Monday, July 11, 2016

A word on certs and RFC...

A friend of mine recently asked me which info-sec certs would be worthwhile to pursue.
It's a bit of a loaded question, because I feel it depends on:

1. The career interests of the individual
2. The knowledge level of the individual
3. The time investment
4. The use of the certification

To expand on point one, info-sec has many areas, such as defense, offense, and vulnerability management, to name a few, so it depends on what interests the individual. As an example, let's go with offense. There are certifications from EC-Council, SANS, and Offensive Security: respectively, Ethical Hacker; GCIH and GPEN; and OSCP.

This leads into point two: some of these certifications (not just offensive ones) and their accompanying courses require varying levels of technical knowledge in order to understand the material.

Point three: as mentioned above, because of the varying levels of technical knowledge needed, an individual must be ready to make time to understand unfamiliar concepts. Read the course material and, if taking a class with an instructor, prepare to take notes. An individual should not focus only on the course materials but also augment them with additional resources, such as books and blogs applicable to the subject. Some of the courses and training material will highlight tools, but an individual should avoid focusing only on learning command-line switches or buttons to press without understanding the concepts behind the tool. A quick analogy: you may be able to buy the tools you need to change the oil in your car, but without understanding why you need to change your oil and which components are involved, you may use those tools incorrectly.

How will an individual use the certification? Is it simply to have an alphabet of letters following a name? Or for career advancement, to pass HR filters? Is there personal fulfillment in achieving a certification?

So I am opening a request for comments to those who read my blog. I look forward to the discussion. What do you think about info-sec certs?

**********Update 1****************
Thanks to Harlan for commenting! Harlan brings up a good point regarding accountability. Another reason for pursuing a cert would be management objectives set for an individual. But how does management hold an individual accountable for what was learned through a course and its accompanying cert?

IMHO, management, particularly in info-sec, should be proficient to some extent at a technical level in the info-sec area they are managing. This would allow them to assess the material and its benefits, and then work out ways to hold an individual accountable. But I know this sounds like a perfect-world scenario to those whose management is not technical and only managerial.

The next question to readers would be: how would you help non-technical management understand the value of the training/cert an individual is seeking, and how would you help them assess you afterwards?