Certifiably certified

Network security certs become meaningless

A recent issue of SC Magazine, one of the information security industry’s cheerleading trade rags, featured a full-page advertisement with the following emblazoned across the top of the page: “How to increase your salary by 21.39% in 7 days or less.”

At first glance, I thought it was from the same people sending “Get Your Green Card Now” messages to USENET during the 1990s. But to my dismay I saw it was from a firm offering intensive bootcamp-style training to technology professionals to earn their security certifications from ISC2, Cisco, TruSecure, and a suite of other organizations. The advertisement also had the spamorific phrase “Get IT Security Certifications Fast” and cited research reports showing that certified people command higher salaries.

This illustrated one of my latest pet peeves: certifications that are marketed more towards personal advancement and money than to training technology professionals for the demanding and important job of securing networks. Security certifications represent an industry paradox: they’re becoming more numerous and easier to obtain, yet, bucking all laws of supply and demand, they seem to be more valuable on the job market.

Acronyms or Experience

From where I sit, security certifications are nothing more than a cash cow for the companies offering them. Rather than educating aspiring security pros how to secure valuable network resources, the wave of pyrrhic certifications is a means for non-technical recruiters and otherwise clueless corporate officers to separate resumes when hiring security people. The only problem is, the certifications don’t necessarily guarantee that the holder is qualified to secure a network or to react to a potentially costly security incident. Instead of serving as a device for identifying qualified candidates for hiring, certifications are simply a time efficient way to sort resumes.

Through clever marketing efforts of the certifying entity, HR personnel may be led to believe that applicants without such credentials are not legitimate candidates for the job. The other side of this coin is that these efforts will likely lead HR people to conclude that the possession of a cert is evidence of adequate, working knowledge of information security. As a result, a seasoned veteran with years of hands-on experience in hardening systems will be deemed less qualified than a wet-behind-the-ears pup with three or four fancy acronyms behind his name.

Some of these certifications are offered by established credible entities such as SANS. But there are others from more dubious sources that don’t provide much in the way of information about its certification program contents or instructor expertise. All come with fancy diplomas and letters you can use on business cards to look down on other who don’t have the intelligence or ability to accumulate an alphabet soup of letters after their name. But all of these acronyms are so much hollow clanging: sound and fury signifying nothing. Not only that, but most must be renewed every few years – thereby guaranteeing a perpetual stream of income pouring into the coffers of the certificate-granting “authority.” Ka-ching!

Obviously, it’s not about security, it’s about the money, stupid.

Too many people forget that letters after your name don’t make you a better security or technology professional. The problem is that many certifications are simply not stringent enough. The emphasis is not on establishing compliance for rigorous industry standard, but in generating revenue for the certifying body. Given enough time and money to throw at the challenge anyone with half a clue about security can pass a test or write a halfway-acceptable paper, particularly when many certifications are granted on a pass/fail basis, the threshold of which may be as low as sixty per cent. Furthermore, candidate can often challenge substandard marks thereby snatching an undeserved certification from the jaws of failure. Let’s face it, if your security administrator is only capable of protecting against sixty per cent of exploits, your network will be a playground for malicious hackers.

Introducing people into a trusted internal environment and charging them to protect it simply because they appear to be competent in the eyes of a third party is foolish. Haphazardly hiring security personnel on the basis of a certification for which there is not even a standard (such as ISO 17799) is a reckless endangerment of the hiring organization’s resources. Furthermore, given the interconnected nature of the Internet, in some cases, this has the real possibility of adversely affecting security across the Internet in general.

Doing the Time to Prevent the Crime

Having been a Chief Security Officer for a multi-billion dollar company, my hiring philosophy is this: give me someone with an outstanding command of the basics of systems and networks (which includes security fundamentals) and years of demonstrated operational experience “in the trenches” over someone with a few years of training and a few certifications anytime. Expertise and professional competence in anything comes from time doing the work, either professionally or as a hobby. Certifications are great ways to impart theoretical knowledge, but they are no substitute for real-world experience and lessons-learned in the workplace.

If a candidate for a security position is competent, you’ll find that out by due diligence during the interview process and reference checks easily enough. But if they’re truly professional, their successful history in technology security operations and management and ongoing writing, speaking, or teaching activities among their colleagues verifies their security competencies far more effectively than any certification or training regime.

Someone who truly knows how to implement security the right way should be evaluated and respected accordingly by their demonstrated work experience and by a diligent informed interview process conducted by security professionals. They should not be hired by an HR hack who knows nothing about security but the acronyms of numerous half-baked certifications.

Now, for a Limited Time Only...
That having been said, I’m happy to announce that I’m going into the certification business. If anyone cares to send me $500 and copies of their alphanumeric passwords, I’ll return to them a diploma conferring on them the title "Certified Strong Password-Using Professional" (CSPUP) that’s good for four years from the date on their check or money order.

Within weeks, you'll be worth more as a security professional in the eyes of your employer. Trust me.

© 2002 SecurityFocus.com, all rights reserved.

Sponsored: Minds Mastering Machines - Call for papers now open

Biting the hand that feeds IT © 1998–2018