Liquidmatrix Security Digest

Certifications and You

Interesting rant over on InfosecIsland — I Am Certified – You Are Secured — by J. Oquendo.

Mustering up as much arrogance as I possibly could, I slowly inhaled in order to make my chest stick out, fixed my tie and uttered “I am certified, you are secured.”

Knowing damn well I could not make good on that promise, it sounded good and for a second there with my who-knows-how-many certifications, I almost believed myself.

Aside from lying to my client, I also lied to myself but it’s all good because the money is in the bank and I’m walking out the door.

I’m really of several minds on this one.

If you’ve met me, you know I rail against the shitty paper certs – and have for a long time – since back when CNE meant something and HRDC (Human Resources Development Canada – a branch of the Canadian gov’t) was paying out-of-work steelworkers to learn about Novell NetWare.

I did a talk called Security Heresy (full version at SecTor, shorter version at DEF CON Fail Panel) available on http://www.vimeo.com/myrcurial that goes into a ton of detail — and is 4 years old.

I have a cert… CISA to be specific.

I just “grandfathered” into another… CRISC (assuming they grant it – they probably will, they cashed the cheque).

I am being pressured to get a CISSP by both current job and HR departments who cannot see that 17+ years of infosec with a previous background in audit might make me more qualified than someone who wants to get into this security thing straight out of school.

Heh, I should get my CCSK, since I helped write the source material, helped build the training material and do a ton of cloudy stuff in my day-to-day. But which proves more – that I did that development work (as a resume line item) or that I have the cert? Now ask an HR department.

At this point in my career, they’re a way to show completely inexperienced people that I know what I’m doing and not much else.

The solution to certs is to fix something fundamental about the granting orgs — they exist for the sole purpose of “increasing brand strength” by getting the NEXT guy/girl certified. They do not exist to distill the pool to higher quality. They do not exist to protect your economic viability.

Can we get a cert that is about quality rather than quantity?
Can we get a cert that recognizes experience counts?
Can we get a cert willing to apply the “Good Housekeeping Seal of Approval” to their cert holders such that you can know categorically that you are protected if you hire based SOLELY on the cert?

That’s the kind of cert I’d work towards. And even with my background and experience, I’d suggest that it should take some serious time.

Right?

Image CC from Twodolla’s Flickr Stream
