavy hitters that are certed up and are the opposite of what you just stated
I think he was talking about how portly I look in my profile pic. -
DatabaseHead Member Posts: 2,754 ■■■■■■■■■■Iristheangel wrote: »Define "Heavy Hitters." Because I could show you quite a few security heavy hitters that are certed up and are the opposite of what you just stated
There are a ton of 2nd and 3rd tier security professional that load up, but what's interesting is the 1st tier pro's seem to be exempt from the certifications or have very few.
Again like I said before, certifications in aggregate don't seem to carry much more punch that someone with one or two. It's basically like having multiple degrees, the law of diminishing returns most certainly comes into play eventually........
Heavy Hitter is someone who is an influencer (as I mentioned before) who has a lot of followers in the security space..... Think of the creme dela cremeI think he was talking about how portly I look in my profile pic.
You are just big boned. -
DatabaseHead Member Posts: 2,754 ■■■■■■■■■■Just a follow up....
In lieu of certifications they write publications and speak at large engagements.
As I do more research, it's not always a CS degree, but a lot of these folks have engineering degrees. Pretty interesting findings.....
Another component is military experience. A lot of them have officer level intelligence experience in the security space. Even some local CISO in the privately owned companies have military experience, usually....
Maybe I'll start to tally these folks on a few variables and provide some analysis. -
LordQarlyn Member Posts: 693 ■■■■■■□□□□It's possible that they don't list their certifications, for whatever reason. I don't put all mine on my profile. They may also, as you pointed out, use their published materials as their credentials, thus didn't feel the need to invest in the certifications.
That said, I tend to side with Iristheangel, all the "heavy hitters" in my network do have industry certs and alphabet soups at the end of their names. -
DatabaseHead Member Posts: 2,754 ■■■■■■■■■■LordQarlyn wrote: »It's possible that they don't list their certifications, for whatever reason. I don't put all mine on my profile. They may also, as you pointed out, use their published materials as their credentials, thus didn't feel the need to invest in the certifications.
That said, I tend to side with Iristheangel, all the "heavy hitters" in my network do have industry certs and alphabet soups at the end of their names.
That maybe so, which I am not disagreeing with, but.....
***Update
I haven't seen one security degree listed yet and I looked at dozens of CISO's and other high level security professionals. Just to be clear I am not saying they don't have certifications, it's probably 70 don't (at least list) and 30 do, with that count being around 1 maybe 2, never more that 2.
There actually could be a negative correlation coefficient between security position level and the quantity of security certifications......
The security certification seem to align more with the worker bee and not the visionary or leader. -
LordQarlyn Member Posts: 693 ■■■■■■□□□□That is curious.
In all fairness, the CISO is a relatively new C-level position, it could be that most of the initial CISO positions were filled by people with more executive backgrounds as opposed to information security backgrounds, thus would be without certifications. Also, certifications are no means needed to head an organization's information security or protect IT assets.
I do agree, for those wanting to move up in ISM leadership, we probably need the certs to establish credibility and get noticed. Someone at the top would less need the certifications because, they already have the CISO and investing in certs would provide minimal returns. No doubt they do invest in education, i.e., attend executive seminars relating to information security, but if they made it without certifications, then they probably won't get them.
I would be interested to see correlation of security breaches versus ISMs/CISOs who have or don't have certifications, and see if those who are not certified have more breaches than those who are.DatabaseHead wrote: »That maybe so, which I am not disagreeing with, but.....
***Update
I haven't seen one security degree listed yet and I looked at dozens of CISO's and other high level security professionals. Just to be clear I am not saying they don't have certifications, it's probably 70 don't (at least list) and 30 do, with that count being around 1 maybe 2, never more that 2.
There actually could be a negative correlation coefficient between security position level and the quantity of security certifications......
The security certification seem to align more with the worker bee and not the visionary or leader. -
Iristheangel Mod Posts: 4,133 ModI don't know if CISOs are the same as "security heavy hitters." Maybe in a way but not in the same way I would be thinking. For example, I know one major company that created a CISO position and hired someone who worked at the FBI in a NON-TECHNICAL capacity in a part of the FBI that didn't deal with cyber crimes but white collar crimes instead. Why? Because he dealt with security, incident response and forensics all his professional career up until the time he was forced to take his mandatory retirement from the FBI and he knew how to build a team who could do the rest underneath him. One could argue successfully that his role didn't need certs and he definitely if a "heavy hitter" in your eyes given the size of the company he works at and what he does but if you asked him about the Angler exploit (or any specific malware by name), he'd probably have no idea what you're talking about.
-
UncleB Member Posts: 417Don't forget that these CISO level jobs are for positions far removed from the front lines and they are probably going to spend more time meeting with board level and senior management or with suppliers / business relations than they are with the grunts in front of the keyboards.
They don't need to know the ins and outs of the info from the knowledge gained from studying certs - they have staff and managers who should be capable of giving them the management summary version of what is needed, and so long as they have been working in the field for a while they will have a good understanding of the context for this all.
If they are effective managers then they don't need to have dogs and bark themselves. Their main skills should be keeping IT security aligned with the business strategy, keeping best practice for security embedded in working practices, keeping their managers running their teams effectively and keeping abreast of new initiatives in the security arena.
Not much there that certs would help with. In fact getting bogged down in the minutia of detail of the latest releases of threats can be a counterproductive for them so it is far more effective for the lower levels to do this and just keep them informed of what is going on and what the recommendations are.
Just pointing out that the higher you go in the management chain, the less important tech certs are and the more important people skills and negotiation abilities are. -
LordQarlyn Member Posts: 693 ■■■■■■□□□□I don't agree, you are describing more a CEO and not a CISO role. Yes, CISOs are not hands on, in the front lines. But they should be thoroughly knowledgeable in information security, they need to keep abreast with the latest threats and trends, to include business continuity, regulatory issues, and risk management. They need to evaluate the latest trends, use judgment to determine if they are applicable to the organization, and make the business case if they are. CISOs need to be the information security experts for their organization so they can create effective policies, implement the most cost-effective solutions, and ensure the organization is in regulatory compliance. The board and senior level meetings are discussing those issues.
Tech certs may be less important, but being well-informed in information security is very important for CISOs. And people & negotiation skills are extremely useful for anyone regardless of level.Don't forget that these CISO level jobs are for positions far removed from the front lines and they are probably going to spend more time meeting with board level and senior management or with suppliers / business relations than they are with the grunts in front of the keyboards.
They don't need to know the ins and outs of the info from the knowledge gained from studying certs - they have staff and managers who should be capable of giving them the management summary version of what is needed, and so long as they have been working in the field for a while they will have a good understanding of the context for this all.
If they are effective managers then they don't need to have dogs and bark themselves. Their main skills should be keeping IT security aligned with the business strategy, keeping best practice for security embedded in working practices, keeping their managers running their teams effectively and keeping abreast of new initiatives in the security arena.
Not much there that certs would help with. In fact getting bogged down in the minutia of detail of the latest releases of threats can be a counterproductive for them so it is far more effective for the lower levels to do this and just keep them informed of what is going on and what the recommendations are.
Just pointing out that the higher you go in the management chain, the less important tech certs are and the more important people skills and negotiation abilities are. -
LordQarlyn Member Posts: 693 ■■■■■■□□□□Here's a CISO job I stumbled on, in addition to preferring experience in the company's sector, and experience in information security leadership roles, they are requiring at least one ISC2/ISACA certification.
https://www.naukrigulf.com/chief-information-security-officer-jobs-in-muscat-oman-in-client-of-headhonchos-com-15-to-25-years-jid-220417500147
Certs are not the end all be all, but they can certainly get you noticed, and they prove at least a fundamental external confirmation of one's claim of expertise. -
LordQarlyn Member Posts: 693 ■■■■■■□□□□On another job search engine I searched for CISO positions. While only the first few hits are actual CISO jobs, most, but admittedly not all, are preferring or requiring a CISSP or CISM or other ISACA certifications.
https://www.my.jobs/jobs/?q=%22Chief+Information+Security+Officer%22#1
Bottom line, if you aspire to be a CISO, certifications will not hurt or stop you from that goal. -
Danielm7 Member Posts: 2,310 ■■■■■■■■□□Interesting thread, I like to see the data trends. With that said, I agree with Iris and the others saying defining who the "heavy hitters" are is really difficult. There are tons of people in the security space who are probably even too paranoid to put themselves on linkedin. Also agree that in most places even if a CISO might require a CISSP I doubt it's a hard requirement and that in no way means you know very much about security.
The CISOs that I've seen hired might have been technical 10+ years ago but have been heavy into management and planning since, I don't in any way consider them on the same level a top notch security person.
Also, if you define the top level security folks differently you get people who do research and have been doing defcon presentations for 15 years, most of them don't need certs. They can walk into any security minded company and get hired on their name alone, most of us are not there and never will be, so we need things to differentiate ourselves. -
DatabaseHead Member Posts: 2,754 ■■■■■■■■■■Essentially what I did was very unscientific, let's be honest but.... LinkedIn made it very possible to look at not only > 50 CISO positions but also look at other security professionals who most people would consider a heavy hitter. Some of these folks had security publications and others speak at seminars others owned security consultant firms, it was more than the CISO at a fortune 500. (Although it started off that way).
Most certainly not saying certifications hurt, that's silly if anything you can remove it to scale for the position. Keep in mind I am not talking about a worker bee security engineer, of course certifications help for most of those positions.
In fact I did some research about a year ago using some automation and excel and was able to identify which certifications and degrees tie back to certain security jobs. While some certifications were high sought after for certain positions, others came up less than 5% of the time. In fact most certifications weren't listed as required or preferred.
Exception CISSP for most positions, ~50% and OSCP for Pen testing positions, along with the CISSP. C|EH was another certification that was some what highly sought after. -
EANx Member Posts: 1,077 ■■■■■■■■□□CISOs in small companies might have technical roles, in the same way that a CTO at a small company might also be the lead programmer. By the time you're looking at any of the top 1000 largest companies, those CISOs are business people first. Their role is regulatory compliance, reporting and auditing, understanding how the customer would react in the case of a data breach so they can direct dollars where they do the most good, etc. At most, they are business security architects and risk managers.
-
LordQarlyn Member Posts: 693 ■■■■■■□□□□Actually I thought your approach was quite scientific, you had a hypothesis; if certifications help make a heavy hitter. You researched the heavy hitters, the leading IT security pros on a professional networking site, and tallied their certs. You reported your findings, that many of them had none, and a few of them only had one or two certifications. You came to the conclusion that for at least the top tier, certs are not necessary.
Not knowing the names you looked at, it is entirely possible some of these guys established themselves by other means, and thus didn't need the certs because they are at the top. I can't imagine Kevin Mitnick having IT certs, for instance. Others could have got established in less nefarious ways, publications, blogs, or just plodded along upwards until they reached the top. For them, getting certified at this point would provide little in returns.
Today, for those starting off, certs are more value, if no other reason to get notice and provide external validation of experience and knowledge.
Certs can work against you of course, having a broad spectrum of certs none of them high level, one could appear unfocused or not very skilled any one thing. Having tons of certs, it looks like one just spends their time studying to pass cert exams, and rightly others would wonder their real skills - the infamous paper certs. Indeed my own recommendation to my guys who have a lot of certs is only list the ones on their CV relevant to the job posting they want to apply.DatabaseHead wrote: »Essentially what I did was very unscientific, let's be honest but.... LinkedIn made it very possible to look at not only > 50 CISO positions but also look at other security professionals who most people would consider a heavy hitter. Some of these folks had security publications and others speak at seminars others owned security consultant firms, it was more than the CISO at a fortune 500. (Although it started off that way).
Most certainly not saying certifications hurt, that's silly if anything you can remove it to scale for the position. Keep in mind I am not talking about a worker bee security engineer, of course certifications help for most of those positions.
In fact I did some research about a year ago using some automation and excel and was able to identify which certifications and degrees tie back to certain security jobs. While some certifications were high sought after for certain positions, others came up less than 5% of the time. In fact most certifications weren't listed as required or preferred.
Exception CISSP for most positions, ~50% and OSCP for Pen testing positions, along with the CISSP. C|EH was another certification that was some what highly sought after. -
LordQarlyn Member Posts: 693 ■■■■■■□□□□At this point, CISOs in small companies are the CTOs/CIOs. Few companies right now have a separate CISO position, and those that do have a CISO, even then the CISO reports to the CIO rather than directly to the CEO/COO.CISOs in small companies might have technical roles, in the same way that a CTO at a small company might also be the lead programmer. By the time you're looking at any of the top 1000 largest companies, those CISOs are business people first. Their role is regulatory compliance, reporting and auditing, understanding how the customer would react in the case of a data breach so they can direct dollars where they do the most good, etc. At most, they are business security architects and risk managers.
-
DatabaseHead Member Posts: 2,754 ■■■■■■■■■■I appreciate the feedback.
My hobby, other than drinking wine, making money, being a respectable husband and good father is to ask questions and to follow up. The hype machine can get out of hand especially in the certification market.
I like to attempt to look at jobs, roles, certs, education, social factors in a different light and see if the way the masses think is incorrect or if in fact there is some legitimacy to it. I have a limited statistics background, QBA 336 and 337, AKA Statistics 1 and 2 at the University level along with some additional training.
In other words it's what I like to do....
Thoughts on a good way to poll some data? I'm looking at using a stratfication for my sampling techniques. I have a full SSIS/SSAS environment at home I can use to run some cross correlation on data sets and have strong SQL skills so modeling the data should be a breeze.
The capture would be the challenging part.
I really need to put the stat books down and start to familiarize myself with API's for these social sites.