Caution, CEH's

Mrock4

Is there a reason you've seemingly only applied to "big name" companies? If it's prestige you're after, I get it, but if you're submitting 100 apps/week, and nothing..then you're either A) NOT qualified for those positions despite what you think, incredibly unlucky, or C) doing something wrong. I genuinely wish you the best of luck, so don't take this as callous- I'm just trying to help.

That being said, every Program Manager I have EVER encountered (in Fortune 100/500 companies) had a mediocre technical ability at best, and a LOT of business ability..if that makes sense. Your problem may not be that you're not technically gifted- you seem to be, but rather that you're lacking on the PM side. Maybe your resume lacks definition- if you show them you're a "Certified Ethical Hacker" and talk all kinds of tech with them, but then tell them you want to manage an entire program, that may show you really haven't decided what side of the house you want to be, which as a hiring manager, may pose a risk.

At the end of the day, although I'd like to say there's engineers who are also great businessmen, it's rare. Generally speaking, you're either one or the other, and it sounds like you're straddling the fence right now.

Quantumstate

Thanks for the input. I understand the skepticism, but you'll just have to accept what I'm saying about my abilities and experience. 14 years as a Sr PM. And I've named the big game companies here, but I have literally applied to every PM job I could find on linkedin, indeed, dice, and even jobs.colorscareers.com, LOL

I am not skipping companies large or small.

Come back if you had the CEH instead of CISSP and have tried to get a job for a few months. I am just trying to save others the pain I've had.

Mrock4

Maybe there's a better question to be asked: What do YOU think is the reason you haven't had any luck in your search?

YFZblu

Mrock4 wrote: »

Maybe there's a better question to be asked: What do YOU think is the reason you haven't had any luck in your search?

It's pretty obvious the OP believes the 'hacker' designation is scaring employers away at some level. I can see this being the case when interviewing with non-technical individuals for a position that is not IT related; however I find it difficult to believe that the 'hacker' designation in a certification would scare away security professionals at a technology company such as Microsoft. I just have not heard of that being an issue for current C|EH certified people.

Either way Quantumstate I wish you luck in your search for the right position.

Mrock4

I understand, and also wish him great luck- but I have many colleagues who hold the same cert, who are employed in high paying positions- so I'm not sure where the disconnect is.

JDMurray

It may be that more than just the cert got them their high-paying positions, or maybe the cert isn't a factor in their high pay at all. You should look at what other professional qualities they have that might be worth earning their high level of pay.

Mrock4

The individuals I know only have CCNP-level certs, this gentleman has an MBA from an Ivy league college, and is a former CIO.

ptilsen

Which just means they would be qualified for completely different jobs. Quantumstate does not have a background in networking, at least from what he's told us. CEH is an obvious mismatch with his career. Hence, it is a turn-off for employers. It doesn't mean that CEH is an inherently bad title for all jobs. But it is obviously a bad title for the jobs for which he is applying.

ivx502

It could be a variety of factors anything from they might think he is overly qualified for the position, or he might ask for a high salary. My soon to be former boss ran into that situation. He was getting sent to interviews that the managers he was interviewing for had less qualifications. If they would give him a job offer it was so low of a salary that it barely qualified as a salary in our job market.

N2IT

Quantumstate wrote: »

All of a sudden... two interviews this week.

Awesome work man! Good luck on those interviews!

Keep the C|EH off the resume for a few months and see what kind of traction you build up.

Mrock4

Hey, if you think that 3,600 recruiters disqualified him based on his CEH, and weighed that over his CIO skills and MBA from an Ivy..that's good enough for me

Quantumstate

ptilsen wrote: »

Which just means they would be qualified for completely different jobs. Quantumstate does not have a background in networking, at least from what he's told us. CEH is an obvious mismatch with his career. Hence, it is a turn-off for employers. It doesn't mean that CEH is an inherently bad title for all jobs. But it is obviously a bad title for the jobs for which he is applying.

No. I have extensive networking, Linux, clustering, and so on. N2IT is the only one here who has seen my resume, and he knows what I'm talking about. In fact he comes from a staffing/HR background and helped me tune up my resume nicely.

I'd bet those in high-paying jobs with CEH, got the CEH after the fact. Like I say, drop your CISSP and try getting a job with that CEH and just see what happens. Try it.

As to CEH not fitting me? Again, the reason I have pursued these certs is to show that I am up to date. My graduate degree is 20 years old. I want to demonstrate that I still have these skills because at my age that could be in doubt. One of my interests and aims was a security PM job, but what I've found is that when I answer hacking questions, I scare the sh1t out of the interviewer, at least in the case of the MS Key Manager and my VA counselor. As the MS recruiter told me that I hadn't done anything wrong, I am confident that the Key Manager ditched me because (as my VA counselor says) 'I must have done this before, to know it in such detail'. This implies a 'trust risk', a risk that he is paid to not take.

With 20-30 applications coming in for each job at companies like Amazon, Facebook, G**gle, etc, they are looking for any little thing to winnow down the field. HR folks are a very risk-adverse bunch, of necessity. I was giving them justification to knock me out, however grand my qualifications. No wonder I never even got a peep out of them.

Actually one of the jobs I interviewed this week for was as Director of a real estate company. (long story) I'd be Director of Office and Industrial for a national real estate company, and would be building that practice area from scratch. Could ultimately mean a seven-figure salary (including commissions), IF the officers decide that I'm a fit and IF I succeed in building the practice area. Not going to explain here why I would be qualified. Of course I did not tell them about CEH, LOL.

Anyway, if you are not willing to try CEH without CISSP to get a job, you just don't know and can not speculate.

Mrock4

Well, those individuals I mentioned all held CEH prior to getting hired with my current employer, so in that case, you're wrong..the CEH didn't stop them. I've also hired two CEH's at my previous employer.

And I rather like my job, so I won't be quitting my job to prove someone online wrong.

I wish you luck in your search- if you think the CEH is poison, drop it off your resume, and see what happens

By the way- I do apologize if you took my comments as inflammatory, I'm just trying to help, and the internet doesn't always convey the true intent behind our words.

ptilsen

Quantumstate wrote: »

No. I have extensive networking, Linux, clustering, and so on. N2IT is the only one here who has seen my resume, and he knows what I'm talking about.

Having not seen your resume or worked with you, I can only take your word. However, it would be disingenuous at best to accept this without question. You have an Ivy League MBA, the extensive project management experience required for the PMP, extensive software development and hardware knowledge, extensive network infrastructure knowledge, extensive server and Linux knowledge? Essentially, you're qualified as top-level in what I would consider four completely different careers (with different specialties within) suited to people of different strengths. That just doesn't quite add up to me. I won't deny that it's possible, but I've never worked with anyone who operated at such high levels across barely-related career areas.

That is not to say I think you are being dishonest -- truly, that is not what I'm trying to say -- but given your listed certifications and credentials, I am baffled that you would have actual deep knowledge of corporate IT infrastructure, particularly of network and server configuration. You have no infrastructure certs (other than CEH, which is sort of an infrastructure cert) and education, certs, and experience that don't align with infrastructure. The CIO role in particular, in my experience, is pretty much completely non-technical. I've yet to work with a CIO who could pass the A+ -- generally speaking, it's a high-level, decision-making position, not a deeply technical one.

Even saying you've had opportunities to work in roles that involved hands-on with network infrastructure, am I at least correct in assuming you're not applying for jobs that involve hands-on configuration of network equipment and that that isn't really your career goal at this stage? My point with the CEH comment was that it might make a lot of sense for someone involved directly in designing or configuring networks, network equipment, and server infrastructures, and that it doesn't make a lot of sense for someone applying for security management, secure software or hardware development, or management jobs in general. I see CEH as truly only applicable to pentesting and securely configuring networks and servers. It does not align with certifications like CSM and PMP or an MBA degree.

One final note I will add is that N2 also helped me with my resume, and it definitely yielded some good results. I was both pleased with the product myself, and the outcome (my current job, which is close to perfect for my short-term and long-term goals and came with a nice raise to boot).

Mrock4 wrote: »

I wish you luck in your search- if you think the CEH is poison, drop it off your resume, and see what happens

He did, and he got two interviews.

I still find the idea that people would actually discriminate against these kinds of skills ridiculous. Not ridiculous in the sense that it's far-fetched or unbelievable (sadly, I believe it), but in the sense that it's misguided. I get the trust issue, but to me, they should be looking for people who have the skills and the intelligence to apply these techniques to help them. Assuming someone with cracking skills is likely nefarious is simply absurd, if only for the reason that someone untrustworthy wouldn't broadcast their ability to break into the prospective employers' systems. Saying "hey, I can do this and could be an asset in helping identify and fix these types of flaws before the product hits market" should be a reason to hire, not a red flag.

Again, this brings me back to my point that someone in a pure networking role is more likely to appreciate this. Someone hiring at a MS or Silicon Valley giant is more likely to be of a culture and disposition that fears this and has a bad perception of it. I've little doubt Mrock would hire Quantumstate, but Microsoft might shy away from the "hacker" title.

Quantumstate

ptilsen wrote: »

Having not seen your resume or worked with you, I can only take your word. However, it would be disingenuous at best to accept this without question. You have an Ivy League MBA, the extensive project management experience required for the PMP, extensive software development and hardware knowledge, extensive network infrastructure knowledge, extensive server and Linux knowledge? Essentially, you're qualified as top-level in what I would consider four completely different careers (with different specialties within) suited to people of different strengths. That just doesn't quite add up to me. I won't deny that it's possible, but I've never worked with anyone who operated at such high levels across barely-related career areas.

I am an old guy. I've been working in many different roles during my 40 years of working life.

You're a young guy. You can't compare us.

That's dynamite that all your friends got high-paying jobs with the CEH. But I HAVEN'T. It is my belief that CEH has harmed me for eight months, and I am acting on it. If you think it will help you, gourd head and use it. I'm not stopping you. But I say you're lying to yourself, if not to us.

ptilsen wrote: »

I still find the idea that people would actually discriminate against these kinds of skills ridiculous. Not ridiculous in the sense that it's far-fetched or unbelievable (sadly, I believe it), but in the sense that it's misguided. I get the trust issue, but to me, they should be looking for people who have the skills and the intelligence to apply these techniques to help them. Assuming someone with cracking skills is likely nefarious is simply absurd, if only for the reason that someone untrustworthy wouldn't broadcast their ability to break into the prospective employers' systems. Saying "hey, I can do this and could be an asset in helping identify and fix these types of flaws before the product hits market" should be a reason to hire, not a red flag.

Of course. Before this MS interview I studied the specific areas involved in the job thoroughly, and learned all the ins and outs of how security has been compromised. I came up with my solutions for how to protect the next generation of products and pitched them to two of the program managers. I pointed out what they apparently hadn't seen before; that their (later) software in this case has never been compromised; hackers had to resort to glitching attacks (hardware reset tricks and timing attacks) in order to crack the systems. This means MS is on the right track with software, and that they have been absorbing all the blame for compromises, when blame really belongs with their hardware vendor. (I am purposely being vague so as not to ID the specific department) They apparently hadn't recognized this before.

I also offered a solution to these hardware attacks, which maybe ppl here would appreciate. Instead of fixed hardware to do the work as they have now, I suggested the Lattice FPGA. An FPGA is a general device which can be programmed to serve almost any function, essentially as a software programmable hardware device. Most FPGAs are programmed by loading a binary file which sets internal lookup tables to configure the device to perform specific functions. A static RAM bit remembers a given decision point in the lookup table, to configure hardware. But Lattice's XP2 FPGA has a flash bit for every static bit, so it is non-volatile and does not have to rely on an external flash to load it. Therefore it's not vulnerable to logic analyzers or other typical attacks. A flaw is found or a hardware glitching attack or buffer overflow? Upload a new binary (encrypted) completely changing the device's configuration, eliminating the compromise and set attackers back to zero. Furthermore the device's functions are now essentially in custom hardware so lightning fast, AND basically zero bootup time. Plus, I checked, same price as their existing hardware. This blew the design engineer away. I offered them several such ideas, and I have a feeling a few of my ideas will ultimately be used.

But there is no getting around the Key Manager's hyper-conservatism. He specifically asked me from my resume how I would penetrate a system. I explained it in detail, and it scared him. I was trapped. I could have handled it better if I hadn't been exhausted at that point, but that was the whole idea. They erred on the side of caution, as apparently I had experience in hacking. Yes they need this knowledge, you and I know, but fear always trumps rationality. Never threaten a frightened man -- he will kill you without a second thought.

N2IT

I'm not going to pretend that I know more about systems than PT or networks than MROCK, but I do know about human resources.

When I graduated back in 2000 the market was stagnant and I was forced to take a pure HR position. I spent ~ 4 years in that position.

Hear me out of this - If the position doesn't seek the requirement of C|EH I would leave it off. Anything with Hacker in the title is going to get some serious visibility and unless you are working up east doing pen testing or some cyber defense or vulernability testing you should not list the certification.

LIke QS mentioned HR are very risk averse, you have to be. Success planning is a very real thing and you want to the best less risky candidates possible. HR folks struggling with this shouldn't surprise anyone. We have had several people get turned down for jobs on this forum because they carried the MCITP certification, but according to HR they didn't have the MCSE or MCSA so their wern't the best candidate.

If that can happen surely alienation due to the C|EH could happen and it is apparantly real.

One last piece, I would never list all of my certifications on my resume. I would only list them if they speak to the job requirements. If there is a complete disconnect I wouldn't list it. (That's just my opinion)

Again all your doing is adding more risk, think less is more.

Mrock4

I'm glad we're all civil again

N2IT- I agree with regards to not including if the position does not include it, but the OP said his interviewers asked about penetration testing, and he was applying for a security position. Would you not think the CEH does not apply there?

N2IT

Security postions no - Pen testing sure but still uncertain.

dorky

CEH is the worst cert ever in the industry. It has a decent name but IT IS A TRIVIAL EXAM and a monkey can do it. Stop appraising this ****.

the_hutch

dorky wrote: »

CEH is the worst cert ever in the industry. It has a decent name but IT IS A TRIVIAL EXAM and a monkey can do it. Stop appraising this ****.

I actually agree with you here. I consider the EC-Council certs more of a novelty than anything. They sound good to someone who isn't familiar with them. But when it comes down to it, EC-Council tests are a joke. I took CEH because of the 8570 CND requirement, and once I realized how easy EC-Councils tests were, I registered to take ECSA and CHFI because I had some extra money laying around. With minimal studying, I managed to pass all three of them, each with 2 weeks of each other. This is in contrast to the 6+ months of studying I had to invest in preparing for CISSP. If I was hiring information security professionals for a company, I personally wouldn't put much stock in CEH.

coty24

Are you tethered to the area, GA could use more people with your skillset IMHO

Quantumstate

I really do want to stay in the PacNW. There is no legitimate reason I shouldn't be able to get a tech job here.

But it gets worse. Two weeks ago I had a phone interview with a different Microsoft department. She asked me whether I was interviewing with any other companies right now, and I told her yes that Amazon was in the process of setting up a phone interview.

She then asked (as always) whether I've interviewed with Microsoft before, and now of course I have to say yes. Well of course she asked for details and I explained, at which point she said she'd now found the prior interviewer's notes. I tried to explain that vuln and pen testing is part of my current job, but she said she would have to check with the prior interviewer.

So Monday of last week Amazon and I arranged for a detailed tech phone interview for that Friday. Tuesday I hadn't heard back from Microsoft so I sent an inquiry. She responded that my candidacy has been terminated; that "it was not a fit for the job". I asked whether I should continue to apply for jobs at Microsoft and she said, "sure you can continue to apply".

Friday rolls around. The Amazon interview was scheduled for 8:00am. That hour rolls around. 9:00 and I wrote an email to the recruiter suggesting that maybe something had come up and they weren't able to call? Friday passes, then Monday, then today, and nothing. Today I wrote another email saying that I had thought we had an interview Friday but haven't heard anything. No reply.

So what conclusions should I draw? Is my any candidacy at Microsoft now poisoned forever? Has the Microsoft recruiter called the Amazon recruiter and blacklisted me? How could that even be possible? Aren't they hypercompetitive within their own respective organizations, much less between each other? If I was not blacklisted, WTH is wrong? Is this really shocking, or is it just me?

Zartanasaurus

I dunno about the Amazon connection, but it definitely seems like you won't be working at Microsoft anytime soon.

Quantumstate

After research, I am glad that after over a thousand applications, I was not accepted at either Microsoft or Amazon...

Check this.

Microsoft’s managers, intentionally or not, pumped up the volume on the viciousness. What emerged—when combined with the bitterness about financial disparities among employees, the slow pace of development, and the power of the Windows and Office divisions to kill innovation—was a toxic stew of internal antagonism and warfare.

“If you don’t play the politics, it’s management by character assassination,” said Turkel.
At the center of the cultural problems was a management system called “stack ranking.” Every current and former Microsoft employee I interviewed—every one—cited stack ranking as the most destructive process inside of Microsoft, something that drove out untold numbers of employees. The system—also referred to as “the performance model,” “the bell curve,” or just “the employee review”—has, with certain variations over the years, worked like this: every unit was forced to declare a certain percentage of employees as top performers, then good performers, then average, then below average, then poor.

“If you were on a team of 10 people, you walked in the first day knowing that, no matter how good everyone was, two people were going to get a great review, seven were going to get mediocre reviews, and one was going to get a terrible review,” said a former software developer. “It leads to employees focusing on competing with each other rather than competing with other companies.”

Supposing Microsoft had managed to hire technology’s top players into a single unit before they made their names elsewhere—Steve Jobs of Apple, Mark Zuckerberg of Facebook, Larry Page of Google, Larry Ellison of Oracle, and Jeff Bezos of Amazon—regardless of performance, under one of the iterations of stack ranking, two of them would have to be rated as below average, with one deemed disastrous.

For that reason, executives said, a lot of Microsoft superstars did everything they could to avoid working alongside other top-notch developers, out of fear that they would be hurt in the rankings. And the reviews had real-world consequences: those at the top received bonuses and promotions; those at the bottom usually received no cash or were shown the door.

Maybe I'd be better off dead, than working for one of these...

N2IT

QS great post I appreciate the time to post this.

N2IT

dorky wrote: »

CEH is the worst cert ever in the industry. It has a decent name but IT IS A TRIVIAL EXAM and a monkey can do it. Stop appraising this ****.

I've actually heard this from several security professionals. Infact one failed security + 2 times and passed C|EH on the first try. Just saying......

instant000

I've learned a few things from this thread:

1 - C|EH can be a strong negative when applying to certain positions (the negative connotation of the term "hacker")
2 - EC-Council certifies morality "ethical"
3 - Microsoft's internal ranking system has employees competing with each other?!
4 - N2IT used to work in HR, and is the go-to guy for resume help/HR questions ... wonder how much he charges

Quantumstate

N2IT is a plain nice guy who knows his stuff. Recommended. I've started getting responses (after 8 months of trying) since he overhauled my resume -and- I took off CEH!


Well I've FINALLY heard from Amazon last night. She deeply apologized for not letting me know that the position has been filled internally, but has shared my resume with several other hiring managers to see if they have a similar position. After reading that VF article though (Amazon also uses Stack Ranking), and all 680 reviews of Amazon on GlassDoor consistently stating 60-80 hour workweeks, I have to be very circumspect.

colemic

Quantum, can you clarify a few things - you said your résumé was reviewed by your VA voc rehab counselor, are you retired military? And your alma mater is actively assisting you in your job search? I wouldn't have expected that from a school of that caliber, honestly. Not doubting you it just stuck out to me. Last thing, you stated you were a CSM - were you referring to certified scrum master?

Quantumstate

colemic, not retired military, but a vet. I'd applied for VA voc rehab but was denied because I'm not disabled, but there is a special federal program called WIA (Workforce Investment Act) which has alot of support here in WA, and my local WIA counselor specifically handles vets. In WA, workforce services (and other parts of the social safety net) are still intact, unlike in other states. WIA paid for my Agile and Scrum classes, plus the exams, as I'm unemployed. (~$5,000)

BTW if you are a vet, YES you do still get medical care. Apply for it at the local VA hospital, clinic, or at HealthEVets. Thank God for the VA.

My alma mater has helped me in the past with counseling and job search. Ask at your uni. They have a job placement services, and mine has one specifically for MBAs. (altho geared for new grads)

Yes Certified Scrum Master. Worth about a bucket of spit, but better than getting poked in the eye with a sharp stick...