Mustering up as much arrogance as I possibly could, I slowly inhaled in order to make my chest stick out, fixed my tie and uttered “I am certified, you are secured.”
Knowing damn well I could not make good on that promise, it sounded good and for a second there with my who-knows-how-many certifications, I almost believed myself.
Aside from lying to my client, I also lied to myself but its all good because the money is in the bank and I'm walking out the door.
Being certified alludes to me having a clue and fully understanding all of the finer gears inside the machinery of the company I just performed security work on. Not only do I not need to prove that I can actually do anything productive, I can provide in-depth critical coverage of any subject or question I am asked. I know this all too well from many-a-nights of cramming security content down my throat while studying to make more money.
Security? I don't care for it. I learned a long time ago that companies do not want security. They do not want assurance, they simply want a framework to ensure that they did no wrong. My goal is simplified ten-fold and my aim, ensure that someone on the C-level can cross their T's dot their I's and get on with their game of golf. Obviously golf is the only association to the word Ping  many will ever come to know.
Now many reading this are wondering how did it come to this. What is he saying, security heresy!!! The reality and fact of the matter is, industry made me what I am. In fact, recruiters and HR personnel without a cause made me this way. You see, a long time ago, I sought to defend networks from attacks.
I spent many hours on end studying attacks, counter attacks and developed accurate and robust methodologies to prevent attackers from “owning” your asses, however, you wouldn't listen.
At the time I didn't have my CISSP or CISM or CISA or CCIE and the reality is, none of those certifications have anything to do with penetration testing. None has anything to do with deploying firewalls, none have much to do with anything as their either too broad or too narrow. I told you then and you wouldn't listen.
You the business owners forced me into a corner like a dog and gave me a few options: CISSP, CISM. Only when I sought one of these options would I be able to effectively: 1) configure firewalls and SIEM 2) properly perform penetration testing 3) perform network audits 4) perform network and security assessments.
Forget the fact I had been successfully doing so for years without them, businesses doesn't need security, don't be fooled. Businesses need to imply they took the appropriate security measures. Cross those Ts and dot those I's.
No longer would I have been able to deploy routers, firewalls and IDS like I had been doing during the course of normal business hours for years. I now need my CCIE to do so, forget the fact that I could configure, deploy and troubleshoot them – again I have been doing so for years – management needs to prove that I can do so.
So why not hire a candidate who could read a book, memorize content, pass a test and call it a day? Makes sense. The aftermath? The aftermath is me. Here I am in all my glory, strolling in drinking my latte, checking my Blackberry, wondering if I brought the right pie charts to feed you my BS.
Wondering if the colors will wow and impress those coming into this conference room. I'm hip, I'm in the game and did I forget to mention – I am certified? Not only that, when you see my bill! How else do you think I got this CLS55 AMG?
So how did we get here? How did security come to this? While many read this initially performing the obvious facepalms, the reality is, this is where many companies have gone when it comes to security. Who is to blame? Is it the certification vendors doing what businesses do – marketing and making money?
Is it the human resources departments that throw certs like the CISSP, CISM, CISA or CCIE into a position whenever the word security comes into play? Is it the individual who now has to pass a test just to get a foot in the door? Where is the industry headed? Obviously certifications aren't the cure. While they may help, they aren't the cure.
Imagine for a moment I was interviewing for a position at your company. Fresh out of school, I obtained my Masters in Information Security. Scratch that, I aimed high and walked away with a PhD. What experience do I actually have? Realistically speaking, by the time I finished up school for a PhD, technologies would have changed at least three times. So what are you getting out of me as a business by hiring me?
With zero experience in the field, never touched anything enterprise outside of a rental car, honestly, what are you getting? This is not to knock anyone who earned their PhD, any degree or any certification, this is merely a “hello, what are you thinking” kind of question.
There are many talented individuals both certified and not certified. How did the industry come to rely on certifications as the “de-facto” anything nowadays? Once upon a time, workers would apprentice in a shop, study hard for years to master a trade, perhaps take some form of exam to be called an “expert” or earn a certification.
Nowadays, all one has to do is dig around for content related books, study to their heart's content, pass an exam, slap on an “I'm Certified – You're Secured” label and businesses are content with this. There is no value to this type of security, there never was and there will never be. For those still facepalming, reality is what it is.
I am unsure how many times I have met someone with enough certifications to fill the backside of their business card. I am also unsure of those that I have met, that I was able to gauge they knew little about what they were talking about when it came to security. I am further unsure of those I have come across, how many forums I have seen them cross post for “wares” on passing another test.
They aren't doing it to learn how to secure an infrastructure properly, they're doing it so they can retain their jobs in some instances. These are those guys that are likely in some of those companies that were recently compromised. You know, the Lockheeds, etc., where those companies outright buy every single available CISSP seat in DC.
When I think about the flip side of this, I can't think of how many talented and uber smart security professionals I have met without the certifications. These are those that are likely in “the trenches” having worked in either a NOC, SOC or some other capacity of IT. Systems administration, engineering and so on. Same holds true for individuals who hold those certs. I know of many a CISSP who really have a clue  and likely got their certification because of marketability.
In any event, back to the matter at hand, I am truly certified. I ended up having to get certified to see what all the hooplah was about. It took me 12 years after the fact to even bother taking a certification exam, but that's irrelevant. I can now give you my clients piece of mind as I move on into HTML certification.
After all, I want to make sure their html code is in order. They're sure lucky they chose me too. I am Certified – They are secure. Here is my bill, here is your pie chart, see on the 18th hole.
NOTE: This rambling was not meant to attack anyone holding any certification. I merely used the industry standards CISSP, CISA, CISM and CCIE for the purpose of formulating an opinion.
This is not an attack on any individual however, if it touched a nerve, then it was likely you who it was targeted at. I do not hold the CISSP , CISA or CISM and don't care for them. While I make mention of the CCIE, that is an altogether different story, please re-read its use. Who the hell needs a CCIE to maintain firewalls? I mean seriously?