Commentary
Bob Covello
12/26/2013 11:06 AM

2013: The Year Of Security Certification Bashing

As security professionals argued among themselves about how useless certifications are, organizations that needed security services had no place to turn for good advice.

It is impossible to listen to a podcast or follow a Twitter feed without hearing jabs, jokes, and downright slanderous language about the various certifications in the information security field.

What are the problems with the certifications, and what is the problem with our industry that we feel the need to denigrate our entire profession to the point of dilution? I may be speaking very liberally by referring to information security as a profession, as the recent findings of the National Academy of Sciences have dictated otherwise. The study concluded that cybersecurity is an "occupation," not a profession.

What are the problems with certifications like CISSP or CompTIA Security+ and others? Many folks will argue that the certification indicates that the person was capable of passing the test at one time, and little more. Others will say that the folks with the certifications stand around in the datacenter with their arms crossed while the "real" workers do the work. Is this necessarily true? I would have to disagree. These negative comments can hold validity in some cases, but not all. In fact, these comments can be said of any professional organization for which an examining body exists.

To a further extreme, similar criticisms with equal venom can be made about every occupation, profession, trade, or even exalted pursuits such as musician or artist. For example, what does an orchestra conductor do other than a bunch of arm-waving while the rest of the musicians do the work? Even within law enforcement circles, there is a mentality that working at the federal level is where the "real" law enforcement professionals exist, and that the local police, or a small-town police department, aren't doing real police work. Would you honestly be capable of saying that to any police officer in Newtown, Conn.?

Think you're smart? Prove it!
Certifications offer a benchmark through which the average person can be given a level of assurance that the person purporting to do a job is qualified. Are there uncertified professionals who are equally, if not more capable than those with certifications? As in any industry, of course there are. But how is the average person supposed to make that distinction?

The problem with certification bashing is that it creates a cascading series of events that does little to help any of us in the industry, and it damages the industry as a whole. Too many people practice poor security in the first place. These people need security services and they don't know where to turn for good advice. When they finally take the steps to seek advice, they are met with a firestorm of negative commentary within the industry. So, while we are busy bashing each other about how useless the certifications are, the people who need our services retreat back into their land of complacency because of our disunity.

Years ago, Microsoft promoted a certification campaign using the phrase "Think you're smart? Prove it." While this type of "in your face" marketing has gone away, there is something to be said for that approach. Does the certification offer definitive proof of expertise? Perhaps not. But does it help in the absence of other information? It certainly does.

Tech specialists vs. generalists
Is another possible explanation for the bashing that there are too many certifications available for any single one to hold more validity than another? I do not think so. A better explanation is that the number of certifications stems from the vast landscape of technology. A programmer is not the same as a hardware engineer or a network engineer, and within each of these disciplines there are varying aspects of expertise. You would not necessarily want your scrum master writing code, or your firewall technician troubleshooting a printer malfunction. This would be like asking your pulmonologist about your arthritis. Specialists have a laser-focused area of expertise. This is necessary in a broad landscape.

Are there such things as generalists? Absolutely. My general practitioner knows exactly when to refer me to a specialist. Does that make the general practitioner a bad doctor? Not at all, but I suppose the specialists could say that the general practitioners stand around with their arms crossed. However, I never hear specialists in other professions speak that way about the general practitioners, so why do we do it in InfoSec?

The idea that a certification means only that a person was capable of passing the test at one time is a sad statement, as it indicates stagnation in one of the least stagnant of professions. No one who worked with packet filtering firewalls has stayed in that era. The progress of the industry simply will not allow it. Most certifications require either upgrade tests or continuing professional education credits to keep the certification in good standing. This is the same method in use by other professions, such as attorneys, doctors, and accountants.

What can we do to help ourselves? First, we have to act as a community. There definitely are charlatans out there, and maybe places like attrition.org are useful in bringing them to light. But is a public flogging truly the solution? The InfoSec community is small, and it is fairly easy to engage in a private discourse with someone with whom you disagree. We should work together as a community so that we can mature as an industry. As the National Academy of Sciences Report indicates, we are a young industry. But the last thing we need to do is act like a bunch of whiny babies.

Bob Covello is a 20-year technology veteran with a passion for security-related topics.

Comments
Marilyn Cohodas,
User Rank: Strategist
1/6/2014 | 1:18:56 PM
Re: Cost of Certifications
Great list, Bob. As for your observation that "CIO should be the one 'selling' these ideas to upper management," I wonder how often that is actually the case!

Bob Covello,
User Rank: Apprentice
1/6/2014 | 1:13:34 PM
Re: Cost of Certifications
If I had to convince a CIO of the value of a certification, some points that I would present include:

Recognition of specialized knowledge - If you are in a regulated industry, it simply looks good that you have people on staff who have shown that they have succeeded in a particular level of study relevant to their job. This is particularly true of vendor-neutral certifications.  (This is where many certification bashers lose sight that subject-area knowledge can be as valuable as hands-on skill.)

A certification also adds credibility when working with external vendors and especially clients.  Clients like to know that they are working with a person who has a recognized level of knowledge.  This is true of both vendor-neutral and vendor-specific certifications.

Vendor-specific certifications are valuable because they show that the recipient understands the vendors' preferred methods of working with a piece of hardware and / or software.  (This is where the hands-on folks are an invaluable asset.)

A vendor-specific certification usually also entitles the certified individual access to vendor information that is not available to the general public, including free support on the product as well as advanced copies of new products.

In some cases, a vendor-specific certification is required if you are publicly supporting a particular product.

I am confident that most CIOs already know these facts, and the CIO should be the one "selling" these ideas to upper management.

From a CIO's perspective, supporting an employee's career advancement by helping the employee attain new knowledge and skills will increase employee retention and morale.

I hope that helps!
Marilyn Cohodas,
User Rank: Strategist
1/6/2014 | 9:58:17 AM
Re: Cost of Certifications
Thanks Bob.

Do you have any tips for individuals who are trying to make the case to the  CIOs that paying for a  certification credential for their IT staff is a worthwhile investment?
Marilyn Cohodas,
User Rank: Strategist
1/6/2014 | 9:50:17 AM
Re: Is the perpetual cycle of certifications effective?
The question of vendor versus general security certifications is a tough one. On the one hand, it's most definitely a full-time job just to keep up with the technology landscape as vendors develop new versions of products to meet the demands of enterprise IT customers. But who can argue with product development trends that offer better tools to protect data and systems from attack. And w

On the other hand, who is more knowledgeable about getting the most out of security tools than the vendor itself? Or are the general training courses adequate for the majority of experienced security professionals? Interested in hearing more from readers on this issue.
Bob Covello,
User Rank: Apprentice
1/3/2014 | 7:05:33 PM
Re: Unfortunate cultural reflection
I sincerely hope that we may rise above the din of negative discourse, and I work every day to promote a spirit of collaboration, rather than criticism.
Bob Covello,
User Rank: Apprentice
1/3/2014 | 7:03:15 PM
Re: Is the perpetual cycle of certifications effective?
The point about vendor-specific certifications is correct. Many of the vendors change their products so often as to make the certification impossibly cumbersome to maintain. It is one of the main reasons why I let one of my early certifications lapse.

However, the vendor-neutral certifications that do not rely on specific product-based knowledge only require the maintenance of Continuing Professional Education (CPE) credits, many of which may be satisfied at no cost.

Bob Covello,
User Rank: Apprentice
1/3/2014 | 7:01:52 PM
Re: Is the perpetual cycle of certifications effective?
The point about vendor-specific certifications is correct. Many of the vendors change their products so often as to make the certification impossibly cumbersome to maintain. It is one of the main reasons why I let one of my early certifications lapse.

However, the vendor-neutral certifications that do not rely on specific product-based knowledge only require the maintenance of Continuing Professional Education (CPE) credits, many of which may be satisfied at no cost.

You may want to examine some of those to further your knowledge.
Bob Covello,
User Rank: Apprentice
1/3/2014 | 6:54:29 PM
Re: Splitting hairs....
You are correct. "Certification ... should indicate intent or goal. The beginning, not the end."

Achieving the certification is merely the first step in a path of commitment and study. It lays a solid foundation on which to expand. Anyone who obtains a certification and stops learning is failing the ethical obligation of the certification.
Bob Covello,
User Rank: Apprentice
1/3/2014 | 6:51:05 PM
Re: Cost of Certifications
I have to agree with Marilyn here.

When I sat for one of my certification exams, my greatest fear about half-way through the exam was "if I fail this, do I really want to spend the money to take it again?" I then forced myself to re-focus and finish the next 125 questions.

All of the certifications have an associated cost, but the benefits far outweigh the cost. I have studied for 2 other certifications for which I never sat for the exams! However, the knowledge that I gained far exceeded the cost of the study guides (one of which was over $100).

Knowledge is KING! Collaboration is its QUEEN! That was the underlying sentiment of my article.

If you truly understand the material, sit for the exam and reward yourself for your achievement. Personal growth is the key, and adding something (such as a certification) that is recognized as a sign of that growth should be embraced, not avoided, and certainly not mocked.

-Bob
Marilyn Cohodas,
User Rank: Strategist
1/2/2014 | 10:19:15 AM
Re: Cost of Certifications
@LinRoeder. I can see your point about $300 being a large hit for someone just starting out in Tech Support. But I would argue, if you look at that amount over the course of a year, an investment of under $6 a week is pretty small to give you a credential that could give you a leg up in getting a better, higher-paid, more responsible position.