Security Basics mailing list archives

Re: Certifications: Not worth the paper they are printed on?


From: krymson () gmail com
Date: Mon, 6 Oct 2008 15:28:23 -0600

Jon, nice post. I just wanted to mention that if someone misses their Security+ yet has 100+ certs (or even 10+ certs), 
they need to be avoided. They obviously don't have the knowledge (yet) for security and they certainly have learned 
nothing about how to study and take a test.

I want to join in on the soap box too. :)

I find it important to remember that many of these certification shops are simply businesses trying to make a buck. 
Their focus is their own bottom line, not the experience and actual value from the student perspective. In other words: 
the more they churn in and out, the more they make. There is every incentive to make everyone in the world get the 
cert, rather than make the cert a more exclusive reflection of skill/knowledge. Sure, they dance the balance between 
being relevant and churning more money, but I think we know which one wins over time.

b) I also think it is important to remember our field can be very technical. This means you really have to learn from 
both experience and also from experienced practitioners. As you say, getting someone who has logged time in the technical 
trenches is important, maybe essential in most cases.

c) But those people are also most likely well-paid professionals. To get them to leave a technical job and go into the 
"teaching/presenting circuit" might be tough to do. And it might mean premium prices for the education.

d) But then once someone is in the "teaching/presenting circuit," they go stale. The presentation suddenly becomes more 
important than the skills they are trying to pass to the student. The extreme result in my mind is the typical 
motivational speaker. Entertaining presentation, but the common sense message is a waste of money.

e) Lastly, I also believe "security" is just too broad. No two companies do security the same, and I really believe no 
two companies ever will do security the same, no matter how much McAfee wants to sell entire universal crapware suites 
and HackerSafe stickers. This results in teaching the vague concepts rather than the technical skills. How often do we 
hear "experts" spout the "best practice" of implementing a PKI buildout? And how often is it actually successfully 
spelled out based on experience?

And this is why we folks who thirst for technical knowledge, and the certs to reflect it, feel so empty from these 
typical trainings and tests. We can get more personal value from wasting time on IRC than on a cert.



<- snip ->

All,

Yesterday I was reading a blog where someone with no security experience
whatsoever was grousing that they flunked the Security+ exam. The
blogger also claimed to have over 100 certifications. In my opinion,
that many certifications undoubtedly qualifies this blogger to be the
Poster Boy for everything that is wrong with the certification process.

.. <- snip ->
