Why so many certifications for the security field?

Correct me if I am wrong....

So I can see this scenario.

You get an entry level certification to begin brand yourself entry level security, looking to break in the field. Security +

You work 2 - 5 years doing your low level role and now you want to become a "pro". You get your CISSP or maybe one of those upper level pen testing certifications. Seriously.... If you have 5 years of security experience with a Security + and the CISSP or OSCP or something similar aren't you positioned to take off in the security field?

Here is where I get confused, why do a lot of you get 8+ certifications as a professional. Project management for instance isn't like this. At MAX you would get 4 certifications, PMP, CSM, ITIL (for service management) and maybe six sigma, that would be TOPS (sorry left out prince 2, so replace one of the others). Still over the course of a project management professional (let's say 10 years, you only need to get 4 certifications to keep up with the Jones.

But security is a different beast or so it seems. You have sooooo many certifications it has become ridiculous. Almost a joke from the outside looking in. Of course I say this with the utmost respect, knowing from you all that a lot of these are VERY challenging which makes it even more perplexing.

Can some one shine some light on this? It seems security has surpassed systems and networking, and I'll be honest. In "real" life I know very few system guys with certifications, most of them had A+ many moons ago and it never expired and they still keep it as badge of honor of sorts. But once they get into the Unix/Linux/MS infrastructure ranks you don't see certifications that much. ***I've worked in 3 fortune 500 companies and even managed a infrastructure team for a short period of time. So my visibility into this has been from multiple angles.

Find more posts tagged with

Comments

kurosaki00

Why so many colleges? private colleges? private "education" institutions? $$$$$$$$$$$$$$$

soccarplayer29

There's so many because each tool/vendor has come out with their own: AWS, Google, Microsoft, F5, Splunk, Palo Alto, Solarwinds, etc.

Then there all the vendor neutral ones: SANS, ISC2, ISACA, CompTIA, etc.

It's fragmented but obviously there's a market for it and employers ask for specific skillsets and those certification bodies pop up new focuses/certs to fill those needs. Technology is constantly changing and evolving and so is the security cert market

trojin

Vendor neutral vs vendor oriented certs. Other story is different security jobs: network security, pentesting, SOC analyst, sec management. It's hard to find one cert or vendor covering all areas of interest.

Ertaz

DatabaseHead wrote: »

Correct me if I am wrong....

So I can see this scenario.

You get an entry level certification to begin brand yourself entry level security, looking to break in the field. Security +

You work 2 - 5 years doing your low level role and now you want to become a "pro". You get your CISSP or maybe one of those upper level pen testing certifications. Seriously.... If you have 5 years of security experience with a Security + and the CISSP or OSCP or something similar aren't you positioned to take off in the security field?

Here is where I get confused, why do a lot of you get 8+ certifications as a professional. Project management for instance isn't like this. At MAX you would get 4 certifications, PMP, CSM, ITIL (for service management) and maybe six sigma, that would be TOPS (sorry left out prince 2, so replace one of the others). Still over the course of a project management professional (let's say 10 years, you only need to get 4 certifications to keep up with the Jones.

But security is a different beast or so it seems. You have sooooo many certifications it has become ridiculous. Almost a joke from the outside looking in. Of course I say this with the utmost respect, knowing from you all that a lot of these are VERY challenging which makes it even more perplexing.

Can some one shine some light on this? It seems security has surpassed systems and networking, and I'll be honest. In "real" life I know very few system guys with certifications, most of them had A+ many moons ago and it never expired and they still keep it as badge of honor of sorts. But once they get into the Unix/Linux/MS infrastructure ranks you don't see certifications that much. ***I've worked in 3 fortune 500 companies and even managed a infrastructure team for a short period of time. So my visibility into this has been from multiple angles.

First, you shut your mouth when you're talking to me database boy.

Second, to answer your question, there is no monopoly on security technology. Where MS and Oracle are the big players in the RDBMS world, there are constant changes in the players and technologies in the security field. You're mainly learning a methodology in most of these certifications. The upside is that you get an understanding of a lot of technologies along the way, the downside is useless crap that fills your head (Two fish vs AES anyone? https://en.wikipedia.org/wiki/Twofish ) I'm guilty of trying everything to figure out where my niche is.

Hornswoggler

Because there is a lot to learn.

DatabaseHead

Hornswoggler wrote: »

Because there is a lot to learn.

Isn't that the case in IT in general?

@Ertaz

Wow, my manager this morning and now you!

Ertaz

DatabaseHead wrote: »

@Ertaz
Wow, my manager this morning and now you!

That's how you know you're challenging them. There's nothing wrong with a little adversarial dialogue every now and then.

Danielm7

DatabaseHead wrote: »

Isn't that the case in IT in general?

Yes, and security is about as wide as all of IT. "I'm in security" can mean anything from someone who does cloud access, to someone else who does only auditing and policy to someone else reverse engineering malware, it's all over the map. A PM can do more focused training, looking at ALL the security certs isn't really fair comparison. If you said pen testing for example you might say, oh they have the OSCP, and maybe something a little more general like a CCNA just to show other skills, and they're good. They don't need the CEH (for smart hiring managers anyway), the elearnsecurity ones, SANS GPEN, etc. If you're into forensics, maybe a SANS cert and something vendor specific like encase and you're likely good to go as well.

bigdogz

DatabaseHead,

A great deal of us Infosec folks come from IT Administration where we are jack of all trades. We may grab some MCSE, Cisco, Juniper, Linux, or RedHat certification.
When someone obtains a Vendor Neutral certification, he/she is required to maintain that credential with CPE's. 40 CPE's a year is needed. One week of training will cover the CPE's. The mindset is changed to always learn because of how the credential is maintained and the constant change within Infosec. Most people do not choose to take the exam over every 3 years because it is a pain and easier to obtain additional training.

Ertaz

bigdogz wrote: »

DatabaseHead,

A great deal of us Infosec folks come from IT Administration where we are jack of all trades. We may grab some MCSE, Cisco, Juniper, Linux, or RedHat certification.
When someone obtains a Vendor Neutral certification, he/she is required to maintain that credential with CPE's. 40 CPE's a year is needed. One week of training will cover the CPE's. The mindset is changed to always learn because of how the credential is maintained and the constant change within Infosec. Most people do not choose to take the exam over every 3 years because it is a pain and easier to obtain additional training.

This. Now I'm looking at going technical with an MCSE/CCNP/OSCP over the next 3 years.

PC509

In addition to the security field being huge, it's also because the demand is increasing. There are a lot of people wanting part of that security cert pie. Get a cert out there, get some recognition, and more people will take that exam, bringing in more money. It's a for profit gig for them. Some are worth more in the workforce, and others are resume points... others are a laughable thing, but if it's in a job listing it's probably worth it if you want that job.

bigdogz

Ertaz wrote: »

This. Now I'm looking at going technical with an MCSE/CCNP/OSCP over the next 3 years.

Good Luck Ertaz !!!

UnixGuy

Because we live in a credentialist world; everyone wants to get into the new cool thing...smart companies will release certs to make profit..why not

I find it a bit odd coming from a Unix background where no one gave a damn about certs

Remember when IT was the new cool thing and every wanted an MCSE/A+/CCNA ?

EnderWiggin

In project management, there is usually a requirement for at least a bachelor's degree, which means roughly forty classes completed. In IT, degrees typically aren't required. Certifications are about equal to one college class though, in that you study for a while, then pass one test. It really just validates you have knowledge, in a similar way that other fields do so with degrees.

DatabaseHead

UnixGuy wrote: »

I find it a bit odd coming from a Unix background where no one gave a damn about certs

In your experience, your peers in the Unix field didn't care about certifications? If so that is what I found as well, not that I am worth a dang at Linux/Unix but working hand in hand with these folks, it was like once they locked into Unix/Linux that was it and certifications had no place.

Sorry just wanted to follow up with you in regards to this, I find it interesting.

bigdogz

Most Unix people do not care about the certs. I also know a great deal of people who know unix that have a great deal of certifications (mainly infosec) and don't have the certs. It's just a different set of folks.

When everyone wanted their MCSE and CCNA, there was no certification for Unix. If you knew Unix, you were not questioned. If you said you knew Unix and didn't, you were found out quickly and out on the street.

I am certified because I work for a MSP. This is just to help our company with discounts on sales and priority on support.

CryptoQue

The information security field is just scratching the surface and will continue to evolve as business are now ensuring it's incorporated into their business strategies. 10 years ago, there were 75% less security related hacks, leaks, and vulnerabilities. In today's world, everyone must be connected to their cell phone, social media, online banking, smart home devices, etc. All of these systems are vulnerable to security attacks. Certain fields like Project Management may change some of the years, but the core emphasis is still the same. A person that's has 20 years of project management experience can still be relevant in today's job market without having PMP certification. However, someone with 20 years of IT experience and no certifications can easily be beat out of a job by a person with 5 years of experience and 5 top tier IT certifications. I'm not saying that someone should go get 25+ certifications, but having relevant certifications to your field are extremely helpful for InfoSec professional in today's market.

bigdogz

That person with 20 years of IT may look to be inactive or stale even though they are working on new technology. The company's now are looking for those certifications. The motivated person with the certifications will emerge the winner.

CryptoQue

Agreed bigdogz. Having certifications shows employers that you're a continuous learner.

JDMurray

From the opposite perspective, there is no ethical requirement to publicize the certifications that you have earned. Getting all the certs you want and not telling anybody is fine too.

Ertaz

JDMurray wrote: »

From the opposite perspective, there is no ethical requirement to publicize the certifications that you have earned. Getting all the certs you want and not telling anybody is fine too.

Never thought about buying a pageant dress just to wear it around the house. One could, I suppose...

ITHokie

It's likely because "the security field" is a much bigger animal than you think.

https://taosecurity.blogspot.com/2017/03/cybersecurity-domains-mind-map.html

ITSec14

Some people are fortunate to have employers who push training down their throats and want them to be certified. Hell, I wouldn't pass up those opportunities either.

bigdogz

Ertaz wrote: »

Never thought about buying a pageant dress just to wear it around the house. One could, I suppose...

Maybe one could wear the dress when looking for a new job that could be more challenging and make more $$$ so in time you could buy another dress.

JDMurray

Ertaz wrote: »

Never thought about buying a pageant dress just to wear it around the house. One could, I suppose...

Unlike a pageant dress, the enduring purpose of certification is the increased knowledge it gives you. Except for getting you a first-round interview and the envy/awe of your friends the paper is quite useless.

DatabaseHead

ITHokie wrote: »

It's likely because "the security field" is a much bigger animal than you think.

https://taosecurity.blogspot.com/2017/03/cybersecurity-domains-mind-map.html

All this shows is how vast the security space is (very cool I might add), however it has nothing to do with an individual getting 10+ security certifications.

Information technology can be broken down into that many groups as well. You wouldn't get certified in all the domains / areas, it wouldn't make sense.........

I've come to the conclusion like others have stated, there is a market to be exploited and people are willing to spend dollars in this area.....

PS awesome map, thanks!

Ertaz

JDMurray wrote: »

Unlike a pageant dress, the enduring purpose of certification is the increased knowledge it gives you. Except for getting you a first-round interview and the envy/awe of your friends the paper is quite useless.

If you use it... Biba vs Bell–LaPadula anyone? That's knowledge I can't get rid of and brain cycles I'll never get back. (I can't seem to find my car keys consistently now.) I suppose if I had superbowl rings I'd wear them every chance I could.

To me certs either say you're dedicated, or you just love a whooping. I suppose I love a whooping. MCSE is next for me unless I get redirected to OSCP.

ITHokie

DatabaseHead wrote: »

All this shows is how vast the security space is (very cool I might add), however it has nothing to do with an individual getting 10+ security certifications.

It has everything to do with multiple certifications. If someone wants training and knowledge in some of the many facets of security, one option at their disposal is multiple certifications.

As you said, this is similar to IT. It's not unusual to find accomplished engineers with Microsoft, Cisco, Red Hat, VMWare, project management and other certs. Often you'll see that security folks with "10+" certs have a number of technology certs - not just security-centric ones. This makes sense because the best security practitioners have a deep knowledge of the technologies they work with.

Chalking all of this up simply to the fact that people have money and are willing to spend it is shallow thinking. It's obviously not just because people have money. Do you honestly think people are willing spend hundreds of hours of their life studying, giving up fun, giving up time with friends and family, etc just because they have the financial resources to purchase the training?

cyberguypr

It makes a ton of sense to certify in multiple areas. Have you seen the laundry list of requirements for some security roles? It's not uncommon to see practitioners that float between these areas on a daily basis, especially in smaller companies. That doesn't mean that they are experts, just that they understand baseline concepts and have a desire to expand their knowledge. Besides, there's so much movement in Infosec that they guy doing GRC work may decide to pursue a forensics or vulnerability management role. If he has the right certs he may cause a good impression on the hiring manager and get a chance at the role. You gotta tip the odds in your favor. This is how you keep the universe of potential future jobs open.

xxxkaliboyxxx

This is the main reason DoD Approved 8570 Baseline Certifications

Get on that list, you become a money making machine.

PS: How in the hell did CFR get on there LOL. Best believe it will bring up their net worth.