Ask HN: Are Certifications Useful in Infosec?
So i get that infosec is a very broad term, which could mean anything from more business focused roles that focus on ensuring compliance to things like managing network security and appliances, to actively developing and researching exploits.
There are a large number of available certifications in the area. CISSP, Sec+, CCNA Security, CEH are just some I can think of off the top of my head, but I've seen many more.
There always seems to be a mixed response on whether they're useful for entering the industry. Some find them to be bullshit, akin to the programming certs out there. Others seem to think they're useful at least for landing roles in the industry. The most common I've seen requested on job listings has been Sec+, mostly in jobs requiring TS clearance.
Do you believe one narrative or the other. Do you think that these credentials hold more value in certain areas of the field than others?
55 comments
[ 3.6 ms ] story [ 115 ms ] threadCertification: bad.
People think about certifications like those are some kind of magic trick, just like pickup lines.
You might get a girls attention but if you don't have anything else to keep her interested that line is not going to help you much. Let alone if she heard cheesy stuff from other guys that turned out to be not interesting or not having anything more to talk about.
There is bunch of people who think that they can get a certificate and that is it, while certificate might get someone to look at your CV, if you don't have anything more than cert you are not going to get the job. Many employers have hired people with certificates that did not deliver what they promised, many employees have seen such people hired and then let go.
That is also why no one is taking pickup lines seriously and no one is taking certificates seriously. Bragging about certificates/degrees is cheesy just like pickup lines are. Both are considered low effort and creepy attempts to get something.
To the OP, take it from him and look no further. Get yourself enrolled in some learning course like the Matasano's crypto challenge and see where that takes you. Good luck.
cryptopals was the reason I got into security, everything just pales in comparison.
To be fair, I did recommend a cispp course (on linkedin learnings) to a junior member of my old team, mostly to complement the knowledge from the day to day work in appsec with other topics, e.g. network.
Personally, I studied math & crypto (with my own passion for programming) and I entered the industry doing appsec, no certifications asked.
Those also happen to be more technical. I think because more managerial stuff is harder to teach.
Overall I find these certs to be a waste of time and money, and when hiring candidates I usually filter out those who have every ISC2 cert under the sun.
In fact I tend to dismiss CVs for non entry jobs that have certificates listed at all.
If you have 10+ years of experience I don’t care about your “education” if those 10 years can’t speak for themselves you’re probably not the candidate I’m looking for.
Listed? I guess every employer has their own little biases.
In general I found that customers that demanded certifications were not expecting our consultants to do much thinking, they really just wanted box checkers. I didn't quite understand this until after a few years of hiring folks that were hell-bent on stacking certs...they tended to be box checkers. So, intentional or otherwise, it ultimately made sense.
I find that the education associated with most (not all) certs to be sub-par and not particularly applicable, and it tends to stratify the thinking around how you educate yourself in a career that is at least as much based on vocational/practical knowledge as it is academic. Right now I'm working as part of an infosec org that is >>1000 full time employees and industry certs are a non-factor, the company generally doesn't invest in them unless they somehow directly align with your role and almost nobody that I work with advertises that they have any.
So, in short, I'm closer to anti-certification than anything. That said, don't be religious about it. If that's what the offerings in your area or industry of interest require, do it.
Is GRC security? Not exactly, but if you can’t demonstrate security, no one knows if you have security or not. GRC is the ability to quantify/qualify security.
For true security, as in secure-by-design, etc, you need subject matter experts in that field. Since there is no security knowledge qualifying body for (most) platforms, the credentials don’t really matter much. But for GRC, they are essential.
The question is also difficult to answer because there is no one thing that is security. You can manage vulnerabilities or provide incident response, both security topics but with wildly different skill requirements, for example.
Security engineering, security management, security testing, security reporting, etc, etc. All very different things.
Infosec is very much "learn by do", because technology and this corner of it specifically moves too fast for certificate processes
CEH is a bad cert, and I have my doubts about the rest. I think whether they're useful is extremely dependent on your own circumstances, which should already inspire some doubts. College degrees don't exactly have that problem.
If you're switching careers they can be a great thing to point to on a resume, but I definitely don't think of them personally as hugely reflective of someone's skill. It's better to support it with something else.
The only one that I would break this assumption on right now is OSCP, but the exam is grueling and not something that I think people should be subjected to just to get a stamp of approval in the industry. I would say that someone who has it knows offensive security pretty well, something that I could not as definitively say about something like Sec+. I can't personally speak to Cisco certs.
Otherwise, I'd say that the courses are not very good but the labs are really well made and the exam is definitely interesting (but I would never try another exam from them now that they implemented that proctoring rule)
In the end life is not like CTF and we had guy doing pentest like a CTF, where I wanted more broad approach and was trying to explain to him what we want to cover but well I was not the one pulling the trigger and my boss was paying so the guy did what he thought would be the best.
From my point of view he missed a lot of low hanging fruit that I wanted to fix. Then he found bunch of BS issues and marked those as critical. My boss at first got mad how we can have such critical issues but after explaining what is what, we don't think about hiring that guy again.
All that being said, I do think a well written cert course can be an excellent framework for learning a new technology. Having guidance on what is actually important when getting started can be a huge accelerator for your personal development, just make sure you avoid the trash ones (CEH!!!). The HR stamp of approval will hopefully just be the icing on the cake at that point.
Cyber masters are pretty much totally worthless, although perhaps some idiot employers think they have value. If you can get a masters paid for, the SANS masters seems like the only one worth doing. The NYU Masters is expensive, but somewhat value though it's value comes from basically being a CS degree so just go get a CS masters from Georgia Tech.
If you work for the government or military they have their set of required certs (8570 baseline). Certs overall are highly correlated with incompetence in my opinion. Experience is what matters.
So, I'm a little uncomfortable making sweeping generalizations about all kinds of certifications, because I don't do Windows IT security†, but I'm pretty sure I've got some grounding in offensive security, since it's where I've spent my career. And what I'll say here is: the best people in this branch of the field almost uniformly don't hold these "good" certifications, and none of the good firms require them.
A piece of information that you could provide that would force me to rethink my stance would be a link to a very good, widely respected offensive security firm that states clearly that they give preference to senior candidates with any particular offensive security certification. (If I've heard of the firm, I'll go ask them about it, which might be fun to watch.)
† Just kidding, these certifications are all useless.
If you're a blue team type, you're not interested in OCSP, but the answer for you would instead be to build a portfolio of meaty PRs on security open source projects.
Would I recommend it? Yes, especially if the company pays for it.
Company that I work for allows people to spend weeks of their working time preparing for top CTF contests and that is valuable because it is something practical. Just don't waste your time memorizing answers to exam questions.
You can find the syllabus here: https://www.offensive-security.com/awae-oswe/
Something that is really interesting I think is the whitebox approach that some people in infosec might be missing if they don't come from a developer background and never botherered looking at the code introducing the vulnerabilities.
If you want to learn appsec I recommend Web Security Academy: https://portswigger.net/web-security
Just that I would recommend it because I felt good going through the challenges and that someone took the time to set up VMs and writeups for me.
In conclusion, it was more of a consumption thing than an investment.
Does a certification teach you how to 'do' InfoSec? No.
But they're useful if you're starting out in InfoSec. Especially if you're changing careers, don't have a BS, or have those other boxes recruiters like to check. Certs can get you through the recruiter.
Also, some employers require certain certifications to work there; especially if they're working with the government, or some other organization whose contract requires that people working on the contract have various certifications.
If you're going into forensics or something like that where you may be called upon to testify in court as an expert witness, certifications help prove your bonafides to the court.
A blanket 'no they're not useful' is unhelpful and not entirely accurate.
But there are other things you can do, and so the effort involved in acquiring a certification --- even if an employer is paying for it --- has to be weighted against those other things. Research, open source development, writing, CTFs, keeping abreast of research, networking (even just "going to Defcon" --- and I don't like Defcon!), investing more time in researching career opportunities, bug bounties... these things all have a much higher payoff than certification does, and any time you spend pursuing a certification is coming at the expense of those other things.
It's also letting you kid yourself about the work and whether it's a fit for what you want to be doing, because one thing you should notice about that random list of things I just generated is that it covers a lot of what infosec people actually do. A certification process provides structure and forcing functions and activation energy (for a dumb process that won't get you any meaningful advantage professionally). But if you can't generate that kind of activation energy yourself, in this climate, with this many available resources, with the kinds of career payoffs people are regularly obtaining, maybe this isn't really what you want to be doing?
>these things all have a much higher payoff than certification does, and any time you spend pursuing a certification is coming at the expense of those other things.
Those are all good suggestions. I think from the perspective of newbies a lot of them (research/ctfs/open source dev) seem really intimidating and/or they might assume (rightly or wrongly) that they have a high barrier to entry. When you combine that with the tendency for a lot of security guys to be super shy introverts for a lot of us its a big deal to socialize or reach out to people for help. Having static, structured forms of training like books, certification programs, online courses, etc, can help people like this get started even if its not the most efficient way to learn. Getting just a little bit of experience can give the boost of confidence they need to start contributing socially.
I guess my point is while I do agree that passion is usually the biggest indicator of success in this industry (and many others), I wouldn't be ready to rule out that a person has that passion just because they have a slow start, aren't confident and don't really know where to start or where to look.
I think product certs are valueable though for reflecting experience in a specific field (e.g. CCIE/MSCE/AWS ), and process certs (ITIL/etc) for understanding how it fits together in a service mgmt context.
Apart from certs though, an active Top Secret SCI with a full scope polygraph is worth its weight in gold for govt work.
When you come on Hacker News and see submissions full of comments about the technical details of exploiting some hot new critical remote code execution vulnerability, or read a hacker's blog walking through how they discovered security holes in some websites, or see an article by some cybersecurity company detailing how they tracked down some crime ring or nation-state backed hacking group, please be aware that 1) these are amazing things, and 2) they are not InfoSec. Information security is a management field and is mostly focused on developing top-down security strategies for organisations to implement, measure compliance with, and refine over time. It is related to, but also very different from offensive security. Relevant HN submissions would be high-profile cyber security incidents and updates on laws/regulations on computer use and data privacy.
You mentioned Sec+. It has gained popularity in the past decade and is now considered an entry-level requirement for many IT contracting jobs, especially government ones, and not even ones that are really security-related. If you don't usually get down in the weeds on computer security topics, then a Sec+ is a useful way to get broad high-level exposure. Another way to look at it this is that a Sec+ is for people who do not have a lot of pre-existing skills in computer security. It's used by employers to filter out employees who probably cannot be trusted with anything security-related in IT. Imagine your employer is thinking of having you sponsored for a security clearance - if you cannot pass a Sec+, than you're probably not cut to have a clearance in the first place. Realize that practically all of these organisations have to annual security awareness training (SAT) to their employees, but by making Sec+ a requirement, they now have a way cut out everyone who would have just slept through the SAT without really internalizing it.
We've established that the true purpose of Sec+ is for screening entry-level IT positions. The CISSP is similar, but for management-level positions. Primarily, it's for middle-managers who want to prove to HR that they are worthy of being chosen for information security roles study the CISSP. Contrary to what people say on the internet, the CISSP is actually very similar to the Sec+, but with more depth on information security management practices. The enhanced focus on information security management practices is because managers with a CISSP are expected to run information security-related projects and programs for the organisation.
Personally, I made a goal for myself at a young age to get the CISSP simply because I saw it was being hyped online. I didn't even do enough research to understand that years of experience was a requirement. I passed it a year before I even started an IT career. It's very doable depending on how much of a computer geek you are. I let it lapse since I was still working in restaurants and had no IT experience, but a decade later, I went for it again because 1) my employer paid for it, and 2) I consult to customers who are CISSPs.
It's important to research what a cert requires of you in order to maintain it. Both Sec+ and the CISSP require you to accrue a certain number of credit-hours every 3 or so years. There are also member dues. If these aren't too much of a hassle for you, then I recommend certs that are relevant to the environments that you work it. In my case, I got a CISSP because I work with CISSPs. I'd consider other certs if the people I work with had them too. I may not be an expert like what the commenters here are decrying as reasons not to pursue certs, but at least I can show a basic level of competence out of respect for the people who I work with.