I Am Certified - You Are Secured

Monday, July 18, 2011

J. Oquendo


Mustering up as much arrogance as I possibly could, I slowly inhaled in order to make my chest stick out, fixed my tie and uttered “I am certified, you are secured.”

Knowing damn well I could not make good on that promise, I still thought it sounded good, and for a second there, with my who-knows-how-many certifications, I almost believed myself.

Aside from lying to my client, I also lied to myself, but it's all good because the money is in the bank and I'm walking out the door.

Being certified implies that I have a clue and fully understand all of the finer gears inside the machinery of the company I just performed security work on. Not only do I not need to prove that I can actually do anything productive, I can provide in-depth critical coverage of any subject or question I am asked. I know this all too well from many a night of cramming security content down my throat while studying to make more money.

Security? I don't care for it. I learned a long time ago that companies do not want security. They do not want assurance; they simply want a framework to ensure that they did no wrong. My goal is simplified ten-fold and my aim is to ensure that someone at the C-level can cross their T's, dot their I's and get on with their game of golf. Obviously golf is the only association with the word Ping [1] many will ever come to know.

Now many reading this are wondering how it came to this. What is he saying, security heresy!!! The reality and fact of the matter is, the industry made me what I am. In fact, recruiters and HR personnel without a cause made me this way. You see, a long time ago, I sought to defend networks from attacks.

I spent many hours on end studying attacks, counter attacks and developed accurate and robust methodologies to prevent attackers from “owning” your asses, however, you wouldn't listen.

At the time I didn't have my CISSP or CISM or CISA or CCIE, and the reality is, none of those certifications have anything to do with penetration testing. None has anything to do with deploying firewalls; none has much to do with anything, as they're either too broad or too narrow. I told you then and you wouldn't listen.

You, the business owners, forced me into a corner like a dog and gave me a few options: CISSP, CISM. Only when I obtained one of these would I be able to effectively: 1) configure firewalls and SIEM, 2) properly perform penetration testing, 3) perform network audits, 4) perform network and security assessments.

Forget the fact that I had been successfully doing so for years without them; businesses don't need security, don't be fooled. Businesses need to imply they took the appropriate security measures. Cross those T's and dot those I's.

No longer would I be able to deploy routers, firewalls and IDS like I had been doing during the course of normal business hours for years. I now need my CCIE to do so; forget the fact that I could configure, deploy and troubleshoot them (again, I have been doing so for years), management needs proof that I can do so.

So why not hire a candidate who could read a book, memorize content, pass a test and call it a day? Makes sense. The aftermath? The aftermath is me. Here I am in all my glory, strolling in drinking my latte, checking my Blackberry, wondering if I brought the right pie charts to feed you my BS.

Wondering if the colors will wow and impress those coming into this conference room. I'm hip, I'm in the game and did I forget to mention – I am certified? Not only that, when you see my bill! How else do you think I got this CLS55 AMG?

So how did we get here? How did security come to this? While many read this initially performing the obvious facepalms, the reality is, this is where many companies have gone when it comes to security. Who is to blame? Is it the certification vendors doing what businesses do – marketing and making money?

Is it the human resources departments that throw certs like the CISSP, CISM, CISA or CCIE into a position whenever the word security comes into play? Is it the individual who now has to pass a test just to get a foot in the door? Where is the industry headed? Obviously certifications aren't the cure. While they may help, they aren't the cure.

Imagine for a moment I was interviewing for a position at your company. Fresh out of school, I obtained my Masters in Information Security. Scratch that, I aimed high and walked away with a PhD. What experience do I actually have? Realistically speaking, by the time I finished up school for a PhD, technologies would have changed at least three times. So what are you getting out of me as a business by hiring me?

With zero experience in the field, never touched anything enterprise outside of a rental car, honestly, what are you getting? This is not to knock anyone who earned their PhD, any degree or any certification, this is merely a “hello, what are you thinking” kind of question.

There are many talented individuals both certified and not certified. How did the industry come to rely on certifications as the “de-facto” anything nowadays? Once upon a time, workers would apprentice in a shop, study hard for years to master a trade, perhaps take some form of exam to be called an “expert” or earn a certification.

Nowadays, all one has to do is dig around for content related books, study to their heart's content, pass an exam, slap on an “I'm Certified – You're Secured” label and businesses are content with this. There is no value to this type of security, there never was and there will never be. For those still facepalming, reality is what it is.

I am unsure how many times I have met someone with enough certifications to fill the backside of their business card. I am also unsure how many of those I have met I was able to gauge knew little about what they were talking about when it came to security. I am further unsure, of those I have come across, how many forums I have seen them cross-post in looking for "wares" on passing another test.

They aren't doing it to learn how to secure an infrastructure properly; they're doing it so they can retain their jobs in some instances. These are the guys that are likely in some of those companies that were recently compromised. You know, the Lockheeds, etc., where those companies outright buy every single available CISSP seat in DC.

When I think about the flip side of this, I can't count how many talented and uber smart security professionals I have met without the certifications. These are the ones likely in "the trenches," having worked in either a NOC, SOC or some other capacity of IT: systems administration, engineering and so on. The same holds true for individuals who hold those certs. I know of many a CISSP who really has a clue [3] and likely got their certification because of marketability.

In any event, back to the matter at hand: I am truly certified. I ended up having to get certified to see what all the hoopla was about. It took me 12 years after the fact to even bother taking a certification exam, but that's irrelevant. I can now give my clients peace of mind as I move on to HTML certification.

After all, I want to make sure their HTML code is in order. They're sure lucky they chose me too. I am Certified – They are secured. Here is my bill, here is your pie chart, see you on the 18th hole.

NOTE: This rambling was not meant to attack anyone holding any certification. I merely used the industry standards CISSP, CISA, CISM and CCIE for the purpose of formulating an opinion.

This is not an attack on any individual; however, if it touched a nerve, then it was likely you it was targeted at. I do not hold the CISSP [2], CISA or CISM and don't care for them. While I make mention of the CCIE, that is an altogether different story; please re-read its use. Who the hell needs a CCIE to maintain firewalls? I mean seriously?

Soupy sales


J. Oquendo Robb, I intended it to mean, give someone a chance and let them know certification would be required in X amount of time. The fact that a person hasn't taken the time to certify proves very little. My brother in law ran Citigroup's network out of NYC for 21 years without having a cert. He had been there for years and understood their network more than any certified candidate ever did. Alas Citigroup outsourced their entire networking group on Greenwich so even the certified guys were given the heave ho.

Just because someone HAS NOT certified makes them no less experienced and worth having on board than someone who took the time to certify. So when you say "can't be the perfect fit for most security roles," I take personal issue with that, as I could likely fit into any security role under the sun and PERSONALLY choose NOT to bother with certifications that make little sense to me. However, I prefer to remain in the technical arena rather than run around being hypocritical, dishing out pie charts whose values mean little more than "look at me, I can skew the numbers to my own liking!"

While I don't disagree that "certing" is a bad thing, my POV is that it is not the de-facto "You are security god" people make it out to be. I have personally mopped floors with CISSPs, CCIEs, CISMs and the list goes on like Alphabit cereal. Am I better than they are? On some grounds sure, on others absolutely not.

I will go back and say now: "If a candidate has experience, I'm all for it; however, in the event that it is MANDATORY, I would urge the employee to get the cert out of necessity, not in order to perform the work."

I thought about further refining this into another "Part 2" and pinpoint WHY some of these certs fail, but it is old re-hashed news. E.g., should I be forced to study fire extinguisher types and methods? In most companies, especially in cities, at NO POINT IN TIME will I ever be exposed to this. So what and where is the value in this?

I also thought about a "Part 3" from an HR perspective and how they're forced to make sense of the requirements of a candidate. What do they know about tech honestly. Most will run through Google and copy and paste anything and everything associated with the term security. Do you HONESTLY believe that ONLY a CCIE or CCSE can deploy, configure and administrate firewalls?
John Langston "...But when you get up to the senior positions, the candidate must have some proof, and being appropriately certified is part of that mix. ..."

Clearly not the case with Laura Callahan being named to a senior level position at the U.S. Cyber Command.

Robb Reck You don't think there's any proof she has good, applicable experience? I never suggested that certifications are the only part that matters, simply that it's a part of the mix. It's possible to be great without it, but certifications make the job of determining who is experienced easier.

I am not especially interested in an on-going debate on this topic, so this will be my last response. I simply wanted to give my opinion that certifications matter, not necessarily because they mean you know more (though I suspect that on the whole, they do mean that), but because it gives us a kind of attestation that someone has gone through the effort to learn some skills, and jump through the hoops his industry requires. It shows a level of commitment to the career. It's not perfect, and there is a lot of room for improvement, but as a hiring manager it matters to me.

I know we'll end up having to disagree on this. I hope that in the future the certifying industry can come up with more specific, more useful certifications that provide better assurance of the quality of the holders.
Michael Chan Robb has a point. It is like this with every senior technical position in general. There is only one exception. If you already know the person. If you don't, how are you going to gauge whether the person you are interviewing is just lying through his teeth to get the job?
John Langston My reference to Callahan is not because she made headlines with certifications but because she resigned from a senior position at Homeland Security after it was determined her cited degrees had all come from a diploma mill.

In other words the credentials presented that enabled her to secure several high positions were truly just paper.

Pete Herzog J., your point is well taken that there is a definite dearth between certifications and capability. I come from a position of working for a certification authority and we know that there are some pitfalls to making a good certification. You need to make it so that the person who passes has proved a particular ability that can stand in for experience at doing that job. You need to assure the candidate is resourceful enough to round out rough edges of the experience they can't mirror so quickly. You also can't be afraid to fail people who can't. (One large training company in the US dropped the OPST early on because they had a 50% fail rate and they said that we must change the exam so they get a 90% pass rate because they guarantee a free re-training bootcamp if a student fails the exam.) So there is a business reason to make certifications easy and as marketable as possible knowing that each person who certifies is not likely to trash talk their investment. Add to that the business needs to make the test so it can be easily graded in a fast time (people want instantaneous) and each question needs a clear answer so that there's no disputes and you end up with a business need to just make an easy exam. Unfortunately, we know that no test is really easy. Those certifications don't reflect the real world scenario we test under where exploits work and systems respond. Because sometimes they don't. And how people handle not getting the answers they expect is just as important as how they analyze the answers they might get. Furthermore, it's important to know how the person is solving the problem which is why if they show their work, and they show they knew what they were doing even if they didn't get the right answer, then they may still be right. Because in practical examinations, under real-world conditions, it's close to impossible to assure 100% black and white answers. Yet, that's how this mass-market certs work.

Basically, the people who go after these mass-market certs, the ones who hold them, should certainly not think they provide enough value to hire those with them in lieu of experience, which is what I'm seeing in these comments and around the world. I can excuse those who aren't security people because anyone can be fooled by marketing under duress but real security pros who don't see that these aren't providing what people really need to do the job, are only perpetuating the myth. This only leads me to wonder why?
Skip Alfonso J,
Your comment concerning the knowledge of fire extinguishers betrays and contradicts the title to your article and exposes a bit of tunnel vision in viewing the overall state of security in our world. If you don’t know what type of fire extinguisher or extinguishing system is protecting your data center (knowledge you would have if you studied for a CISSP or CISM), you are not secured.
The one thing that certification organizations such as ISC2, ISACA, SANS and yes, even ECCouncil has done is increased awareness in business and in government about security. Without their attempts at standardization and best practices we would at best be at the mercy of vendors as they pitch their own version of security to lone and isolated security operators who ineffectively attempt to protect us from script kiddies, criminals and terrorists.
As you stated, CISSP and CISM are management certifications. To use the analogy of the military, these certs should be applied to officers, not the ground troops. Officers should know strategy, design and tactics. The officers rely on their troops to know their weapons, vehicles, armor and systems at a far higher and more in-depth level than they do. The true solution to the problem you are describing is to have the recruiters, or those who engage and interview prospective employees, be themselves certified as either a CISSP or CISM.
I know entirely too many incompetent lawyers and doctors, all sanctioned by the state. The worst are those who can quote law and medicine by the book, with years of experience prescribing the same worn out remedies known all too well in both professions. The entity we are supposed to be securing is technology itself. By its very nature, it moves and evolves at ever increasing speeds, often making experience and education obsolete as it progresses. Certification and experience are both values that should be pursued, but as a man much smarter than I once said, “Imagination is more important than knowledge”. Where that knowledge comes from, experience or education, is irrelevant.
Amanda Grissom I would love to be an auditor but the "must have a college degree" requirement always blows me out of the water. I'll never understand it. With over 15 years of practical, hands on experience I would think that I would get a look. But with recruiters/hiring managers who believe a college degree is a requirement to work in a hands on technical career field, I'll never get a shot.