I completely agree, coming from someone who has enough knowledge to get a
decent security job, but has no certifications. I am taking the opportunity
this year to get a few certs under my belt to round-out my resume. On the
other hand, in our hiring process, whenever there is a security-related job
that comes up we back it with a very tight technical interview.
I personally enjoy it when I have people who are CISSP, GCIH, CEH, etc. come
in for interviews for either sys-admin type work or for more of a QA role,
and not understanding the basics of how an attacker will cover their tracks
to how to analyze exploits. In fact, if I see someone with 4 initials behind
their name, I make an even more honest effort during the technical
evaluation to make sure that people think twice before swaggering into my
office waving their CISSP number around....for the record, not one of the
people who had certs got hired here because they didn't survive our
technical eval, you may get into the lion's den but you won't survive if you
don't understand.
On that note, I am studying for the Security+ which is a very newbie-like
baseline certification, and for someone who DOES have experience you have to
realize that if you take the studying seriously and you really want to
understand how everything works, you WILL get something out of it. I am
learning something new everyday in studying for the Security+ :) And for the
love of the lord Jesus above people, I encourage you to list your
certifications at the BOTTOM of your resume behind all your relevant
experience, the hardcore technical people are going to eat you alive
otherwise.
JS
-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com] On Behalf Of nomail@hotmail.com
Sent: Monday, April 30, 2007 9:48 AM
To: security-basics@securityfocus.com
Subject: Re: RE: Value of certifications
There are some good points in this thread. I think the
current schema of IT related certifications is broken. The
certs that exist are largely irrelevant or overly broad or
narrow in focus. They are also ridiculously expensive. I took
the CISSP last year and went into the test sweating bullets.
After the test, I realized how painfully easy it was, and was
thankful that my employer had paid for it rather than myself,
because the test was not worth $500. If a vendor wants to
limit the number of people that take and pass a test, then
they should do so by making the test challenging, not
expensive. SANS is also guilty of this, as James has
illustrated. I am confident that I have the knowledge to pass
several of their tests, but I am not going to try unless my
employer pays, as they are also expensive. Especially if one
wants to take a test without attending one of their classes.
It is clear that SANS is out to make money, and while they
should make some coin on their certificatio n and training
program, their current cost model is prohibitively expensive
for all but the independently wealthy and those with generous
employers.
Add in some of the other cert programs, like EC Council and
some vendors, and you get cheaper certifications, but the
tests for these certs are often poorly written and not very
challenging, either. And vendor tests often test for the
"vendor answer," which in most cases is not necessarily the
right answer. As the saying goes, "there is the right answer,
the wrong answer, and the Microsoft answer..."
Furthermore, the recertification process for many
certifications is a circus. While I understand the need to
maintain a current level of knowledge to keep current in the
industry, trying to use that as a measuring stick for
maintaining a certification is counterproductive (as in the
CISSP). Especially when a person is presented with few actual
formal training opportunities. Retesting is also ineffective,
because it requires the tests to be revised at the pace of
the technology they are based on, and in most cases a current
certification holder will crash the week before the test (or
get a braindump) and pass. At that point, are they being
tested on their knowledge of the industry, or on their
ability to quickly memorize some key facts?
But if we take away the certifications, then there is no real
way for an employer to gauge a prospective employee's
knowledge and experience level. While placing all of one's
stock in a candidate's ability to pass a test is admittedly
flawed, it is also admittedly hard to compare a candidate
with a lot of initials after their name with one who hasn't
one cert. With the increase in emphasis in certs, the problem
is going to only get worse, not better. Everyone in our
industry needs to realize that certs are not the end-all,
be-all that their purporters claim, and more importantly, we
need to act on this knowledge just as we do other snake oil
salesmen and knock the importance of these tests down a few notches.
Certifications have their place, but they need to be fairly
priced, accurately represented, not used as a marketing tool,
and industry-recognized.
I like the ASE analogy. Too bad it won't happen here.
