Certifications? Huh... No

Maybe I should have written "Why I don't believe in certifications" as a title for this post, but I'm tired of having to explain that one, so I'll explain why I refuse to take any certifications myself instead. At the end of the post, I give a brief idea of how I think certifications should work. You can skip to that point if you don't want to read the entire rant.


Lately a lot of customers have been asking me and some of the Team guys to take one of the many Security Certifications. There are many out there: CISSP, CPTC, CompTIA Security, CSTA, CEH, etc, etc, etc, etc, etc.... A lot of them. Each one saying they are the best and most complete, or like one site states: Demonstrates a working knowledge of information security and confirms commitment to profession.


However, if you check the syllabus of the courses you will see stuff that is so outdated, it makes any 5 year old script kiddy laugh.

Now, in one particular case one of my customers told me that they would pay for the certification since they needed everyone, employees and contractors, to be certified in that particular certification for the purposes of passing a very specific checklist. So, I agreed and I enrolled in the course so I could, at the end, take the exam. The first 10 minutes of the 1st class settled it for me. The instructor had no idea about real life information security and how bad guys do it. I stayed until the end and when everyone left the classroom I asked him about that, and he said: "listen, I know all this doesn't work in the real world, but learn this and you will pass the exam. Then you are certified."


OK, so my take? Imagine this situation. Joe is a marketing manager. His company is looking to hire a new director of information security. After several months of trying they decide that since Joe is a great manager, they will make him the director of information security. So, they send him to take the Super-duper-hack-all-certified certification. Joe, being a really clever guy, reads the book, takes the classes and passes the exam. He is now certified as a super-security-guy. Only he has zero experience in the real world. However, he feels he knows stuff now. Yes, he is certified after all, right?


What happens is that Joe now knows basic stuff that worked sort of ok 5-10 years ago, but today? Not so much. Sure, it's important to know those things, but putting that person in charge of making company-wide decisions about security is plain stupid.

Big corporations have all these "cover-your-ass" checklists that they like to fill, one of the points is "have a certified person responsible". Check. So, for them, they did the right thing. And... Then... They get breached.

How? How can this be? They have a certified director of information security. They passed PCI, they have a firewall for fsck's sake! How can this happen!????

Well, all these certifications, compliant checklists, and other ways big companies have to try to make sense of security don't take into account the real world.

Anyone can pass an exam. ANYONE.

Does that make you an expert? Hell no! But it looks good on paper.
Yet, that person with the certification will probably be hired over a person without certifications but with years of experience. It looks good on paper.

So, now you know why I don't care about certifications. They mean nothing without the experience in the field.

How can we make this better?

Well, I have a few ideas. For starters how about this: let's have a certification that takes into account the experience of the person applying. If the person has less than 5 years of real world experience in security, he or she can apply to level 1 certification ONLY. This is the entry level and tells people this is a beginner security professional. Once you have real world experience you can apply to level 2. This level allows you to be trusted with some decision making stuff. You have some world experience. Then after 10 or so years, you can apply to level 3... You get the picture. I think 5 levels should be perfect here, with level 5 required to be a director, C-level exec or someone in charge of security in any organization, and it should require at least 15 or more years of real experience: red teaming, pentesting, reverse engineering, exploit coding, etc.

That's how I'd do it. Then I'd trust a certified person.


EDIT: I must say that there are some good people steering the certifications in the right direction. Offensive Security is one of them and they seem to be doing a good job. While I haven't seen the content of their courses, they seem to get the fact that you need hands-on experience in order to understand the world of security as it is currently.