Infosec Certifications, Worth The Paper They Are Printed On?
A few months ago I was reading a lot of posts about the value, (or lack thereof), of degrees in infosec. That really got me thinking. What value does education have that comes with a little piece of paper?
To start with, a little of my background. I come from a fairly tried and true infosec path. I went to university and received my Bachelor of Science with Computer Science. I didn't like programming (as was the focus of Comp Sci degrees of the day) so I decided to go the System Admin route. I spent a number of years in this field (including *shudder* management) and by all accounts was quite successful. Eventually though I felt the 'pull to the light' of infosec. I started doing more and more security duties and eventually worked my way into full time. At that point I studied, and got my CISSP, and eventually moved on to SANS where I obtained a number of certifications including the coveted GSE. Anyone who looks at my profile will note, I have quite an alphabet behind my name. With this, most people would automatically expect me to be on the high road of infosec certification.
But here is the kicker, I am really not. As a person who has done a lot of hiring over his years, I have hired the majority of my best people, without ANY (at least without a LOT) infosec certifications. Ok, I know I am a Gemini, but why the discrepancy? It all goes down to a few things that will become clear further down. For now, let us dive into the types of certifications, and different purposes for getting them.
Types of Paper:
- Comp Sci/General University Degrees
- Infosec Degrees
- Vendor Specific Certifcations
- Vendor Neutral Certifications
1. Again, my personal experience is with the first one. In my day (and location), a comp sci degree was all that was available to me. And as a whole, it was worth it. I learned a lot, and not just about computers. I learned HOW to learn. Discovered my own particular learning style and why high school was such a hard time for me. Some of the most important lessons I took from my time in university were how to use logic, how a microprocessor worked, and the design of the Unix operating system. These skills are not directly used in my current job, but the learnings obtained, are the foundation for just about everything I do. Many of my colleagues ask me how I manage to figure out some very complex items, and I am almost always telling them about what I learned in university.
2. Ok, now this one I have no personal knowledge of, so please forgive me if I butcher or say stuff that is totally out of line. Infosec degrees are a relatively new phenomenon. Yes I do realize that many have been around for over a decade, but in my day, they did NOT exist. I have mixed feelings about them. And I think a lot of this 'mixture' has to do with the varying quality I see in programs. In some cases, I see a "Master's" level program that appears to teach the very basics of Cisco firewalls and IDS', and other "Bachelor" level ones that appear to get into the theoretical side of threat and risk. In one case, I have been told by the dean of one of the Master's degrees, that I would not learn anything from it. So in essence it would be an (highly) expensive piece of paper. Yet I have been turned down from opportunities because I did not have it.
3. Many people have experience with this one. And not all 'vendor specific' training needs to be just product specific. Cisco, Microsoft, {insert security appliance vendor name et nausium} often do a very good job at explaining the 'why' part of the equation rather than just the 'what'.
4. Lastly, we come to vendor neutral. Many times vendor neutral certifications are very similar to good quality vendor specific ones, just without relying on one particular vendor. I find they often focus more on the why than the what. This to me is a big benefit, however for many others, can be quite the opposite. Some of this might become clearer later on as well.
Why Certify?
Like there being many different types of certifications, there are many different reasons for certifying. I will talk about the types I have discovered. Many times people are a mixture of more than one as the need may encompass various requirements.
- HR Filter Bypass
- Technical Filter Bypass
- Financial
- External Bragging Rights
- Internal Bragging Rights
1. HR Filter Bypass is relatively straight forward. In many cases, HR and hiring companies have teams of people, who's only job is to screen candidates and put forward those who meet the minimum filter. If candidate X does not have N years of experience with technology T, drop 'em. Seems unfair to many of us but this is simply how business works. There may be companies more forward thinking and able to see beyond this, however they are VERY few and far between. A good example of a HR Filter Bypass certificate is the CISSP (sorry ISC2). In my 12 years of having it, I have never learned anything in getting it (save some level-setting on some terminology), and have only ever used it as getting past HR. As far as I am concerned, it is useless for everything else, yet I will keep renewing it until it is no longer needed.
2. Technical Filter Bypass is the next level up. You have gotten past the HR stiffs (sorry my friends in HR), and now have your resume sitting in front of someone that at least knows something about infosec. Likely this will be the hiring manager or team lead. They likely have 20-100 resumes sitting in front of them. And as we humans are naturally lazy, we will want to find the quickest way to go through the list to narrow it down. Examples of this are varied depending on the position. Items like Security+, CISA/CISM, GSEC etc are some that I often see used as this. Doesn't mean they cannot describe a valuable skill or knowledge, but are used to trim down the pile until the hiring manager gets to people they want to at least interview.
3. Financial is quite easy. In some organizations (which I find shrinking as time goes on), certain level of certifications or degrees, come with a financial benefit. This can be a bonus, higher base base, or even ability to move upwards through the infosec ladder. I usually find this more in the upper regions of education like MBA and a Master's in Infosec. Nuff said on this one.
4. External Bragging Rights again is quite easy. This is to satisfy the need to try to show that a person is smart, better than someone else, or a person who just likes to justify why everyone should listen to them. Please note though, this is not always a bad thing. Human beings are competitive creatures by their very nature. We like showing the fact that we have achieved a certain level or milestone. After all, we (usually) put in a lot of effort, time, and money to get their. I will even admit to this one myself. I like others to know what I can do, and yes I do think that sometimes my ego needs to be a lot more humble (something I am actively working towards). This is not a problem unless it becomes the ONLY (or main) reason for certifying. If you only obtain something for the benefit of telling others, you are REALLY in the wrong field. We have a lot of legitimate 'rockstars' in infosec, fakers are quickly called out and shunned (*cough* Simon Smith *cough*).
5. Lastly, Internal Bragging Rights. I know what you are thinking, "What the F**K is he talking about?". I have included this one for a couple of reasons. First, not many people would understand what this is about, and two, I am a 'victim' of it as well (and can be referenced in my previous postings. (ImNotWorthy). I personally suffer from Imposter Syndrome in a huge way. In fact my whole thought process around starting to blog was my attempt to overcome it. I constantly find myself doubting my own skills, knowledge, and even experience. I was even told (with my parents present) by my vice principal that I would not succeed in any academic venue, and should just accept the fact that I would only be good at manual labor. Talk about killing any dreams of a future. So based on this, I found myself wanting to constantly learn new things. I am not happy anywhere I am not learning. But learning is only part of the battle for someone who feels they are just 'faking it'. So I often use certifications to try to prove to myself that I can actually do this. That I ACTUALLY know something. This past fall I even received the GSE (GIAC Security Expert) certification after a long and hard lab. Less than 200 people have EVER been awarded this in the past 13 years of the certifications existence. Yet, even after all of that, I still feel I need to prove to myself, that I am not the 'Imposter'.
Last Thoughts
I know this subject, has a lot of different opinions. And in online threads and discussions, has some very passionate and heated feelings. I hope my ramblings might help others see that different ideas about certification are often based on who you are, where you come from in infosec, and where you are trying to go. No one answer is right for anyone else, but can be used to help others decide what is right for them.