Skip to main content

What's the point of (InfoSec) Certifications?

Quite recently, my GSE was up for renewal.

I'm currently in the middle of transporting my family to another continent and I've slightly more responsibilities work-wise in 2016 versus 2012. However, given the effort and study that it took to get the cert the first time (and to a lesser degree the expense), I figured it was a no-brainer to renew. For me, I've always been a huge fan of the GSE and considered it the epitome of InfoSec certifications, much like the CCIE for (Cisco) networking.

Personally, I learn better by "doing" and consider it as the evidence that someone knows their stuff so the "2-day lab" element in the GSE was a both a huge goal and challenge that I was excited about. I talked about the value of "doing" when trying to learn about yourself previously here with the infamous Security Ninja and here on my own blog so there's no point in repeating myself.

When I did the GSE, I absolutely loved the hands-on lab more than anything-else I'd done in the world of SANS or GIAC, outside of Mike Poor's 503 Packet Work book (if you like packets, this is heaven, literally :) ) and the "Capture the Flag" exercises created by Ed Skoudis in 504 and 560. I've also had some amazing instructors like Arrigo Triulzi (Arrigo teaching SEC504 actually convinced me that my future was in InfoSec) and Stephen Sims, however, I am questioning more than ever the value of certifications and to a lesser degree the training courses (which are priced to be exclusive to a tiny minority who are already fairly well off or lucky - I often recommend Coursera or the Offensive Security stuff to candidates when cost is a real issue).

I do truly value the education that I have received through SANS as well as the support from the companies I've worked at and more importantly my family in order to be able to do those certifications and ultimately get the GSE but now I'm questioning the value of many of them, more than ever. Maybe it's the fact that I've seen people turn up with certifications and know absolutely nothing (the CEH and CISSP-holders are more often than not jokers), though I've never seen a GCIA-holder turn up and not know packets :) I haven't encountered too many OCSP or OCSE holders to have full context on those but having read their syllabuses, the practical element sounds awesome.

As for SANS, as I've said, I've learned hugely there but it truly does seem over-priced. I recently did the FOR572 with Phil Hagen, who also seems to be a great instructor and an awesome dude (based on my limited interactions on email), however, I paid (or in this case Riot did) practically the same price for the course in "offline" format versus "attending the course physically for a week". I am truly baffled as to why there's such a minute difference but I've never seen or heard a good explanation. As for the course, it was very good although I was very familiar with the vast majority of the topic.The exam for this was easily the worst GIAC exam I've ever done - the questions were not clear, occasionally the answers were incorrect and there was too much ambiguity. SANS did reach out but the discussion didn't go too far, I suppose this is natural in comparison to the GSEC but both exams are around $400 to challenge on top or the SANS course or $1149 outright to challenge so surely the standard should be much closer.

Additionally, sadly SANS and GIAC still seemed to be heavily geared to the US Market. For example, with the GSE renewal, the cost is $399 and you get one set of books (i.e. either the GSEC, GCIA or GCIH) included. Sounds sweet, right? Unfortunately if you live outside of the US, you've to pay $199 to ship that one set outside of the US. Being a tight-ass, I used my old books :)

I'm immensely proud of passing the GSE back in 2012 and realise that I am also incredibly lucky to have a company (thanks AIB) to support me in the burden of the financial costs for the vast majority of the per-requisites. However, in 2016 I'm not so proud of passing my renewal. On the other hand, this could simply be me getting old, cynical and grumpy but I'm pretty sure I won't be renewing my GSE in 4 years, we shall see! Maybe if it was to be the practical 2-day lab again, I'd fail :)

I then see articles like this and this, which are two of many pushing people to certifications :( Two of the smartest and hardest-working people I've ever worked with that regularly kick my ass daily don't have degrees. If I ever started a company, they're the first people I'd hire again :)

Here's the complete list of InfoSec certifications, which is pretty incredible and many I've never heard of (it must have been so painful to compile this list). Seeing so many certifications is little scary for me but really, it's just indicative of the bloat in the InfoSec industry in general.

This is either a rant or random thinking aloud but I do feel better after getting it out of my head....

Subsequent Edit:

Some links to "Getting into InfoSec" as it came up in Twitter convos:

Comments

  1. Great information. I have to renew my GSE by next month but I hesitate to do that as well. GSE does not seem to be beneficial anymore to me as well.

    ReplyDelete

Post a Comment

Popular posts from this blog

Being a Support Engineer @ 10gen - Part 1

There's a mis-conception around the role of a "Support Engineer".  As a clue, it's not what Urban Dictionary   says   - A person whose job is to answer calls from customers of a small- to large-sized company...... They are teathered to a their desk all day via phone headset........ phone jockeys usually hate their jobs.......they are are paid well enough..........until they completely burn out, and hate everyone.   and doesn't always involve this - Image Source: http://half-bakedbaker.blogspot.ie/2009/11/cannoli-and-broken-computer.html As you can see  here , there's lots of open roles in  10gen  and more specifically with 10gen, in  Dublin . I thought I'd write this quick blog to explain what Support Engineers actually do and why I joined 10gen as a "Support Engineer". I could be wrong but didn't Google come up with term " Site Reliability Engineer " to do away with the stigma associated with being a...

WAF versus DPI Firewall

This is a question, I've frequently been asked in recent years and in the last month, o n one of the internal mailing lists, in my old company, the following question was posted – In simple terms, what tasks is a Web Application Firewall (WAF) able to do that a Deep Inspection Firewall can't and why ? by one of my colleagues. Many of you may be surprised (I know I was initially) but this question still comes up an awful lot. Having answered the email (as a warning, I went into a lot of detail and plugged the awesome Security Onion ), I was requested to write a technical blog on the subject, but as I left the company soon after, the blog was never published. Therefore, to save me answering the question again, I thought I’d publish it so I can just reference the link in future J

LinkedIn Emails

Receiving mails via LinkedIn is an interesting experience. For example, how many folk actually personalise "contact requests" - from what I see, less than 1%. I typically try to because I think it shows some thought has gone into the request and it's friendly, but then "manners" on the Internet is a very different thing to the real world, right ;-) Anyway, to the point of the blog post. In early November (2012), whilst I was preparing my Security Onion presentation for IrissCon  (why did I bother when my MBP died on-stage), I received a very interesting and personal email via LinkedIn. The email came from a "Senior International Belief Instigator" (let's call him the SIBI - to save me typing) at Riot Games and the email was literally awesome, it hit many of the key points that you'd hope for in a recruiter email but it also had a wonderful tone. In my ignorance, I knew of League of Legends but not Riot (yes, I am embarrassed by that). I r...