Wednesday, May 19

6 Tech Certifications That Will Get You Hired as a Security Pro

I'm not a gigantic fan of security certifications, but this is interesting, as it allows you to know your audience, and it allows the audience to know what to look for.

Why am I not a Gigantic Fan of Certifications?

  • Anything that can be boot-camped is worthless.

  • Anything where all the answers can be found in the book for the classware, and you are allowed to take the classware book with you to the test, is worthless.

  • Anything that does not require a practical exam (either written or physically typing something) is worthless. This is why I am a slightly larger fan of the Gold GIAC certifications, as they require you to write a practical, and of the harder Cisco ones and the Red Hat exams.

Personally I'd rather hire someone that can do the job, do it well, and if they don't know the answer, know where to find it.

z9m9z said...

I agree with you about the GIAC certs. I was dismayed when they dropped the practical from the requirements. I feel actually having to *demonstrate* your knowledge instead of just taking a multiple-choice test had a lot of merit.

And I would have left the CISSP out of the list. I know far too many CISSPs who know all of the testable answers (as opposed to the correct ones), and can't manage to apply any of that information.

I decided against going after a CISSP (though I have had the bootcamp training) when a CISSP I work with questioned the need for a practical. "That just proves you can write," he said, something with which he himself has quite a bit of trouble.

Joel Esler said...

I agree on the CISSP point. Like I said, anything you can boot camp is worthless. I've seen some really, really "unknowledgeable" persons in my career who have a CISSP. You know, people who claim that they run Windows 98 because it's "more secure".

David said...

I value my CISSP <must be my non-bootcamp requirement for study>. Now, earning my C|EH, well don't get me on a tyrant (login to http://blah to access the portal, WHAT??).

Joel Esler said...

Not sure what was up with the last portion of your note, but okay.

Didier Stevens said...

I've a bunch of certs. I think I took 18 cert exams. My Red Hat exam was the most fun: only hands-on problem solving, and no open book. Until I took the Offensive Security exam for WiFi security. Offensive Security exams are also completely hands-on, but not proctored. You take the exam online, so you can do it from your home, and you can use any info source you want. So it's even closer to real life.

JeffSoh said...

While I get your point about something being "boot camped", and heartily agree a GIAC Gold is far better than Silver, I wouldn't go to the extreme of saying the test-only certs are worthless. With the quality of SANS teaching, and the amount of information presented, you're much better off after having taken the training and studying for the cert, in my opinion. And if you didn't study? Open book or not, you're not gonna pass. There's just way too much information to blow off the classes or the study time and pass a GIAC cert. Again, in my humble opinion (and from the experience of holding three SANS certs).

Joel Esler said...

Okay Jeff, I'll agree with that for the most part. My argument is against certifications like "Security+" where people have just simply posted the answers online.

markofu said...

Hi Joel,

I sent you an email on this recently :) I've done quite a few GIAC certs, two of which are Gold. I completely agree with you on the value of certifications where the questions are predictive; far too often, many of these folk don't cut it in the real world.

The Gold element is definitely more difficult in my opinion (though I don't rate my 2002 practical very high :) ) and I cannot recommend the GIAC Gold highly enough and I agree that it marks the person out, which brings me to the GSE.

I hope to be able to sit the GSE next year, though much of that will depend on whether or not there's a European sitting. I just need the GSEC (yeah, I went at it the wrong way) and I'm toying with the idea of doing a GCIA practical if I've time.

I'm not really too worried about the written paper but the practical will be tough, though I wouldn't have it any other way. I think this is what marks the GSE as different - i.e. it's hard and (I believe) people fail. I know whether or not I pass, I will learn and that's what matters to me most!

Enjoying the blog as always :)


Joel Esler said...

Thank you Mark.