Ask HN: Are Certifications Useful in Infosec?

30 points by the_only_law ↗ HN
So i get that infosec is a very broad term, which could mean anything from more business focused roles that focus on ensuring compliance to things like managing network security and appliances, to actively developing and researching exploits.

There are a large number of available certifications in the area. CISSP, Sec+, CCNA Security, CEH are just some I can think of off the top of my head, but I've seen many more.

There always seems to be a mixed response on whether they're useful for entering the industry. Some find them to be bullshit, akin to the programming certs out there. Others seem to think they're useful at least for landing roles in the industry. The most common I've seen requested on job listings has been Sec+, mostly in jobs requiring TS clearance.

Do you believe one narrative or the other. Do you think that these credentials hold more value in certain areas of the field than others?

55 comments

[ 3.6 ms ] story [ 115 ms ] thread
No.
Care to expand?
Sorry. No, certifications are not useful in infosec.
What about hands-on lab sites like tryhackme, vulnhub, cybrary?
Training: good.

Certification: bad.

I am not the person you asked but my 5 cents.

People think about certifications like those are some kind of magic trick, just like pickup lines.

You might get a girls attention but if you don't have anything else to keep her interested that line is not going to help you much. Let alone if she heard cheesy stuff from other guys that turned out to be not interesting or not having anything more to talk about.

There is bunch of people who think that they can get a certificate and that is it, while certificate might get someone to look at your CV, if you don't have anything more than cert you are not going to get the job. Many employers have hired people with certificates that did not deliver what they promised, many employees have seen such people hired and then let go.

That is also why no one is taking pickup lines seriously and no one is taking certificates seriously. Bragging about certificates/degrees is cheesy just like pickup lines are. Both are considered low effort and creepy attempts to get something.

I came looking into the comments for tptacek's reply.

To the OP, take it from him and look no further. Get yourself enrolled in some learning course like the Matasano's crypto challenge and see where that takes you. Good luck.

truer words were never spoken

cryptopals was the reason I got into security, everything just pales in comparison.

It always makes my day when people say stuff like that, though cryptopals probably wouldn't be in my top 3 entry-level things for people otherwise considering a certification. Thank you!
Same with most "higher" education. Just hoop jumping.
(comment deleted)
Pretty much like you said imo, i.e. useless in the industry unless you're looking for some sort of work that requires them for compliance reasons.

To be fair, I did recommend a cispp course (on linkedin learnings) to a junior member of my old team, mostly to complement the knowledge from the day to day work in appsec with other topics, e.g. network.

Personally, I studied math & crypto (with my own passion for programming) and I entered the industry doing appsec, no certifications asked.

High level clearance is more valuable.
In government contracting jobs? I assume that's what you mean, because nobody in industry gives an electron-microscropy-detectable fuck about clearance.
People contracting for DoD sometimes aren't "in industry"?
The more useful ones are those where the final test is "hack these systems".

Those also happen to be more technical. I think because more managerial stuff is harder to teach.

Yes, as you get deeper in the industry, you will be expected to have the basic validation certs, CISSP, CISA, CISA, CISM, etc.
No, you won't. Some people have them, the best people often don't. There are some jobs that will performatively demand them, and those are all terrible jobs that will sap status and retard your career.
It really depends on how you enter and where you enter into the industry.

Overall I find these certs to be a waste of time and money, and when hiring candidates I usually filter out those who have every ISC2 cert under the sun.

In fact I tend to dismiss CVs for non entry jobs that have certificates listed at all.

If you have 10+ years of experience I don’t care about your “education” if those 10 years can’t speak for themselves you’re probably not the candidate I’m looking for.

>In fact I tend to dismiss CVs for non entry jobs that have certificates listed at all

Listed? I guess every employer has their own little biases.

If you see a job where there is some validation cert listed you should apply anyway. Either the company is dumb and insists on the cert, in which case you dodged a bullet when they passed you over for lack of a cert, or they know that the certs are bullshit and will ignore them but someone (usually a recruiter) insisted on putting them into the description.
I don't find this true in the least. I've been at this for 25 years, ran a small consultancy for 15 of that, and certs have been wholly useless save for a very very small fraction of our business as a DoD subcontractor.

In general I found that customers that demanded certifications were not expecting our consultants to do much thinking, they really just wanted box checkers. I didn't quite understand this until after a few years of hiring folks that were hell-bent on stacking certs...they tended to be box checkers. So, intentional or otherwise, it ultimately made sense.

I find that the education associated with most (not all) certs to be sub-par and not particularly applicable, and it tends to stratify the thinking around how you educate yourself in a career that is at least as much based on vocational/practical knowledge as it is academic. Right now I'm working as part of an infosec org that is >>1000 full time employees and industry certs are a non-factor, the company generally doesn't invest in them unless they somehow directly align with your role and almost nobody that I work with advertises that they have any.

So, in short, I'm closer to anti-certification than anything. That said, don't be religious about it. If that's what the offerings in your area or industry of interest require, do it.

So. GRC or security? It’s a rhetorical question.

Is GRC security? Not exactly, but if you can’t demonstrate security, no one knows if you have security or not. GRC is the ability to quantify/qualify security.

For true security, as in secure-by-design, etc, you need subject matter experts in that field. Since there is no security knowledge qualifying body for (most) platforms, the credentials don’t really matter much. But for GRC, they are essential.

The question is also difficult to answer because there is no one thing that is security. You can manage vulnerabilities or provide incident response, both security topics but with wildly different skill requirements, for example.

Security engineering, security management, security testing, security reporting, etc, etc. All very different things.

In my experience it is the opposite. These types of certs are often used in low skilled positions or entry level positions, as they generally don't carry a lot of weight in more senior roles.
Agree, you won't ever need them, and if you do those aren't the type of interesting jobs you'll want to gain access to.

Infosec is very much "learn by do", because technology and this corner of it specifically moves too fast for certificate processes

To me their worth is at best questionable and a lot of the time just a scam. I don't like to spend time on any, and there are definitely better ways to spend the time it would take to acquire many.

CEH is a bad cert, and I have my doubts about the rest. I think whether they're useful is extremely dependent on your own circumstances, which should already inspire some doubts. College degrees don't exactly have that problem.

If you're switching careers they can be a great thing to point to on a resume, but I definitely don't think of them personally as hugely reflective of someone's skill. It's better to support it with something else.

The only one that I would break this assumption on right now is OSCP, but the exam is grueling and not something that I think people should be subjected to just to get a stamp of approval in the industry. I would say that someone who has it knows offensive security pretty well, something that I could not as definitively say about something like Sec+. I can't personally speak to Cisco certs.

Problem with the OSCP is that they decided to now have proctors watching through a webcam for the duration of the exam (24 hours). Not sure if a lot of people in the industry are comfortable with such a gross invasion of their privacy.

Otherwise, I'd say that the courses are not very good but the labs are really well made and the exam is definitely interesting (but I would never try another exam from them now that they implemented that proctoring rule)

Currently I am considering that OSCP is losing its appeal for me, I see in my linkedin feed a lot of people showing it off. Well they are still better than me for sure, I can do some easy boxes on HackTheBox maybe some Linux medium.

In the end life is not like CTF and we had guy doing pentest like a CTF, where I wanted more broad approach and was trying to explain to him what we want to cover but well I was not the one pulling the trigger and my boss was paying so the guy did what he thought would be the best.

From my point of view he missed a lot of low hanging fruit that I wanted to fix. Then he found bunch of BS issues and marked those as critical. My boss at first got mad how we can have such critical issues but after explaining what is what, we don't think about hiring that guy again.

I definitely agree on the mixed bag nature of certs. It can be frustrating being ignored by HR because you're lacking the special four letters they want to see, and that situation is more common than I think we'd like to admit. You'll probably need at least one or two unless you're a real Rockstar who can show value on your resume in some significant other way (CVEs, extensive GitHub, etc.).

All that being said, I do think a well written cert course can be an excellent framework for learning a new technology. Having guidance on what is actually important when getting started can be a huge accelerator for your personal development, just make sure you avoid the trash ones (CEH!!!). The HR stamp of approval will hopefully just be the icing on the cake at that point.

(comment deleted)
Offensive Security certs are worthwhile, so is GIAC if you can get your employer to pay for them. Other than that, having a CISSP is useful for some employment (but effectively meaningless) and having a few networking certs from either Cisco or Juniper is not bad to have.

Cyber masters are pretty much totally worthless, although perhaps some idiot employers think they have value. If you can get a masters paid for, the SANS masters seems like the only one worth doing. The NYU Masters is expensive, but somewhat value though it's value comes from basically being a CS degree so just go get a CS masters from Georgia Tech.

If you work for the government or military they have their set of required certs (8570 baseline). Certs overall are highly correlated with incompetence in my opinion. Experience is what matters.

Certs plus experience are even more valuable. That is why the CISSP requires years of experience before you can test.
CISSP is completely useless; even people who believe there are useful certifications don't stick up for it.
The best part about the CISSP is that it’s a management certification, which deflects so much of the boot camp people that instead become junior developers.
Most of the time this topic comes up on HN, someone says that certifications are bad, except for the offensive ones (usually, it's OCSP).

So, I'm a little uncomfortable making sweeping generalizations about all kinds of certifications, because I don't do Windows IT security†, but I'm pretty sure I've got some grounding in offensive security, since it's where I've spent my career. And what I'll say here is: the best people in this branch of the field almost uniformly don't hold these "good" certifications, and none of the good firms require them.

A piece of information that you could provide that would force me to rethink my stance would be a link to a very good, widely respected offensive security firm that states clearly that they give preference to senior candidates with any particular offensive security certification. (If I've heard of the firm, I'll go ask them about it, which might be fun to watch.)

Just kidding, these certifications are all useless.

I see your point as someone who's been in the industry for some time, but do you by any chance have recommendations for folks trying to get into it? Every time I've seen threads from people trying to get into offensive security OSCP and other certs come up, even to people that already have college degrees and in some cases experience. Where is that coming from, and what should people do instead? It seems at least to me like there's a real disconnect on this topic between people hiring senior roles and junior employees.
Take every ounce of energy you would have put into OCSP and plow it into bug bounties, build a portfolio of findings, and get a pentest job. Take a year and figure out where you want to pivot to from there.

If you're a blue team type, you're not interested in OCSP, but the answer for you would instead be to build a portfolio of meaty PRs on security open source projects.

I believe that certifications that don't have a practical aspect to them are totally worthless. I work in appsec and recently completed OSWE. The coursework was ok, nothing groundbreaking, learned a cute trick here and there.

Would I recommend it? Yes, especially if the company pays for it.

Company that I work for allows people to spend weeks of their working time preparing for top CTF contests and that is valuable because it is something practical. Just don't waste your time memorizing answers to exam questions.

Why would you recommend OSWE? What's an example of a specific benefit you'd get in appsec (also my specialization!) by holding that certification?
An example would be to be able to read source code in different languages (Java, PHP, JavaScript, C#) and be able to identify, chain vulnerabilities and write an exploit script to automate everything.

You can find the syllabus here: https://www.offensive-security.com/awae-oswe/

You're suggesting you might consider getting OSWE in order to learn appsec?
I would not recommend OSWE to learn appsec since it is teaching "Advanced Web Attacks" and assume that you know the basics.

Something that is really interesting I think is the whitebox approach that some people in infosec might be missing if they don't come from a developer background and never botherered looking at the code introducing the vulnerabilities.

If you want to learn appsec I recommend Web Security Academy: https://portswigger.net/web-security

PortSwigger is great. Certifications, on the other hand, are not a good way to learn appsec.
No specific benefit or skill.

Just that I would recommend it because I felt good going through the challenges and that someone took the time to set up VMs and writeups for me.

In conclusion, it was more of a consumption thing than an investment.

I am very sorry to say that many schemes are little more than a scam. Some of them began well then went off as they aged and were not updated, others started badly and got worse, even some courses from what was the gold standard provider now need re-examining. I can’t help but feel that many people, especially those looking to break into the profession, are being taken advantage of. Honestly, I would start with gaining experience, real experience, no matter how junior the role. So much bad stuff was being taught, we decided to grow our own and devised a programme to run new people through, it meant we could take a keen, bright, school-leaver (if necessary) and turn out somebody useful within 3-4 months.
The consensus among my friends is that experience, relevant projects and especially a contact network are extremely more valuable.So,ideally you better spend your time, money and effort on those.
This really depends on the candidate profile and what exactly you're expecting the certifications to do.

Does a certification teach you how to 'do' InfoSec? No.

But they're useful if you're starting out in InfoSec. Especially if you're changing careers, don't have a BS, or have those other boxes recruiters like to check. Certs can get you through the recruiter.

Also, some employers require certain certifications to work there; especially if they're working with the government, or some other organization whose contract requires that people working on the contract have various certifications.

If you're going into forensics or something like that where you may be called upon to testify in court as an expert witness, certifications help prove your bonafides to the court.

A blanket 'no they're not useful' is unhelpful and not entirely accurate.

If, for newcomers, there was literally nothing else you could do, short of obtaining a compatible bachelors degree (another form of certification), to prepare for entry into the field, then yes, it would be unhelpful and inaccurate to say that certification is entirely useless.

But there are other things you can do, and so the effort involved in acquiring a certification --- even if an employer is paying for it --- has to be weighted against those other things. Research, open source development, writing, CTFs, keeping abreast of research, networking (even just "going to Defcon" --- and I don't like Defcon!), investing more time in researching career opportunities, bug bounties... these things all have a much higher payoff than certification does, and any time you spend pursuing a certification is coming at the expense of those other things.

It's also letting you kid yourself about the work and whether it's a fit for what you want to be doing, because one thing you should notice about that random list of things I just generated is that it covers a lot of what infosec people actually do. A certification process provides structure and forcing functions and activation energy (for a dumb process that won't get you any meaningful advantage professionally). But if you can't generate that kind of activation energy yourself, in this climate, with this many available resources, with the kinds of career payoffs people are regularly obtaining, maybe this isn't really what you want to be doing?

I agree that they are most effective for newcomers. I'd also agree that with few exceptions they aren't the most efficient learning process, but as a person that had the luxury of spending about $35k in leftover GI bill benefits on 6 SANS certifications I did get some value out of most of the classes, even when I was an intermediate DFIR analyst. They weren't life changing or anything, but some of them were useful.

>these things all have a much higher payoff than certification does, and any time you spend pursuing a certification is coming at the expense of those other things.

Those are all good suggestions. I think from the perspective of newbies a lot of them (research/ctfs/open source dev) seem really intimidating and/or they might assume (rightly or wrongly) that they have a high barrier to entry. When you combine that with the tendency for a lot of security guys to be super shy introverts for a lot of us its a big deal to socialize or reach out to people for help. Having static, structured forms of training like books, certification programs, online courses, etc, can help people like this get started even if its not the most efficient way to learn. Getting just a little bit of experience can give the boost of confidence they need to start contributing socially.

I guess my point is while I do agree that passion is usually the biggest indicator of success in this industry (and many others), I wouldn't be ready to rule out that a person has that passion just because they have a slow start, aren't confident and don't really know where to start or where to look.

Well, if they weren't useful, we wouldn't have 2 million H1B's working in the US. Schools teach very little technically and most folks graduating with some sort of degree in IT/CS/? only spend a couple of semesters even covering the related field. I have found that certs are useful because you can expect the applicant to at least know the basics of a Cisco Router, Checkpoint Firewall, Windows/Linux Server, etc. Obviously a CCIE will know something about Cisco Routers and Networking and some of the GIAC Certs are worth while. I know a lot of folks dismiss certs as bullshit but I've never met a CCIE/CCNP or OSCP that didn't know what they were talking about in their respective fields. At the same time there are a lot of really smart and talented people who don't have a Degree or a Cert and could put 90 % of the security field to shame and I would expect that to be true in other fields also.
They're useful for getting past HR screeners, but otherwise they are almost all useless.
As a security practitioner I am skeptical about certs value ( CISSP, Sec+, CCNA Security, CEH) in infosec except for the offensive certs from Offensive Security. This because I know too many folks that have certs yet never mastered security basics, cannot code, cannot administer, cannot innovate/automate, cannot lockdown, cannot audit, cannot circumvent, and are generally dangerous around any type of IT. Fundamental ability to manage, develop code, or administer, are foundational in infosec, which is why most of our good talent comes from IT support, Networking, System Administration or Development.

I think product certs are valueable though for reflecting experience in a specific field (e.g. CCIE/MSCE/AWS ), and process certs (ITIL/etc) for understanding how it fits together in a service mgmt context.

Apart from certs though, an active Top Secret SCI with a full scope polygraph is worth its weight in gold for govt work.

Quite a few comments here are mentioning that certs are not useful for offensive security. That's true, but offensive security =/= InfoSec...

When you come on Hacker News and see submissions full of comments about the technical details of exploiting some hot new critical remote code execution vulnerability, or read a hacker's blog walking through how they discovered security holes in some websites, or see an article by some cybersecurity company detailing how they tracked down some crime ring or nation-state backed hacking group, please be aware that 1) these are amazing things, and 2) they are not InfoSec. Information security is a management field and is mostly focused on developing top-down security strategies for organisations to implement, measure compliance with, and refine over time. It is related to, but also very different from offensive security. Relevant HN submissions would be high-profile cyber security incidents and updates on laws/regulations on computer use and data privacy.

You mentioned Sec+. It has gained popularity in the past decade and is now considered an entry-level requirement for many IT contracting jobs, especially government ones, and not even ones that are really security-related. If you don't usually get down in the weeds on computer security topics, then a Sec+ is a useful way to get broad high-level exposure. Another way to look at it this is that a Sec+ is for people who do not have a lot of pre-existing skills in computer security. It's used by employers to filter out employees who probably cannot be trusted with anything security-related in IT. Imagine your employer is thinking of having you sponsored for a security clearance - if you cannot pass a Sec+, than you're probably not cut to have a clearance in the first place. Realize that practically all of these organisations have to annual security awareness training (SAT) to their employees, but by making Sec+ a requirement, they now have a way cut out everyone who would have just slept through the SAT without really internalizing it.

We've established that the true purpose of Sec+ is for screening entry-level IT positions. The CISSP is similar, but for management-level positions. Primarily, it's for middle-managers who want to prove to HR that they are worthy of being chosen for information security roles study the CISSP. Contrary to what people say on the internet, the CISSP is actually very similar to the Sec+, but with more depth on information security management practices. The enhanced focus on information security management practices is because managers with a CISSP are expected to run information security-related projects and programs for the organisation.

Personally, I made a goal for myself at a young age to get the CISSP simply because I saw it was being hyped online. I didn't even do enough research to understand that years of experience was a requirement. I passed it a year before I even started an IT career. It's very doable depending on how much of a computer geek you are. I let it lapse since I was still working in restaurants and had no IT experience, but a decade later, I went for it again because 1) my employer paid for it, and 2) I consult to customers who are CISSPs.

It's important to research what a cert requires of you in order to maintain it. Both Sec+ and the CISSP require you to accrue a certain number of credit-hours every 3 or so years. There are also member dues. If these aren't too much of a hassle for you, then I recommend certs that are relevant to the environments that you work it. In my case, I got a CISSP because I work with CISSPs. I'd consider other certs if the people I work with had them too. I may not be an expert like what the commenters here are decrying as reasons not to pursue certs, but at least I can show a basic level of competence out of respect for the people who I work with.

I really dont have an idea about any certifications needed in Infosec but doing CCNA certification can give so many opportunities in industries. I have done my CCNA certification training in Pune from https://ccnapune.training/ and got placed in MNC.