Career Advice Tuesday – The Least Common Denominator
September 22, 2009
Dear Mike and Lee,
Most HR people seem to always recommend security professionals with a CISSP or CEH, but the sad thing is that not all certified people are really good at practical application or have skills in the real world.
I bumped into this new training offered by a company that creates an important penetration testing toolset. Would this cert get me into an infosec job?! The way I see it, the people who pass these skill-based exams would really know what they are doing. As a similar example, the RedHat Certified Linux Engineer (RHCE) is like an 8-hour exam just to troubleshoot a Linux machine. With this training class, I figure I'll get actual knowledge and the ability to use it, unlike with something like the CEH.
Anyway, any updates on this cert would really be good feedback for people like me.
Confused About Certs
I left out the name of the new training that you mentioned because it really doesn't matter. While the training in question is a good one and provides some good skills, the question itself misses the point.
Certifications do not get you jobs nor provide you with skills.
Without going into a large dissertation on Signal Theory, the point of a certification is to assert one thing (and one thing only): "Person X knows a certain base of material to a certain basic and fundamental level."
Certification is an indication that someone has some ability within a domain and is able to navigate within it. For example, regardless of what the certification bodies and training companies say in their marketing material, having a certification like the CISSP does not make one competent to practice information security. What it does assert is that the person in question identifies himself/herself as an information security professional and is conversant and aware of the fundamental concepts that underlie the domain (e.g. risk, network security, fire suppression, physical security, etc.).
Beyond the marketing, this is as it should be. A CEH no more qualifies you to break into a bank than a driver's license qualifies you to race in the Daytona 500. However, it says that you have a certain fundamental skill set that allows someone to identify you as belonging to the group of "ethical hackers".
Where we (as an industry) get into trouble is that we tend to believe that certification and training are supposed to convey formal competence (and, in some cases, excellence). This is impossible: a certification that only proved that someone was an above-average professional would never have enough members to make it a worthwhile signal. If the test were too tough to pass, too few people would ever take it for HR people and management to accept it as a useful signal of base knowledge.
If you don't believe me on this one, look at all the "hard" certifications that have gone by the wayside or been ignored over the years. SANS dropped their practical requirement. The CISSP went from a very low (30-40%) pass rate in the early years to a much higher pass rate today. ImmunitySec has a phenomenal cert, but how many people reading this even know what a CNOP is (without clicking on the link)?
The point of a certification isn’t to get you a job. It’s to admit you to the club of people who claim competence within the field. Note that I didn’t say “the club of people who ARE competent” – that you took and passed a certification is a self-declaration that you want to be considered to be part of the club. The certification is only the ticket to the door – what will make you successful is what you do once you’re inside.
In short, I'd advise working on your skill set in almost every case and considering the certification secondarily. There are some times when certification is the most important career investment at a given moment, but that number of times is about three orders of magnitude less than most people in the industry think it is. If you think you might be in that situation, get in touch with us directly. We can help guide you in the right direction.
Note: as a point of full disclosure, Mike is also the lead trainer and curriculum developer at The Hacker Academy, a leading training and certification company.
Mike and Lee
Posted by mmurray | Filed Under Career Advice Tuesday