Security Certifications Are Worthless

And they are creating a huge security risk.

I'm going to simplify it for you: security certifications are worthless, and the people who rely on them more than experience are creating a huge security risk. These certifications only show that someone can pass a multiple choice exam. That's it.

I could work with my grandma or a 16-year-old. I could teach them what to look for, and they would pass the exams. Are they now a "security professional"?

No.

Would you feel comfortable putting a doctor in charge of your life, your body, your overall health, if all it took to become one was passing a written multiple choice exam?

Exactly.

Requiring a certification, and making hiring decisions based solely on whether someone has one, is not only wrong, it leads a business or organization into a false sense of security. That eventually creates real risk by allowing people without actual experience to dictate policy and strategy, based only on what they studied to pass an exam.

It takes years to become a security professional.

Years.

It requires gaining experience across a wide range of subjects, both technical and non-technical, over a long period of time, and being versatile and sharp enough to keep learning new ones constantly.

Certifications will not give you that. Worse, they can get in the way of developing the one thing every security professional must have: an adversarial mindset. Yes, the ability to think like a bad guy.

If you want to be a "security professional", you have to think like a bad guy.

So CEH, CISSP, GICSP, CISM, CISA, CCSP, C-insert-your-security-buzzword-here are jokes. Sorry. You are spending money on things that might help you get your foot in the door in some cases, but that's it. They cannot be taken seriously.

If I see a resume that says "Name, CISSP, CISM, CCSP, CSHIT, CMORESHIT", I discard it immediately. I do not even look at the person.

No security professional worth anything takes these certifications seriously. In my experience, they do not even list them. They may hold them as a compliance requirement for the federal government or other organizations, but that is all they are.

So please, do not rely on certifications to prove anything. Only hard-earned practical experience, real skills, and the right mindset carry true value in a security professional.

Do not keep creating more security risk. Do not keep damaging a profession that is already extremely difficult, especially on the defensive side, where you are always one step behind the bad guys.

Stop this.

EDITED TO ADD

A couple of readers, who seem to strongly support certifications, asked me what a "good" certification would look like in my view.

My answer is that there would not be one. I rely only on experience and mindset.

That said, I thought about it a bit, and here it is: the newly minted "Certified Actual Security Professional", or CASP.

CASP is simple. For every five real years of experience in an actual security role, whether in security engineering, offensive security, security architecture, or a mix of those, you move up in rank.

You start as a "basic security person". Like a private in the military, you know nothing and your certification is nil. After five years of real work and experience, you become a "security junior pro". Five years later, you become a "security professional". At that point, with ten years of experience, you start to understand what security is really about. Five years later, you become a "senior security pro". After another five years, you reach the level of "actual security professional". At twenty years in, you have earned it.

Done. That would be a certification I could stand behind.

There would be no fees, no conference requirements, nothing like that. Just real work in the field.