Fun bit on security certifications

by Anton Chuvakin

Related link: http://www.sockpuppet.org/tqbf/log/2005/06/how-about-dont-be-evil.html



If you are thinking of getting a CISSP security certification, read this essay by Thomas Ptacek (you know who that is, don't you?). Here is a quote: "a certificate that is held by less than 10% of the most respected practitioners in the industry, but that is held by more than 90% of third-string consultants and entry level IT secops, lacks some credibility."


He might be a bit harsh, since his judgement seems biased by his personal perspective, but - you know what? - he has a point. So far, I am pretty happy that I avoided this cert.


3 Comments

funkatron
2005-06-20 17:37:35
Why?
Can you explain why *you're* happy you've avoided it?
anton_chuvakin
2005-06-21 06:57:53
Why?
Well, it's a long story that has a chance of degrading into a rant :-) One of the reasons is that way too many of my friends will lower their professional opinion of me if I get it. An example is in order. I have a friend who was hired for a new job recently. One of the requirements was that he does not have a CISSP, since he was supposed to actually DO things, rather than talk ABOUT things. That was the perception that his boss had. There is nothing wrong with 'talking about things', but there is something wrong with talking if what you need is to do them :-)


Email me if you want more details.

tmo9d
2005-06-22 00:08:34
Dead on
Although not a security professional, I've had a similar experience. Back in Winter 2001 when the economy was in the bucket and getting worse, I could find a job for maybe four months. There were just so many programmers for each job that people were requiring Java certification or they would just throw your resume into the can.


Now, the Java certification is useful if you want to try to guarantee the most minimal set of skills you can find. Really, the Java certification exams are just a cakewalk; if someone has certification it usually means that they can read and take tests. These tests rarely get into critical reasoning or problem solving (although I have heard the Cisco tests are legit).


Like you, I had a job interview about two years back where someone mentioned that they almost DIDN'T hire me because I had listed my Java certs on my resume. I've since removed them - certifications are a waste.