Security Certifications Are Worthless

And they are creating a huge security risk.

I’m going to simplify it for you: security certifications are worthless and the people that count on them more than on experience, are causing a huge security risk. These certifications only tell you that a person can pass a multiple choice exam. That’s it.

I can work with my grandma, or with a 16 year old. I can teach them what to look for, and they will pass the exams. Are they now a “security professional”?


Would you feel comfortable letting a doctor in charge of your life, your body, your overall health, if all it took for him/her to become a doctor is to pass a written multiple choice exam?


Requiring a certification, and hiring decisions based solely on whether you have a security certification or not, is not only wrong, but it leads a business or organization into a false sense of security. This will eventually cause a lot of risk by allowing people without actual experience to dictate policy and strategy based solely on their belief that what they studied to pass an exam is how the world works.

It takes years to become a security professional.


It requires that a professional gain experience in a multitude of subjects, both technical and non technical, over many years, and be versatile and smart enough to learn new ones constantly.

Certifications will NOT give you that. Worse, they will prevent you from attaining the one thing EVERY security professional MUST have: the adversarial mindset. Yes, how to think like a bad guy.

If you want to be a “security professional” you have to think like a bad guy.

So, CEH, CISSP, GICSP, CISM, CISA, CCSP, C-insert-your-security-buzzword-here are jokes. Sorry. You spend money on things that can give you a way in, in some cases, but that’s it. They can’t be taken seriously.

If I see someone I’m trying to hire, apply with a resume that has “Name, CISSP, CISM, CCSP, CSHIT, CMORESHIT”, I immediately discard it. I don’t even look at that person.

No security professional worth anything takes those certifications seriously. And in my experience no security professional will list them. They may have them, as a compliance requirement for the federal government or other organizations, but it’s just that, a compliance requirement.

So, please, do not rely on these certifications to attest anything. Only hard gained practical experience, skills, and mindset hold the true value of a security professional.

Do not continue to create more security risks. Do not continue to create harm to a profession that, not only is extremely difficult, but if you are on the defense side it’s always one step behind the bad guys.

Stop this please.


A couple of readers, whom I think are big supporters of having certifications, the more the merrier, asked me what would a “good” certification look like in my book.

The answer is there wouldn’t be one in mine. I rely only on experience and mindset.

That got me thinking for a bit, though. And well, here it is, the newly minted “Certified Actual Security Professional”, or CASP for short.

The CASP is simple: Every five real years of experience in an actual security job doing security engineering, offensive security, security architecture, or a combination of all, you get promoted in ranking.

You start as a “basic security person”. That’s like being a private in the military. You know nothing, and your cert is nil. Five years later, after working in the security field and gaining actual experience, you get “security junior pro”. Five years later, you get “security professional”. This level is a good middle ground, with ten years of experience, you begin to understand security and what’s all about. Five years later you get a “senior security pro”. Then five years later you get the coveted “actual security professional”. 20 years in, you are an actual security professional.

Done. That would be a good certification in my book.

Oh, and there would be no fees, and no "needing to go to conferences", or anything like that… Just hard work in the security field.