Monday, July 11, 2016

A word on certs and RFC...

A friend of mine recently asked me, what info-sec certs would be worthwhile to pursue?
It's a bit of a loaded question because I feel it depends on:

1. The career interests of the individual
2. Knowledge level of the individual
3. Time investment
4. Use of the certification

To expand on point number one, info-sec has many areas, such as defense, offense, and vulnerability management, to name a few. So it depends on what is interesting to an individual. As an example, let's go with offense. There are a couple of certifications from EC-Council, SANS and Offensive Sec: respectively Ethical Hacker, GCIH and GPEN, and OSCP.

This leads into point number two: some of these certifications (not just offensive ones) and their accompanying courses require varying levels of technical knowledge in order to understand the material.

Point number three: as mentioned above, because of the varying levels of technical knowledge needed, an individual must be ready to make time to understand unfamiliar concepts. Read the course material and, if taking a class with an instructor, prepare to take notes. An individual should not only focus on the course materials but also augment them with additional resources such as books and blogs applicable to the subject. Some of the courses and training material will highlight tools, but an individual should avoid focusing only on learning command-line switches or buttons to press without understanding the concepts behind the tool. A quick analogy: you may be able to buy the tools you need to change the oil in your car, but without understanding why you need to change your oil and which components are involved, you may use those tools incorrectly.

How will an individual use the certification? Is it simply to have an alphabet of letters following a name? Or for career advancement, to pass HR filters? Is there personal fulfillment in achieving a certification?

So I open a request for comments to those who may read my blog. I look forward to a discussion. What do you feel about info-sec certs?

**********Update 1****************
Thanks to Harlan for commenting! Harlan brings up a good point in regards to accountability. Another reason for pursuing a cert would be due to management objectives for an individual. But how does management hold an individual accountable for what was learned through a course and accompanying cert?

IMHO, management, particularly in info-sec, should to some extent be proficient at a technical level in the info-sec area they are managing. This would allow them to assess the material and its benefits, and then assess ways to hold an individual accountable. But I know this sounds like a perfect-world scenario to those whose management is not technical and only managerial.

The next question to readers would be: how would you help non-technical management understand the value of the training/cert an individual is seeking, and how would you help them assess you afterwards?

1 comment:

  1. IMHO, certs in DFIR work have varying value. Some feel strongly that certs show a minimum level of knowledge...however, as someone who's been on both sides of the podium, I would suggest that that's not so much the case. What does it take to get most certs? You go pay a great deal of money, go to a venue, sit through the course, take a test (open book)...then what? That doesn't guarantee a minimum level of knowledge; it simply guarantees that you've spent time and money.

    I earned my CISSP cert in 1999; my employer sent me and two others to a course, in order to come back and prepare others in our organization. For 5 days, we sat in a room with an instructor who'd actually written the content for the Legal domain; he spent half of his time telling us what didn't apply. We went back to the company, briefed everyone, and all 10 of us who sat for the exam passed.

    The primary use I've seen for certs is for a candidate to make it past the HR gauntlet. Since the early 2000s, I've known recruiters and HR screeners who have admitted to dropping resumes of possibly extremely qualified candidates, because they didn't include certain key words, either by word or frequency.

    My biggest issue with certs isn't the material or instruction...there are a good number of certs out there that provide quality information and instruction, given by some very good instructors. The issue that I see time and again is that analysts are sent off to these courses, but never held accountable for the instruction once they return. I've seen analysts go off to SANS FOR408/508 courses, get their cert, and upon their return, their 'analysis' hasn't changed or improved in any way. This is not an issue with the instruction; the issue is that after spending the money for the cert, management does not hold the analyst accountable for using the new information.