I Am Certified - You Are Secured

Monday, July 18, 2011

J. Oquendo


Mustering up as much arrogance as I possibly could, I slowly inhaled in order to make my chest stick out, fixed my tie and uttered “I am certified, you are secured.”

Knowing damn well I could not make good on that promise, it sounded good and for a second there with my who-knows-how-many certifications, I almost believed myself.

Aside from lying to my client, I also lied to myself, but it's all good because the money is in the bank and I'm walking out the door.

Being certified alludes to me having a clue and fully understanding all of the finer gears inside the machinery of the company I just performed security work on. Not only do I not need to prove that I can actually do anything productive, I can provide in-depth critical coverage of any subject or question I am asked. I know this all too well from many a night of cramming security content down my throat while studying to make more money.

Security? I don't care for it. I learned a long time ago that companies do not want security. They do not want assurance; they simply want a framework to ensure that they did no wrong. My goal is simplified ten-fold and my aim is to ensure that someone on the C-level can cross their T's, dot their I's and get on with their game of golf. Obviously golf is the only association to the word Ping [1] many will ever come to know.

Now many reading this are wondering how did it come to this. What is he saying, security heresy!!! The reality and fact of the matter is, industry made me what I am. In fact, recruiters and HR personnel without a cause made me this way. You see, a long time ago, I sought to defend networks from attacks.

I spent many hours on end studying attacks, counter attacks and developed accurate and robust methodologies to prevent attackers from “owning” your asses, however, you wouldn't listen.

At the time I didn't have my CISSP or CISM or CISA or CCIE, and the reality is, none of those certifications have anything to do with penetration testing. None has anything to do with deploying firewalls; none have much to do with anything, as they're either too broad or too narrow. I told you then and you wouldn't listen.

You the business owners forced me into a corner like a dog and gave me a few options: CISSP, CISM. Only when I sought one of these options would I be able to effectively: 1) configure firewalls and SIEM 2) properly perform penetration testing 3) perform network audits 4) perform network and security assessments.

Forget the fact I had been successfully doing so for years without them; businesses don't need security, don't be fooled. Businesses need to imply they took the appropriate security measures. Cross those T's and dot those I's.

No longer would I have been able to deploy routers, firewalls and IDS like I had been doing during the course of normal business hours for years. I now need my CCIE to do so, forget the fact that I could configure, deploy and troubleshoot them – again I have been doing so for years – management needs to prove that I can do so.

So why not hire a candidate who could read a book, memorize content, pass a test and call it a day? Makes sense. The aftermath? The aftermath is me. Here I am in all my glory, strolling in drinking my latte, checking my Blackberry, wondering if I brought the right pie charts to feed you my BS.

Wondering if the colors will wow and impress those coming into this conference room. I'm hip, I'm in the game and did I forget to mention – I am certified? Not only that, when you see my bill! How else do you think I got this CLS55 AMG?

So how did we get here? How did security come to this? While many read this initially performing the obvious facepalms, the reality is, this is where many companies have gone when it comes to security. Who is to blame? Is it the certification vendors doing what businesses do – marketing and making money?

Is it the human resources departments that throw certs like the CISSP, CISM, CISA or CCIE into a position whenever the word security comes into play? Is it the individual who now has to pass a test just to get a foot in the door? Where is the industry headed? Obviously certifications aren't the cure. While they may help, they aren't the cure.

Imagine for a moment I was interviewing for a position at your company. Fresh out of school, I obtained my Masters in Information Security. Scratch that, I aimed high and walked away with a PhD. What experience do I actually have? Realistically speaking, by the time I finished up school for a PhD, technologies would have changed at least three times. So what are you getting out of me as a business by hiring me?

With zero experience in the field, never touched anything enterprise outside of a rental car, honestly, what are you getting? This is not to knock anyone who earned their PhD, any degree or any certification, this is merely a “hello, what are you thinking” kind of question.

There are many talented individuals both certified and not certified. How did the industry come to rely on certifications as the “de-facto” anything nowadays? Once upon a time, workers would apprentice in a shop, study hard for years to master a trade, perhaps take some form of exam to be called an “expert” or earn a certification.

Nowadays, all one has to do is dig around for content related books, study to their heart's content, pass an exam, slap on an “I'm Certified – You're Secured” label and businesses are content with this. There is no value to this type of security, there never was and there will never be. For those still facepalming, reality is what it is.

I am unsure how many times I have met someone with enough certifications to fill the backside of their business card. I am also unsure of those that I have met, that I was able to gauge they knew little about what they were talking about when it came to security. I am further unsure of those I have come across, how many forums I have seen them cross post for “wares” on passing another test.

They aren't doing it to learn how to secure an infrastructure properly, they're doing it so they can retain their jobs in some instances. These are those guys that are likely in some of those companies that were recently compromised. You know, the Lockheeds, etc., where those companies outright buy every single available CISSP seat in DC.

When I think about the flip side of this, I can't think of how many talented and uber smart security professionals I have met without the certifications. These are those that are likely in “the trenches” having worked in either a NOC, SOC or some other capacity of IT. Systems administration, engineering and so on. Same holds true for individuals who hold those certs. I know of many a CISSP who really have a clue [3] and likely got their certification because of marketability.

In any event, back to the matter at hand, I am truly certified. I ended up having to get certified to see what all the hoopla was about. It took me 12 years after the fact to even bother taking a certification exam, but that's irrelevant. I can now give my clients peace of mind as I move on into HTML certification.

After all, I want to make sure their HTML code is in order. They're sure lucky they chose me too. I am Certified – They are secure. Here is my bill, here is your pie chart, see you on the 18th hole.

NOTE: This rambling was not meant to attack anyone holding any certification. I merely used the industry standards CISSP, CISA, CISM and CCIE for the purpose of formulating an opinion.

This is not an attack on any individual; however, if it touched a nerve, then it was likely you who it was targeted at. I do not hold the CISSP [2], CISA or CISM and don't care for them. While I make mention of the CCIE, that is an altogether different story, please re-read its use. Who the hell needs a CCIE to maintain firewalls? I mean seriously?

Soupy sales

Michael Thibodeaux Fantastic article...a friend of mine just complained about the same thing in the company that he is in. He worked for Citrix for 5 years and the new company will now let him touch the systems because he has no cert.
Vulcan Mindm3ld Excellent article. I appreciate the honesty and light it has shown on these misconceptions.
Rishabh Dangwal Just amazing, you spoke my heart :|
Anup Shetty Nice!
Well, it cuts both ways. I've seen managers put in a detailed requirement for the skills he would like to see in the position he is hiring for, which gets very difficult for the HR recruiter or the consultant to even spell out properly while going head hunting... they come back to the manager saying... make this stuff easy... he adds in the cert abbreviations to make things easier... Voila! Now these act like access lists... if you don't answer "yes" to questions like... are you CISSP, CISM, etc... you don't go past to hear the rest of the skill requirements... who is to blame? The hiring manager for being too specific for the recruiter to interpret the jargon, or recruiters for not being too techie?
Vulcan Mindm3ld When I read this, the FIRST thing that came to mind were all of the charlatans impressing the masses with the alphabet soup behind their names.

Check out Attrition.org's wall of shame: http://attrition.org/errata/charlatan/

@Anup you are right. We've all been in the business long enough to know that those buzzwords on one's resume draw attention.

But during the interview process, these individuals must be screened very carefully. I would hope other technical people interview them, too. I know that this isn't always possible so REFERENCES are key.

Anup Shetty @ Vulcan..nice share...but what tops the list is Joe Black - the multi certified expert ;)

http://attrition.org/postal/asshats/joe_black/
Vulcan Mindm3ld @Anup... yep, when I read that article... I couldn't help but laugh. Made me think of "Leisure Suit Larry in the Land of the Lounge Lizards" ... so CHEEZE and B.S. it is comical.
Joe Morrissey LOL - very good write up
Chris Dorr I agree! Who needs certifications or degrees. The guy doing heart surgery? Why care about whether somebody went through med school or not...I am sure there are some fantastic heart surgeons who never graduated college. And the guy flying that 767 into JFK? What does his certification from the FAA say about him, other than he was smart enough to know he needed it to get a job? heck...you could probably find a great pilot with no license at half the cost!

But seriously, this is a tired, old debate....going back to when NetWare geeks in 1995 were complaining that CNEs were getting jobs and they weren't because they had no certs.

I have been in both places. Didn't get hired because I didn't have the certs (and complaining I knew more than the guys with the MCSE). Now? I only hire auditors who hold a CISA. Period. No exceptions. And at least a BA/BS.

Why? Several reasons. For one thing, despite the protestations of those who do not hold certs, they usually DO mean something. Yeah, you have "paper MCSEs", but they really are the exception rather than the rule. CISA/CISSP/CISM/Cxxx certificates do generally require a fairly significant investment of time and learning, and imply a certain experience level. That means something to me. Secondly, it is a CYA thing. I hire some auditor with no degree, no CISA, and he screws up? First question across my desk from my soon-to-be-former employer is why did I hire an unqualified auditor?

In the end, certs DO mean something. They "prove" something, just like a pilot's certificate or a MDs degrees do. Not the be-all and end-all, but something. And if somebody is really good enough that they know everything that they should? Then just take the silly test and get the cert. You lose nothing by it.

Any cert (or degree) is a small part of the equation...references? Check. Technical skill set? That is what the interview is for. Interpersonal skills? Same. But the cert *is* part of that, and likely always will be...I know it will be for me.
J. Oquendo Chris, you missed the *gist* of this article. It's not about THE certification but about the candidates themselves. The candidates are the ones who are devaluing once respected certifications. The certification bodies wholeheartedly allow it by not properly screening candidates. Here is an example based on SOLID experience... A *peer* I know has zero experience in the security arena. When I say zero I mean it. He has never done anything at all when it comes to security. Signs up for the CISSP, modified his resume, spoke to his childhood friend who is a CISSP: "vouch for me". Went out and downloaded pirated video and books. Crammed content for 6 months. Guess what? He is now a CISSP. NONE of his background was vetted, contrary to the BS ISC^2 puts out. This is one instance. I know FACTUALLY of companies from around the days of "the big four" where people were sent in to take and recreate those exams. So understand where my article comes from.

Secondly, you make the mistake of comparing apples and oranges. Doctors and pilots are run through strict testing and policies. Those professions aren't based on "old hat" methodologies - remember the whole ISO/BS (emphasis BS) is based on manufacturing made pretty by clever wordsmiths. Much if not all of NIST is old re-hashed information. CoBIT, ITIL and others are all herd-following documentation based on *drum roll* manufacturing guidelines which someone tried to simplify. How many NIST, CoBIT, ITIL etc. followers were left scratching their heads in L3, Northrop, etc., after stupidity from the likes of Anonymous or Lulz?

So certs in this industry mean little, to be blunt. Technical certs are a different story. You can't measure security with the utter insanities of AV * EF nonsense; who are you trying to fool? When you say: "CISA/CISSP/CISM/Cxxx certificates do generally require a fairly significant investment of time and learning, and imply a certain experience level. that means something to me." I don't disagree with the statement of time and learning, but they all have so much overlap, one can pass all three in a year guaranteed. As for "imply a certain experience", imply does not equate to "HAS A certain experience level". THAT to me is reality.
Chris Dorr J. Oquendo, I do not disagree with anything you say. While there is a much more complex discussion surrounding how one CAN even measure risk, this article seemed to be more about the value of certs themselves in those who DEAL with that risk. I know "paper" CISSPs too. But they tend to be a minority. I will accept 10% "paper CISSPs" if the cert itself implies that 90% of the holders have a certain level of expertise.

Please understand that I appreciate your article, and do not disagree with it. But my point at the end of my first post was similar to yours...certs are only (at best) a part of the equation. But there are reasons they are a part.

In audit, in particular, there is a fair amount of theory (developed from decades of experience with financial audit) underlying how one conducts an audit. the CISA exam does require one to have an adequate understanding of that theory to pass. That theory is required to be a practicing auditor in the real world. How do you select sample size? What are the boundaries of the population? Control-based versus substantive testing....these are real questions every auditor has to face, and a CISA certification strongly suggests that the holder has an understanding of these concepts.

I fully agree with what you say. Checking references, validating degrees and conducting technical interviews is a major part of hiring anyone. But I see the value in the certs themselves. Despite the problems with "paper MCSEs", when I was an IT Director and hiring network engineers, my experiences bore out that the better engineers generally were certified. Not always, but usually.

Part of this is in the delineation of what is "IT" and what is "business". IT doesn't need a "control framework" to operate. IT doesn't "need" change control, or logical security policies to do what it needs to get done. These things exist because the BUSINESS needs them to control the BUSINESS risk surrounding IT operations.

Anyone who blindly follows NIST/CObIT/ITIL is failing at their responsibility. Like certifications, they are nowhere NEAR the whole. But they are part, and for a reason.

I really do not think we are disagreeing that much...just emphasizing different parts of the larger point.
Lucian Andrei Hi J.
Nice article.
The reality is that certifications are a differentiator in the security world. This is a fact and we should live with it (at least for the moment).

Now, I know that you have some certifications, and I would like to ask you to define what a good certification should look like.

Personally, I respect the hands-on certifications (ex OS*P). I would love to see a hands on version of CISA, or even CISSP. In my opinion, this will provide better professionals because they will have to learn for it. Industry will come with boot camps, universities with certificates....

What do you think?
J. Oquendo Lucian: Hands-on certs work for a technical realm; however, some of those also lack. For example, I loved taking the OSCP; however, it does little to build experience on, say, "REALLY" preparing reports or formulating strategies. It also lacks in the sense that the hosts are "precompiled" exploitable (to some degree) machines. In a real world environment it takes a lot more planning than that exam and the content will teach you about. Do not get me wrong, you will learn ALL hands-on technical methods they WANT TO show you, for the sake of understanding the core objectives in order to pass the exam. OSCE is a different story.

In the higher management certs, it's not about "prove it... go crack this machine..." I believe that NO SECURITY MANAGER should be in their position without ever having validatable competent SECURITY experience followed by validatable BUSINESS experience. Here is where the two have an issue meshing. The validation part of the certification is broken, period. Where once upon a time it made sense, those certification organizations are now focused strictly on money rather than assurance.

Now Chris, I don't necessarily disagree or agree with you on one perspective over the other. I understand what managers want to see and want to hear, so I know the politics all too well in many different environments. Hence the play with words on "you get what you wanted." I can't tell you how many times I have had an uphill battle where money by way of GREED was the trump card.

Let's put this to another angle here: Sony: How much would it have cost them to do the right thing? To think that they DIDN'T or HADN'T done an assessment on their servers goes against the security grain: PCI MANDATED THEM TO DO SO. What went wrong? Secondly, being they were done for so long, what happened to BCP/DR? That too is a CBK for say the CISSP.

Which broken wheel should we change first? Certification bodies? Cert holders? HR? It all goes right back into the herding instinct if you ask me... Herds usually end up becoming some form of hamburger meat ;)
J Feinblum Fantastic article. Chris, your statements are a perfect example of what is wrong with the industry. You should never be screening people out for not having certifications in this industry. Certifications are simply revenue generators for various bodies, and do not test any practical knowledge.

I have a few certs, because they were easy and I was able to get them during initial release (experience assessment), or very early in my career. Every minute studying for those certifications, or maintaining my CPEs, I actually consider a minute lost in garnering real and applicable experience.
Chris Dorr Well J. Feinblum, feel free to hire whomever you wish. Let me know how YOUR boss reacts when you hire somebody with no college degree or applicable certs, and they mess up. "Well, I thought they were great in the technical interview...yeah, I know I passed over a half dozen guys with degrees or certifications....but....but....but..."

I will continue to hire ONLY those who have the certifications and degrees I value.

Having worked as an IT director for 7 years, then in audit for another 6? I have NEVER regretted hiring somebody who was certified, while I HAVE regretted hiring some who were not.

As noted in an earlier post, the best network engineers I hired were MCSEs or CNEs. And in the field of audit? It is even more important....an external auditor may not even be able to rely upon your work if you are not certified. Literally, I will not even read the resume of somebody who does not have a CISA.

I have been on both sides. Whining that I didn't get hired when I wasn't certified, and seeing the practical value of certification.

The certification (as I noted several times) is only a PART of the qualification set, but there is a REASON that people (like me) value them, and not just for CYA (although that is part of it). My certs (both the tech ones and the more fluffy ones) have had value, and the subject matter they required me to understand was directly applicable to the areas they focused on.

As I said, the certs are a relatively small part (I'd never hire somebody JUST because they were a CISA, but I would never hire somebody who WASN'T a CISA), but as the guy on the hook for what happens if I hire the wrong candidate, I will continue to use them because my experience in the real world has shown me their value.
J Feinblum I will respond more in a bit, but I did want to clarify and state that I was not attacking you, just the industry. I hold a degree in Criminal Justice, and luckily it has never held me back -- but I know folks who have been held back.

The fact is, a piece of paper cannot tell you if you are hiring someone who is 'good.' I am personally comfortable having 2-3 interviews with someone and evaluating their technical and personal skills on my own. If my boss holds a bad hiring decision against me, I am working for the wrong boss and will find a new one.
Pete Herzog J, once again, you lay it out there in its naked glory. But imagine you were looking to hire a pro exterminator (or change that to something you may know little about) because your generous application of RAID only has bought you a little nausea and they keep creeping in. You know you need one and you search online. You want a good job but price matters and of course health is always a concern because you have kids or pets or you sleep on the floor near the baseboards, so you don't want anyone violating the Federal Insecticide, Fungicide, and Rodenticide Act. So you look online and there's tons of evidence of requiring your bug killer be certified as CBK, CIBRD, CBBB, or ECBK. But there's also tons of articles from people complaining how those certified in any of these things really suck because it's just about memorizing chem formulas from 5 years ago and there's no real hands-on required or any actual experience. You read in China they get someone to take the tests for you and people are getting certified just to get business. But they say certification is not important. But some do say education is important and you may want an exterminator who has a Masters or PhD because they have studied the effects of these chems on human tissue and such. So who do you hire? Probably someone with certs, education, and references enough within the price you're willing to pay. Then you wait and see the bugs went away and you don't die.

Where the difference really breaks down is if either of those things happen, you need to lawyer up. But what if the exterminator made you sign a contract ahead of time of NDA about the service, a get out of jail free card to prove you wanted them there spraying stuff, an agreement that says you understand that there is no 100% bug protection and bugs may appear again which is not their fault, and a limited liability contract up to the cost of the service. So if you or a loved one dies, you basically only get your money back. On top of that, imagine they didn't let you watch as they worked, handed you a fancy report when it's done that only tells you what they found but not what they did, and told you that they need to spray whatever wherever because you aren't capable of choosing the scope of the project. By the way, if you tell them they can't spray in certain rooms, like the nursery, then they have zero liability if bugs return.

Then they show up with some brand-name spray packs, pour in chems with vicious names, and enter brutally and without regard for the fact that people are inside, living and working there. They cause downtime, delays, and inconvenience for those inside. Of course they'll call it merely coincidence and they were nowhere near that part of the house (even if it's in the scope or they have poor control over their little automated robot sprayers). Oh, and when they finish they try to sell you cans of their "good" bug spray that you need to use every eight hours to prevent future problems.

I think I stomped this analogy to death by now. Usually, I use the dentist analogy because they also operate like security folk. I mean it's not like you can watch them work or read those black and white Rorschach tests they call x-rays. But anyway, I feel for the clients. It's really gotta suck to NEED security (compliance) in an industry so full of scammers and thieves. So go out there and hug a customer today!
J. Oquendo Pete, if there was anyone's commentary I appreciated during the day to day it's yours and I sincerely mean this. I think you hit it spot on concerning the NEED to hire someone with competency, this was never meant to be my gripe, my gripe stems from the bastardization of what has slowly become of the "certified candidates."

I don't like cross-posting much but I answered elsewhere something that makes sense to post here as well, excuse the language, but we're all adults here and it stems from frustration:

The main point of my rambling was a few fold: 1) I wanted to expose some of the certification bodies for allowing nonsense to go on by way of unqualified candidates devaluing certifications that once meant something. 2) I wanted to expose many-a-mentality of douchebag wanna-be security professionals who, once they obtain that cert, forget the term and concept of "security". 3) I wanted to expose the douchebag who knows nothing about security but enough about studying that he passed a cert exam and is now passing off bogus security services.

In the #1 for far too long many of the organizing bodies ISC, ISACA, etc., have been promising or alluding to vetting qualified candidates. This was never the case in fact as far back as 1999 I know of COMPANIES that were re-creating the CISSP in order to label all of their contractors as "security capable." This was then one of the big four accounting firms. This practice is still present and evident today. If you've ever set out to take the CISSP in DC/VA you will have a better chance of hitting the powerball. This is because 2-3 companies continuously buy up all of the seats. Now, these companies collectively don't have enough security people to fill these seats, so ask yourself why bother buying them.

FACT: Certain certifications are mandatory in government, and it is far easier to get contracts pushed through GSA shenanigans when all your guys are CISSPs. FACT: Not all of those guys can qualify. FACT: It would be easy with enough test takers to re-construct this exam; I don't care how big your question pool is.

On #2, for all of the certified guys at Booz, what happened? 400+ CISSPs, 150 CISMs, 100+ CISAs, 50-100 SANS (GCED, GPEN, etc.) and so on. You mean to tell me collectively they couldn't have secured that network? Something is wrong with that picture. With all of the NIST, NSA, etc., templates, read-mes, etc., they couldn't lock it down? What happened to GAP, SWOT and other "methods" and standards they swear by? Not to mention business continuity and disaster recovery. What happened to encryption for data at rest? It's all a charade of AV*EF nonsense.

On #3 I have seen so many people with certs out the wazoo that know close to nothing about security. In my forensics and analytic mood, I can track down far too many to see FACTUALLY that they shouldn't have even been allowed to take that exam. Of those that do, you can be sure that their credentials were NEVER checked. There was zero due diligence from the certifying bodies (ISC2, ISACA, etc.)

Finally, I wanted to show the frustration of someone in the industry who had no choice BUT to get certified even though he'd be doing the SAME EXACT work for years. In order for him to maintain his livelihood, he had to succumb to the idiocy of certifying. The article wasn't an attack on any one specific, it was to point out the obvious frustrations across the board. From HR, to the candidate, to the prick wanna-be.

---

Your doctor whom you trust most is about to perform life or death surgery on you. How would you feel if the hospital board simply said: "Trusted, I see your certificate" without ever determining whether this doctor went to med school? In the industry of, say, government contractors, this is exactly what is happening. Voodoo security doctors. All paper based with no experience. As a taxpayer it costs both you and I more when taxes are raised.

It is not as difficult as one thinks to validate whether or not someone has experience. Simple onsite tests prior to hiring. Simple "Googling" helps as well however, many are in a rush to "hire right now!" where candidates aren't vetted as they should be.

As for having certs, I prefer the challenging ones, exams that consist of practicals versus the typical multiple-choice nonsense.

With that crosspost out of the way, on the forum where I posted this, an immediate facepalm ensued when I read:

"If I were going to make a career of social engineering, what Certs/Studies should I seek? My current thoughts are Sec+, MCSA: Sec, CEH, SSCP, CCNA, CCSP, and finally CISSP. Is there a more logical progression or something I may have missed?"

See the problem(s) with the industry? Once upon a time many of us fought our way up the ladder and understood our roles prior to even attempting to certify. We did so to prove we were capable, we were experts. This follows similar suit to a med-student doing their residency if I had to equate it. Right now we're in an industry where too many people manipulated the system, cert'd up and slap on the title "Security Professional" or "Evangelist" or whatever other nonsense title. What happened to this industry where security seems to have taken a backseat to a piece of paper?

I wholeheartedly understand where Chris Dorr comes from; however, I also know that he could potentially let stronger security candidates slip through the cracks. For example, Chris states: "but as the guy on the hook for what happens if I hire the wrong candidate, I will continue to use them" Chris, you're not even giving it a second thought here. My response would be to hire the right candidate irrespective of whether or not they had the cert. If for some reason or another it was mandatory, I would include a "must obtain this certification by date X" approach. There is ALWAYS a probationary period for an employee.

Robb Reck Very interesting discussion in the comments here, and I wanted to chime in. I agree that certifications are not the whole picture, nobody would try to argue that they are, but they are important.

J, you asked Chris to give it more thought, and consider non-certified candidates as they might be the best one for the job. I would argue that the fact that they weren't willing to jump through that hoop, and get the required certification tells me that they can't be the perfect fit for most security roles.

The more time we spend in the field the more clear it becomes that certificates (for better or worse) are expected of us all. If someone has not gone through the effort to achieve the required prerequisites, doesn't that tell us something about them? Either they don't have the ability to get the cert, or they choose not to. Either way it raises questions of why.

All that said, I would absolutely consider a non-certified employee for one of my lower level positions. Especially with a career changer, or fresh graduate. But when you get up to the senior positions, the candidate must have some proof, and being appropriately certified is part of that mix.