Interesting rant over on InfosecIsland — I Am Certified – You Are Secured — by J. Oquendo.
Mustering up as much arrogance as I possibly could, I slowly inhaled in order to make my chest stick out, fixed my tie and uttered “I am certified, you are secured.”
Knowing damn well I could not make good on that promise, it sounded good and for a second there with my who-knows-how-many certifications, I almost believed myself.
Aside from lying to my client, I also lied to myself but it’s all good because the money is in the bank and I’m walking out the door.
I’m really of several minds on this one.
If you’ve met me, you know I rail against the shitty paper certs – and have for a long time – since back when CNE meant something and HRDC (Human Resources Development Canada – a branch of the Canadian gov’t) was paying out of work steel-workers to learn about Novell Netware.
I did a talk called Security Heresy (full version at SecTor, shorter version at DEF CON Fail Panel) available on http://www.vimeo.com/myrcurial that goes into a ton of detail — and is 4 years old.
I have a cert… CISA to be specific.
I just “grandfathered” into another… CRISC (assuming they grant it – they probably will, they cashed the cheque).
I am being pressured to get a CISSP by both current job and HR departments who cannot see that 17+ years of infosec with a previous background in audit might make me more qualified than someone who wants to get into this security thing straight out of school.
Heh, I should get my CCSK, since I helped write the source material, helped build the training material and do a ton of cloudy stuff in my day-to-day. But which proves more – that I did that development work (as a resume line item) or that I have the cert? Now ask an HR department.
At this point in my career, they’re a way to show completely inexperienced people that I know what I’m doing and not much else.
The solution to certs is to fix something fundamental about the granting orgs — they exist for the sole purpose of “increasing brand strength” by getting the NEXT guy/girl certified. They do not exist to distill the pool to higher quality. They do not exist to protect your economic viability.
Can we get a cert that is about quality rather than quantity?
Can we get a cert that recognizes experience counts?
Can we get a cert willing to apply the “Good Housekeeping Seal of Approval” to their cert holders such that you can know categorically that you are protected if you hire based SOLELY on the cert?
That’s the kind of cert I’d work towards. And even with my background and experience, I’d suggest that it should take some serious time.
Right?
Image CC from Twodolla’s Flickr Stream
I currently work with someone similar to you. He has tons of experience and no certifications. I on the other hand, am pretty green to the industry and am hungry for certs. I think together we make a pretty good team. He has the experience and I am considered more “current”. <-Heavy quotes there :p
I agree with you… and am amazed at how “nice” the wording is in this post.
However, I doubt that much will change since it (a) took a year’s worth of conversations with a nice HR person I knew at one company just to get them to understand that just because they had a 6 inch high stack of IT resumes they could not “just replace any of the IT people whenever it was needed”… and (b) all the headhunters, excuse me: recruiters I know say to me “I know it is a meaningless cert… but can you get it?”
With far more attention being paid to PR (i.e.: certs) compared to the nearly zero attention paid to actual ability, is it any wonder that the overall security posture around the world is so low?
You get the certifications not to prove what you know or don’t know – you get them to make it easier to get your next job. That is the value of the cert.