Iristheangel wrote: » Define "Heavy Hitters." Because I could show you quite a few security heavy hitters that are certed up and are the opposite of what you just stated
I think he was talking about how portly I look in my profile pic.
LordQarlyn wrote: » It's possible that they don't list their certifications, for whatever reason. I don't put all mine on my profile. They may also, as you pointed out, use their published materials as their credentials, thus didn't feel the need to invest in the certifications. That said, I tend to side with Iristheangel, all the "heavy hitters" in my network do have industry certs and alphabet soups at the end of their names.
DatabaseHead wrote: » That may be so, which I am not disagreeing with, but..... ***Update I haven't seen one security degree listed yet and I looked at dozens of CISOs and other high level security professionals. Just to be clear I am not saying they don't have certifications, it's probably 70 don't (at least list) and 30 do, with that count being around 1 maybe 2, never more than 2. There actually could be a negative correlation coefficient between security position level and the quantity of security certifications...... The security certifications seem to align more with the worker bee and not the visionary or leader.
UncleB wrote: » Don't forget that these CISO level jobs are for positions far removed from the front lines and they are probably going to spend more time meeting with board level and senior management or with suppliers / business relations than they are with the grunts in front of the keyboards. They don't need to know the ins and outs of the info from the knowledge gained from studying certs - they have staff and managers who should be capable of giving them the management summary version of what is needed, and so long as they have been working in the field for a while they will have a good understanding of the context for this all. If they are effective managers then they don't need to have dogs and bark themselves. Their main skills should be keeping IT security aligned with the business strategy, keeping best practice for security embedded in working practices, keeping their managers running their teams effectively and keeping abreast of new initiatives in the security arena. Not much there that certs would help with. In fact getting bogged down in the minutiae of detail of the latest releases of threats can be counterproductive for them, so it is far more effective for the lower levels to do this and just keep them informed of what is going on and what the recommendations are. Just pointing out that the higher you go in the management chain, the less important tech certs are and the more important people skills and negotiation abilities are.
DatabaseHead wrote: » Essentially what I did was very unscientific, let's be honest, but.... LinkedIn made it very possible to look at not only > 50 CISO positions but also other security professionals who most people would consider a heavy hitter. Some of these folks had security publications, others speak at seminars, others owned security consultant firms; it was more than the CISO at a Fortune 500. (Although it started off that way.) Most certainly not saying certifications hurt, that's silly; if anything you can remove it to scale for the position. Keep in mind I am not talking about a worker bee security engineer, of course certifications help for most of those positions. In fact I did some research about a year ago using some automation and Excel and was able to identify which certifications and degrees tie back to certain security jobs. While some certifications were highly sought after for certain positions, others came up less than 5% of the time. In fact most certifications weren't listed as required or preferred. Exception: CISSP for most positions, ~50%, and OSCP for pen testing positions, along with the CISSP. C|EH was another certification that was somewhat highly sought after.
EANx wrote: » CISOs in small companies might have technical roles, in the same way that a CTO at a small company might also be the lead programmer. By the time you're looking at any of the top 1000 largest companies, those CISOs are business people first. Their role is regulatory compliance, reporting and auditing, understanding how the customer would react in the case of a data breach so they can direct dollars where they do the most good, etc. At most, they are business security architects and risk managers.