Security Certification 1/3 – Certifications in General
- At January 12, 2012
- By Josh More
- In Business Security
It seems that, about once a week, someone asks me about security certification. A lot of people seem to believe that a security certification can get you over the “need experience to get experience” hurdle. The point of this post is not to tell you which certification to get (though it does do this), but to explain why this common line of thinking is wrong.
At the entry level of the job market, the “you don’t have enough experience to get experience” problem is particularly troublesome. This is especially true in the current economy where fewer jobs means that many more experienced workers are competing for the entry level ones. These are the people that typically come to me and ask “CISSP, Security+ or GSEC?”.
However, if you show someone an experience-less resume that lists a security certification, all that is communicated is that that particular certification can be attained without experience. This weakens the certification and does nothing to make you look better.
In fact, most hiring managers I’ve spoken to will take the stack of resumes and filter it as follows:
- Throw out everyone lacking a college degree.
- If the stack is still too tall, throw out everyone that doesn’t have a four year degree.
- Then they look at experience and get rid of everyone that lacks the requirements.
- If the stack is still too big, throw out everyone that has experience but isn’t certified.
- Take any resumes that come with a personal recommendation and add them back into the pool.
It may not be fair, but when any job opening solicits hundreds of resumes, it is a fast way to get through them. It also means that if you have no experience, possessing a certification gains you absolutely nothing. In fact, the best thing you can do to be considered is to know someone in the organization. After that, the most helpful is a degree, then experience, then certification… but only as a tie breaker.
(Note, in some job areas, like the US Federal Government, certain certifications are required for specific job levels. Assume I’m not talking about these job areas. After all, if you’re going for one of those, you already know which certification you need.)
It seems, from this, that I’m saying that certifications are useless. Nothing could be further from the truth. Certifications are great… just not for getting a job. Let’s look at what employers find to be the most useful: who you know, college degrees and experience.
Who you know
If you are recommended by someone that the hiring manager knows, the manager has already vetted you far more thoroughly than is possible in a series of interviews. They know that you are likely a good person to work with, as you can clearly be friends with the sort of people that work at the organization. They know some of your strengths and weaknesses. In short, they know that you can probably do the job and that you are likely to grow with the business.
A lot of people are disdainful of the “good old boys” network, but if you’re not in it, there is always the question of “why”. Without an answer to that question, people create their own answers… and they are seldom complimentary of you as a candidate.
College degree
The industry also has a lot of disdain for college degrees. Do you need a college degree to work in security? Of course not. There are tons of people in the industry without them. (Of course, they got in because of who they knew.) Like many people state, a college degree is just a piece of paper that says that you spent four years putting up with crap… which is a really good measurement of what many organizations want.
If you can get through a university program for two or four years, toe the line and do what you’re told, a hiring manager will know that you’ll be unlikely to make waves. You might not know all you need to do the job, but you’ll likely be able to deal with stupid corporate rules for long enough to learn what you need.
In short, a standard degree is not a measure that you’ll be an awesome employee. It’s a measure that you won’t be horrible and cost the organization more money than you bring in.
(Note: liberal arts degrees are something different entirely… but from a hiring perspective, they are only useful if the hiring manager is aware of the school and what the degree means. Without that knowledge, they look the same as a regular degree, so it comes back to “who you know”.)
Experience
Experience is, of course, the gold standard of getting hired. If you’ve done the job before, the manager knows that you can do it again. However, there’s a trap. If you have experience, you’re somewhat stuck in that area of expertise, and if that area goes away, you could be in trouble. A lot of COBOL programmers discovered this in recent years. If you’re in this situation, you’re really back to who you know.
Of course, it’s better to avoid getting into this situation by constantly taking on new projects and expanding your skill set. However, this series of posts is about certification, so I won’t delve into that topic.
Learning
So if that’s the situation, what do you do about it? The key, I think, is learning.
When you get right down to it, what a hiring manager wants to know is:
- What do you know?
- What are you capable of learning?
- Can you convert that knowledge into something useful to the organization?
- Can you do so without causing problems in other areas of the organization?
That’s it. Based on how well you do at those four points, your career will skyrocket or stagnate.
So, the keys are learning, translation and communication. Let’s look at certifications with that in mind.
Most people looking at security certifications look in four areas: ISC(2)’s CISSP line, SANS/GIAC’s G* line, CompTIA’s Security+ line and Offensive Security’s OS* line. The key criterion for you to consider is which line is going to maximize your learning for your dollar. Generally, SANS/GIAC is considered the most expensive, but in my experience also has the greatest opportunity for learning. Second to that, in my opinion, is the Offensive Security line. They’re more focused and hands-on than a lot of SANS/GIAC offerings, but also start a bit higher in the experience level.
So what you need is a way to compare not certifications, but what you learn from the certification process. If you can maximize the amount you learn per dollar you spend, you can both select the best certification for you and the best experience you can get from pursuing that certification.
Check in tomorrow for the method I use to compare certifications.