Information Security Certifications are Worthless and Causing More Harm than Good


February 24, 2017

Here’s an excerpt from a 2016 Ars Technica article:

Recruiter Thomas Ptacek, whose Chicago-based agency Starfighter specializes in recruiting security folk, describes the CISSP as “a joke,” and claims that in his experience a job description requiring a CISSP was a warning flag to industry elite not to apply.

“I don’t think there are that many high-level practitioners outside of management who put much stock in the CISSP,” he says.

Dan Tentler, founder of the attack simulation consultancy Phobos Group, compares hiring infosec workers based on passing an exam to hiring other professionals on the same basis: “Would you feel comfortable letting a doctor be your primary care physician if all it took was to pass a written multiple choice exam?”

He believes that “ISC2 is making money hand over fist,” and that the organization is “diluting the market with people who have no idea what they’re doing.”

I concur. And I’m not alone.

Top 10 Problems with IT Certifications
5 Reasons Certifications Aren’t Worth It
Your CISSP is Worthless - Now What?

Hiring decisions based on security certifications are not only flawed, they also lull your organization into a false sense of security. Over time this causes more harm than good.

The fact that someone is “certified” – CEH, CISSP, GICSP, insert-your-security-cert-here – does not make them a skilled and experienced security professional or a “hacker.” And it doesn’t equip them to think like a hacker either.

It simply means they know the vocabulary and they know how to pass a test. Okay, maybe they know how to install Kali, run Nmap, and launch a Metasploit payload against a Windows XP box. But any 13-year-old can do that, too.

I’m fortunate and privileged to work alongside some of the most skilled security experts I know. And not one of them credits a certificate for their skills and knowledge. In fact, everyone here at the company – myself included – is self-taught.

Craig Heffner, DEFCON speaker and firmware reverse engineer extraordinaire, learned his tradecraft while stationed in the mountains of Afghanistan by reading books sent to him and hacking devices in his down time. No certificates needed.

Peter Eacmen, partner here at TNS, developed his innate ability to hack systems during his time at the Naval Postgraduate School. And he proved his skills by earning the coveted DEFCON Black Badge as a member of Sk3wl 0f r00t. No certificates needed.

And I was arrested for hacking in 1985. Yet I obtained my TS/SCI security clearance from the US National Security Agency in 2002. No certificates needed.

In all these cases, skills, talent, and creative thinking were developed over long periods of time and not obtained by studying for some industry certification test.

If you must obtain a security certificate for compliance or regulatory reasons, so be it. But it’s practical experience and skills that hold the true value, not some hot, trendy security certification.

So please save your money and stop feeding the security certification machines. We don’t value them and neither should you.

One final excerpt from the Ars Technica article:

“A 13-year-old kid can turn your company inside out, and you have a $10 million security budget, and your CISSPs are compliant,” Tentler says. “Tell me what kind of validation you get.”