I've never really been a fan of certifications for two reasons: some of the smartest security folks I know don't have any, and some of the least capable do. I don't have a CISSP, nor have I earned a CEH, CISA, Security+, etc. Quite honestly, I am too busy to study for any of them. I have found a few types of "certified" folks out there:
- Smart, dedicated professional looking to expand knowledge and become an expert in their chosen field, spending hours studying texts, reading white papers, etc.
- Smart, dedicated professional that went to training and took the exam at the end because... "why not?"
- Poor soul sent to a boot camp training course to take on new technology / responsibility that they have no experience in, took the test on Friday afternoon after getting their free travel mug and polo shirt.
- Sales engineers and the ilk that need certifications to "prove" expertise... I still remember the CISSP, CEH, LMNOP vendor dude that didn't understand basic routing issues and insisted that eBGP could NOT be run on an internal network.
I think what is beginning to happen with security certifications is what has happened with Cisco certifications and college degrees... so many unqualified, uninterested, and incompetent people have been attaining the high-level certs that they are becoming almost worthless as a selection criterion of value or knowledge.
That being said, I would actually consider a certification that still meant something, like the CISSP (but that is changing by the day) or a newer, lesser-known SANS certification (management or technical tracks... I still haven't decided which direction I want my career to go). Of course that would put me in the first type of certified professional I listed above ;)