Certifiably certified

Network security certs become meaningless

  • alert
  • submit to reddit

5 things you didn’t know about cloud backup

A recent issue of SC Magazine, one of the information security industry’s cheerleading trade rags, featured a full-page advertisement with the following emblazoned across the top of the page: “How to increase your salary by 21.39% in 7 days or less.”

At first glance, I thought it was from the same people sending “Get Your Green Card Now” messages to USENET during the 1990s. But to my dismay I saw it was from a firm offering intensive bootcamp-style training to technology professionals to earn their security certifications from ISC2, Cisco, TruSecure, and a suite of other organizations. The advertisement also had the spamorific phrase “Get IT Security Certifications Fast” and cited research reports showing that certified people command higher salaries.

This illustrated one of my latest pet peeves: certifications that are marketed more towards personal advancement and money than to training technology professionals for the demanding and important job of securing networks. Security certifications represent an industry paradox: they’re becoming more numerous and easier to obtain, yet, bucking all laws of supply and demand, they seem to be more valuable on the job market.

Acronyms or Experience

From where I sit, security certifications are nothing more than a cash cow for the companies offering them. Rather than educating aspiring security pros how to secure valuable network resources, the wave of pyrrhic certifications is a means for non-technical recruiters and otherwise clueless corporate officers to separate resumes when hiring security people. The only problem is, the certifications don’t necessarily guarantee that the holder is qualified to secure a network or to react to a potentially costly security incident. Instead of serving as a device for identifying qualified candidates for hiring, certifications are simply a time efficient way to sort resumes.

Through clever marketing efforts of the certifying entity, HR personnel may be led to believe that applicants without such credentials are not legitimate candidates for the job. The other side of this coin is that these efforts will likely lead HR people to conclude that the possession of a cert is evidence of adequate, working knowledge of information security. As a result, a seasoned veteran with years of hands-on experience in hardening systems will be deemed less qualified than a wet-behind-the-ears pup with three or four fancy acronyms behind his name.

Some of these certifications are offered by established credible entities such as SANS. But there are others from more dubious sources that don’t provide much in the way of information about its certification program contents or instructor expertise. All come with fancy diplomas and letters you can use on business cards to look down on other who don’t have the intelligence or ability to accumulate an alphabet soup of letters after their name. But all of these acronyms are so much hollow clanging: sound and fury signifying nothing. Not only that, but most must be renewed every few years – thereby guaranteeing a perpetual stream of income pouring into the coffers of the certificate-granting “authority.” Ka-ching!

Obviously, it’s not about security, it’s about the money, stupid.

Too many people forget that letters after your name don’t make you a better security or technology professional. The problem is that many certifications are simply not stringent enough. The emphasis is not on establishing compliance for rigorous industry standard, but in generating revenue for the certifying body. Given enough time and money to throw at the challenge anyone with half a clue about security can pass a test or write a halfway-acceptable paper, particularly when many certifications are granted on a pass/fail basis, the threshold of which may be as low as sixty per cent. Furthermore, candidate can often challenge substandard marks thereby snatching an undeserved certification from the jaws of failure. Let’s face it, if your security administrator is only capable of protecting against sixty per cent of exploits, your network will be a playground for malicious hackers.

Introducing people into a trusted internal environment and charging them to protect it simply because they appear to be competent in the eyes of a third party is foolish. Haphazardly hiring security personnel on the basis of a certification for which there is not even a standard (such as ISO 17799) is a reckless endangerment of the hiring organization’s resources. Furthermore, given the interconnected nature of the Internet, in some cases, this has the real possibility of adversely affecting security across the Internet in general.

Doing the Time to Prevent the Crime

Having been a Chief Security Officer for a multi-billion dollar company, my hiring philosophy is this: give me someone with an outstanding command of the basics of systems and networks (which includes security fundamentals) and years of demonstrated operational experience “in the trenches” over someone with a few years of training and a few certifications anytime. Expertise and professional competence in anything comes from time doing the work, either professionally or as a hobby. Certifications are great ways to impart theoretical knowledge, but they are no substitute for real-world experience and lessons-learned in the workplace.

If a candidate for a security position is competent, you’ll find that out by due diligence during the interview process and reference checks easily enough. But if they’re truly professional, their successful history in technology security operations and management and ongoing writing, speaking, or teaching activities among their colleagues verifies their security competencies far more effectively than any certification or training regime.

Someone who truly knows how to implement security the right way should be evaluated and respected accordingly by their demonstrated work experience and by a diligent informed interview process conducted by security professionals. They should not be hired by an HR hack who knows nothing about security but the acronyms of numerous half-baked certifications.

Now, for a Limited Time Only...
That having been said, I’m happy to announce that I’m going into the certification business. If anyone cares to send me $500 and copies of their alphanumeric passwords, I’ll return to them a diploma conferring on them the title "Certified Strong Password-Using Professional" (CSPUP) that’s good for four years from the date on their check or money order.

Within weeks, you'll be worth more as a security professional in the eyes of your employer. Trust me.

© 2002 SecurityFocus.com, all rights reserved.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story


Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.