General discussion

  • Creator
  • #2291063

    How valuable are security certifications?


    by debate ·

    What certifications, if any, do you have? How do you feel they’ve enhanced your career? Which security certifications do you think are the most valuable? Share your comments about the value of security certifications, as discussed in the Nov. 19 Security Solutions newsletter.


All Comments

  • Author
    • #3291085

      Some more valuable than others

      by aldanatech ·

      In reply to How valuable are security certifications?

      I personally don’t own any security certification, but I am planning on obtaining a CISSP to advance my career. I find it to be more valuable than others such as Security+.

      • #3318951

        they are all the same

        by secure_lockdown9 ·

        In reply to Some more valuable than others

        unless you have a potential employer who is telling you that if you get certification X they will give you job Y – don’t waste your time.

        take certification for sense of personal achievement and goals – but don’t count on much else.

    • #3291015

      Very valuable

      by roland d’souza ·

      In reply to How valuable are security certifications?

      I have a few and I have found them to be very valuable. For starters, you could work with a product for years and never learn lots of the in-depth stuff that comes in very handy when disaster suddenly strikes. If you are looking for a job, I believe certs will at the very least get you short-listed and give you a chance to sell yourself at the first interview. I have just completed the MCSA 2003. I intend to complete the MCSE 2003 (Security Specialisation) after I complete the MCSE 2003 next month.

    • #3290952

      If you understand what the certification means….

      by mlayton ·

      In reply to How valuable are security certifications?

      … some are valuable. I got my CISSP years ago when I wanted to make a career move into a security organization. It gives general knowledge of the security field in terms which allow you to speak to managers about what concerns them. The ten domains were a nice breakdown of management-speak. Since then, the certs I have received are in the more focused domains of SANS, which require practical knowledge of the domain and technical details. While these enhance my career on the technical level, the details contained therein would bore management or confuse them.

    • #3292518

      Foot in the door…

      by praetorpal ·

      In reply to How valuable are security certifications?

      As with anything else, a cert may get you in the door for an interview, but it is up to the individual’s communication skills, attitude and experience to actually land the opportunity.

      While I do not have a certification, I have talked to many so-called “security specialists” in the past few years. My conclusion is that certifications create a herd mentality or a group mind set. So many I spoke to did not even understand the concept of the trusted operating system, which is the highest level of security that can be achieved. That may be due to the fact that this is a military grade security and has not been prominent in the private sector previously. Thus, I would put my money on a combination of certification plus previous military IT security experience, if I was seeking a security specialist.

      • #3305039

        Well, call me an old cynic but …

        by aardvarky ·

        In reply to Foot in the door…

        You wouldn’t be someone with military security experience looking for a civilian job, and trying to motivate prospective employers to disregard your lack of qualifications, by any chance?

        OK, really just joking. 🙂

        In general, I have always believed much more in relevant experience than qualifications. As someone once said, “theory is not worth the paper it’s written on”.

      • #3310976

        Security+ is a joke

        by house ·

        In reply to Foot in the door…

        CISSP is probably the most respected cert out there. I remember seeing a review of Security+ on certcities website. It claimed one of the top spots in the most valuable certs list. I have not written this exam because I think it’s a joke. I’ve acquired some documents that have model questions in-line with the Sec+ exam. The questions are just way too easy and logical. [i](to eliminate some confusion, and to defend myself from further attacks, I’d like to say that I am not a testking baby… I have been doing this crap for a long time… I use Q&A to identify my weak areas… not to memorize)[/i]

        An IT manager who is aware of Comptia’s exam will not recognize it as an impressive cert. Personally, I might write it just to add to my resume. It certainly doesn’t require any studying on my part.

        • #3300836

          What the security+ is designed for

          by scottsman ·

          In reply to Security+ is a joke

          I think the point of the Security+ exam is to show awareness of Security issues. I feel the exam is targeted at a sys. admin, not a security professional. If you look at it from that perspective the exam is appropriate.

        • #3328715

          What security cert should I go for?

          by ken.johnston ·

          In reply to What the security+ is designed for

          I am a network admin looking to broaden out into security. I am studying the CompTIA Security+ book. I consider Sec+ to be a level one cert, as are A+ and Net+. I am also studying for my CCNA exam to get on the CCNP track. Back to security, what track should I get on that will get me to a high level of security training and cert?

        • #3319006

          What arrogance!

          by robotech ·

          In reply to Security+ is a joke

          Tell me that you wrote this post just to generate conversation. Tell me that you’re not serious. Have you looked at the objectives for the Security+?

          I’m responsible for managing several client networks, and if a client were to ask me to help them interview someone for a full-time post, the two certifications I would ask for are Network+ and Security+. Very few of us need a CISSP, which has several requirements (that most of us don’t have unless we are constantly working in a security field) before you can apply for taking the exam.

          Security+ covers a broad range of issues and technologies that any network Admin should be aware of (and usually they aren’t). And if one is not aware of it because of the environment he/she works in, studying for the Security+ makes him/her aware.
          Maybe a bank, or some other financial institution would require a CISSP to determine the security policy of the company and its branch offices (perhaps in the form of a security consultant), but for everyday functionality, I think Security+ is good enough.

          Wanting everyone to have CISSP is like training your entire police force to be detectives. There isn’t a need for that. You just need people who have sufficient knowledge to keep things in check. Whenever a serious and consistent problem develops, and there is a problem keeping it under control; then you can call in the specialists.

          Kudos to the COMPTIA group for the work they put into the Security+ exam, I plan to do it in another 3 weeks.

        • #3318972

          good points

          by apotheon ·

          In reply to What arrogance!

          The CompTIA Security+ certification is centered on IT security issues. The CISSP is more of a general-purpose security field certification with a great deal of IT awareness built into it. Generally speaking, anyone that actually has the experience and knowledge that the CISSP pretends to guarantee will be spending so much time on security-related matters that he or she will necessarily be utterly deficient in other areas that are necessary for more realistic IT work. A CISSP-type security specialist should work for an IT guy who should have network and local system security skills on the level of what the Security+ certification pretends to guarantee.

          (Note: I say “pretends to” because generally people learn how to pass the exam, and not what is needed to be as qualified as the certification is meant to indicate they know. You can spiff up a resume and take some “boot camp” classes to pass the CISSP, or you can learn it the hard way and go take the exams without much exam-specific preparation. The latter will be a better worker in the field, but the former will score better on the exams.)

        • #3317799


          by house ·

          In reply to good points

          …don’t you think that the exam is too easy?
          If you have studied for various other topics, there is so much redundancy in the Security+ exam, that it doesn’t require much from the person who wants to write it.

          The questions are also designed in a way that you can rule out all possible answers in order to come to the proper conclusion. Sure, all certs are designed this way, but the Sec+ is way too general.

          The exam should also focus more on software technologies, especially if it is now considered as an elective towards the MCSE route (which is a big mistake in my opinion).

          When I was studying the MCSE 2k route, you needed to combine two Comptia certs in order to match one elective in the MCSA certification. Also, the Comptia exams were not even considered for the MCSE. It seems that MS is slacking off a bit.

        • #3317751

          not really

          by apotheon ·

          In reply to apotheon…

          I haven’t actually taken the Security+ exam, nor have I looked into it much. What I know is from reading [b]about[/b] it, rather than reading study materials or practice tests [b]for[/b] it. With that in mind, take my opinions with a grain of salt.

          The point of the Security+ exam is not to make you a security expert. None of the CompTIA exams are meant to make you an expert at any given field specialization. They are meant to indicate a principles-based (as opposed to technologies-based) understanding of various parts of the important skillset for an IT generalist.

          Because the CompTIA exams are meant to be applicable in perpetuity, they are necessarily not going to be very technology specific. Personally, I’d rather have someone on the payroll that already understands principles and has the ability to learn practical application than someone that understands practical application of some set of technologies and is relatively ignorant of underlying principles. The latter case, though, is what the Microsoft certs are for: they (necessarily) certify in a technology, and not in an understanding of underlying principles.

          Understanding the principles is important for situations where new technologies must be learned. Any job that lasts more than a few months should definitely take the possible need of skills development in new directions into account in the hiring process. If an OS platform, a database platform, or some other technology platform or services application, must be migrated to a new solution, the tech-certified individual without significant understanding of underlying principles is going to be next to useless. Even if he or she learns how to go through the motions with the new system very quickly, that just leaves plenty of room for grave errors to be made based on a transference of assumptions from one platform to another.

          CompTIA exams, in my experience and understanding, are principles-based. This means that people walking out of a CompTIA exam with a thorough understanding of the exam materials and a perfect score based on more than rote memorization will never be an instant expert with any implementation of current technologies (all else being equal), while an MCSE can get plugged into a given job like a grounded power cord into a wall socket and everything will click along in perfect working order from day one. Learning a specific application of technology is relatively quick and easy, though, with the principles behind it firmly in mind. Meanwhile, if you aren’t familiar with the deeper principles, but only with the specific technologies, and the technology changes under you (as it does not only when you migrate from one platform to another, but also when a given platform significantly changes in a major upgrade), you may never catch up without either spending some quality time learning principles or going to another technologies-based boot camp.

          I don’t know that it’s possible to emphasize this enough: I value understanding of general principles far more than of specific technologies. Period.

        • #3319209

          Have to agree with you there….

          by dafe2 ·

          In reply to What arrogance!

          Absolutely right, in fact I looked at the COMPTIA Security+ material (I won’t be writing the CERT) but it delivers what it’s designed to deliver – a broad awareness & general knowledge of security issues. You’re right, an admin needs to be aware, that’s all. He or she does not concentrate anything more than “superficial” efforts in this area. IT Security is a broad function with many specialized areas. IMO a Windows Admin with an MCSA, a “general” security cert such as COMPTIA and more important a security CLEARANCE is a nice mix.

          I mentioned that in my case I won’t be pursuing the CERT. My only reason is that in my case at least, my (personal) lack of interest in the material led me to skip chapters not related to Microsoft. 🙂

          Good luck on your Exam!

        • #3319271

          not pursuing

          by apotheon ·

          In reply to Have to agree with you there….

          “my (personal) lack of interest in the material led me to skip chapters not related to Microsoft.”

          Well, that explains a lot!

          Heh. Kidding. Mostly.

        • #3317875


          by dafe2 ·

          In reply to not pursuing

          Thought I was taking a chance there…..nice uhh catch.;-)

        • #3317842


          by house ·

          In reply to What arrogance!

          No need to call me names. You can’t argue that the Security+ exam is not for security professionals. When you write the exam, you will see what I mean. I have yet to write it myself, but I know people who have. The questions are fairly simple. For a general “proof of knowledge” when you are a well rounded professional, the exam does hold merit. Objectives aside, my argument was based around security specific roles in the IT workplace.

          I have no intention of writing any of the advanced security exams. Security+ is a joke if you are interested in pursuing an IS type career route. The exam is more of a logical/deductive IQ test. It is only valuable as a very general proof of intelligent and logical thinking.

          PS – I did post my comment to generate conversation. I also included the fact that I am going to write it myself just to pad my resume. The exam is not valuable for proof of knowledge in a serious security position.

          Also, the fact that you recognize the Network+ exam is truly a refreshing statement. Most people think that – if you’re an MCSE, you don’t need that garbage. This is ridiculous. I think that the Network+ exam should be more recognized, as it is a key introduction to data communications in the networking world. But then again, if the position involves intense Network mathematics, this exam is fairly general, and will not suffice. This is my analogy for the Security+ argument that I posted earlier. If the position involves router and switch configuration, planning, wiring, etc, you will need at least the CCNA -> CCNP, or related and equivalent experience in the field.

        • #3317815

          It was appropriate,

          by dafe2 ·

          In reply to Thanks

          “Also, the fact that you recognize the Network+ exam is truly a refreshing statement. Most people think that – if you’re an MCSE, you don’t need that garbage. This is ridiculous.”

          The COMPTIA Network+ and Security+ exams are both recognized as acceptable electives for those that chose to pursue the MCSA & MCSE Certs. Most MCSA or MCSE’s know & respect BOTH certs. I’m an MCSA and chose not to do the COMPTIA Security+ only because the READING did not hold my own (personal) interest. Ditto for the Network+.

          You may be quite capable of writing these to “pad” your CV as you flippantly pointed out. Others take them more seriously and study to LEARN the material. I’ll bet the “documents” you acquired in your “assessment” of the Security+ exam are the same documents that make the rest of us cringe at the thought of another paper cert among us? Not sure why you’d check those out if you thought the Security+ a joke.

          Those that pursue these CERTS know they are suited for ‘generalists’ – mostly because it says so on the first couple of pages of the study materials they took the time to READ.

        • #3317812


          by house ·

          In reply to It was appropriate,

          1) A lot of the IT industry doesn’t look for the Network+ certification. This is unfortunate, as I believe that it is essential.

          2) The combination of two Comptia certs count as one elective towards your MCSA, but not the MCSE. [b](my mistake, it seems that the Sec+ does count towards the MCSE now; this was not the case a few years ago, when two Comptia certs were required for one elective)[/b]

          3) I take the time to READ and LEARN the material in question. Personally, I think that the certs hold value in the pursuit of knowledge.

          4) I am not “flippantly” pointing anything out. You, and a few others, are mistaking my point of view. I am in no way attacking the material. THE MAIN POINT IS THAT THE SECURITY+ CERTIFICATION EXAM DOES NOT DEMAND VERY MUCH ON THE PART OF THOSE WRITING IT. This is the main issue here. I am not being arrogant, blunt, ignorant, rude, or anything of the sort. The fact that someone could simply sign up and write the cert without having to go through a certain degree of self education, deems the certification invalid in my point of view. The questions are too simple, and need to be re-developed in order to hamper the efforts of the “testking” and “paper cert” folks out there.

          5) I view practice exams in order to identify my weak areas, and not to study from. I read books, learn through real experience, pursue a variety of challenges in the work force, run labs, etc. Don’t believe for one second that you can judge me simply by reading a couple of short comments within a thread.

        • #3317811

          Yup…I understand the misunderstanding there:

          by dafe2 ·

          In reply to No!!!!!

          Security+ does count as an elective on the MCSE:

          Fair ball but this is a pretty big brush don’t you think:


        • #3317805

          Re: electives – my mistake

          by house ·

          In reply to No!!!!!

          heh – My mistake. It seems that the comptia elective does count towards the MCSE now. 🙂

          * When I was studying in the MCSE route, a combination of two Comptia certs were required to meet one MS elective for the MCSA only.

          Network+ and A+ = one elective
          Server+ and A+ = one elective

          Before, you could acquire the MCSA label with the Comptia electives, but not the MCSE. I’m sure that someone else remembers this too. Security+ was not even considered back then.

          PS – The “big brush” was required because nobody seemed to understand where I was coming from.

        • #3317804


          by dafe2 ·

          In reply to No!!!!!

          I understand where you’re coming from…
          just being a smart A** on that last post.

        • #3317803

          Thank you

          by house ·

          In reply to No!!!!!

          I hope you are serious though. It is difficult for me to explain my point of view without people jumping to conclusions.

          Security+ should not count towards the MCSE… I thought that they were trying to eliminate paper certs since 2k. It seems that MS is relaxing their requirements again.

          PS – I’ve edited my post, but did not remove my original comment/mistake about the elective requirements.

        • #3317650


          by secure_lockdown9 ·

          In reply to What arrogance!

          budsky has a point. the caliber of question on the Sec+ are very basic. but then again, it’s an introductory/basic level cert.

          that said, it’s not that easy to pass. has nothing to do with your know-how with regards to comp. security. it has to do with your ability to correctly answer multiple choice questions that are worded vaguely or badly in some cases. also, has to do with your ability to correctly answer CompTIA questions with the CompTIA correct answer.

          my point: even if you kick ass in comp. sec – you should still study for this exam if you plan to pass it. the pass score is not ala A+, 499, but something much higher, i can’t remember now.

          one last point. i do actually remember seeing a couple of job ads that ask for the security+ designation – so it’s not all in vain if you pass it.

          happy holidays,

        • #3317561


          by house ·

          In reply to well..

          It appears that the Sec+ exam is more of an IQ, aptitude, and reading comprehension test. I should actually go out and write it myself so that I am not blowing hot air with seemingly baseless arguments.

          Perhaps I will pick up a Sybex book for the Security+ cert, rather than writing it blind. This kind of stuff interests me anyways. I still think that it will be an easy test though.

        • #3317552

          Good for you..

          by dafe2 ·

          In reply to Yeah

          That’s a good move if it does interest you…I understand the tests have changed somewhat the past two years.

          They provide YOU with satisfaction, just like any other Cert. (No matter what it is) A Cert never got anybody a job or a promotion. Christ, I don’t know where people get that stuff.

          You’re hiring a package. A car dealership may get me into their lot based on the “brand” they carry, however, there are all kinds of “models” on that lot. The entry level to the high end.

          “I still think that it will be an easy test though”

          Stubborn upper Canadian……..:-)

          Incidentally, I’ve read some of your (other) stuff. (I) never thought you were blowing hot air. You just ‘sounded’ like a paper cert in the way you communicated (these) thoughts. I think you clarified your thoughts/position. Anyway, you’re a Canadian and it’s too damn cold to blow much hot air anyway. -20C today here in NB.

        • #3317390

          Security+ IS IMPORTANT!!!

          by robotech ·

          In reply to What arrogance!

          I can’t study for an exam and pass without understanding the material. If I don’t understand it, even a multiple-choice question is going to look like Greek. I try to explain some of the most basic stuff to users (like doctors, lawyers, mechanical engineers, managers) and they just don’t get it.
          How can someone not know their username because they have never had to put it in? “Duh, I just put my password in and clicked ‘OK’”

          If you study for Security+ or Network+ you WILL learn something. The fact that a few posters have said that Security+ is easy doesn’t dishearten me, it tells me that I’m in good company because these people have been around long enough and have sufficient experience to consider many Security+ topics as “easy”.

          Imagine you work for a clinic that has a network of 2 servers and 20 users. The clinic is taken over by another chain of clinics, so now you are in charge of 5 clinics. To get in line with HIPAA mandates, your new boss asks you to audit all 5 locations, as well as tie them in to the main clinic in a secure way. Where do you start? How does Security+ help? With your knowledge of Security+ and the culture of the clinics, you at least know what PRINCIPLES to apply when looking for a solution.

          And if you decide to offer a bid on the project, Security+ allows you to listen to the consultants and UNDERSTAND what they are saying without seeking much clarification. The worst thing you can do is ask a sales rep/engineer to explain a technology. Because then they can sell you a 5lb claw hammer, when what you really needed was a 150lb gas powered jackhammer.

          As a result of me studying for Security+, I just recently acquired a decent VPN solution for a remote office that is coming online with the main office. Had I asked my sales rep, they probably would have sold me something that has been stuck in their warehouse for a while, that probably wouldn’t have addressed my real needs. And if you choose a certain vendor and they end up filing for Chapter 11, Security+ allows you to choose products from a compatible vendor. How many times has a vendor told us, “Well, you can’t do that, our products will only work among themselves”? Those of us who had vendor specific training only probably accepted it. But those of us who understood the underlying PRINCIPLES got cheaper products from another vendor and made it work. Or we made products with different software releases behave themselves when talking to each other, because we understood what part of the software is used for communicating in our specific environment. In doing so we saved our CFOs thousands of dollars.

        • #3317387

          You’re right and

          by dafe2 ·

          In reply to Security+ IS IMPORTANT!!!

          Those that delude themselves into thinking it’s an easy pass because they have an understanding of Networking (alone) will find themselves surprised when they sit down to test.

          Many things have changed in the past couple of years with these and other exams. Bout time too.

          Other things such as regulatory requirements such as HIPAA, Sarbanes Oxley & PIPEDA are things that require attention as well.

          Sure, someone could (probably) walk in and write the exam & pass. What value is there in that?

        • #3317347

          For Robotech – On Net, Sec, and arrogance

          by house ·

          In reply to You’re right and

          I certainly hope you folks are not talking about me by responding to “What arrogance”. There was a bit of a misunderstanding here last week. My blunt attack on the Security+ exam was misinterpreted due to my poor choice of words and lack of patience in writing a complete post.

          1) There is no value in walking in to write the Sec+. I am concerned though, that others are able to do this through the redundancy of their previous educational pursuits. The certification itself may be flagged as a paper cert warning because of it. I would definitely think twice about a potential associate who only has the Sec+ label. It is not very valuable in a serious IS position as it is too easily obtained through the mastery of multiple choice questions. That is the reason why I was playing the certification as a dud.

          2) Network+ is highly valuable to me, and apparently to everyone else here, but it does not appear to be the case when those responsible for IT department management, are not IT themselves. I have seen this far too often. It’s nice to know that everyone here respects the Comptia exams as well.

        • #3317320

          House – For Clarity re ‘folks’

          by dafe2 ·

          In reply to For Robotech – On Net, Sec, and arrogance

          To clarify my position with you:

          I knew what you meant in your original post and as I think you know, between the two of us, clarified your position regarding your original post.

          Far as I’m concerned your words were used in haste & you did not intend to ‘cheapen’ the cert.

          The words I use here are for peckerheads in general.


        • #3298421

          Haste is right….

          by robotech ·

          In reply to For Robotech – On Net, Sec, and arrogance

          …and I still wouldn’t put down the Security+ exam. What you said about certs applies to ALL certs, not just Security+. If I were in charge of a medical, financial or any other network that requires a good understanding of MODERN security concepts, and I were looking for a network technician/assistant network admin, that person would need to have AT LEAST Security+.
          But it doesn’t stop there, the interview also plays an important role. It would be silly to hire someone based solely on certs, just as it is silly to hire a fresh college/university graduate for a critical IT position. A person with experience and certs is far more valuable to me than a university graduate, because I can start getting a return on the company’s investment right away. Some people are career graduates; they love college life, and they love to acquire titles but that doesn’t necessarily translate into a GOOD/EFFECTIVE network tech/admin.
          I know of a company with a University grad/Network Admin, who is Novell Certified etc. He doesn’t even know which way is up. The guys in the GIS department have stuff running on the network that he doesn’t even know about. He got his degree almost ten years ago but no recent certs (stuck in a time warp). New viruses and worms tend to wreak havoc on badly configured networks, because too many NetAdmins don’t know basic Security+ material.
          As I said before, if you don’t know the underlying PRINCIPLES, you can’t pass Security+ or any other multiple choice test, and if luck is on your side and you manage to pass, your shortcomings will show up in an interview, or worse yet, when you get fired!

        • #3298408


          by house ·

          In reply to For Robotech – On Net, Sec, and arrogance

          That is the problem. The fact that an organization might choose a particular candidate over another, based on the fact that they’ve acquired a few more titles, is a big problem. The fact that the Security+ exam is more of an entry level exam deems the cert “unimpressive” as far as educational value goes in the field of IS. In a Technical Support/Information Technologist position however, there is no harm done in pursuing the certification.

        • #3298295

          Robotech, re: required certs

          by apotheon ·

          In reply to For Robotech – On Net, Sec, and arrogance

          Requiring a specific cert pulled out of a hat is just pure stupidity. Saying that, when hiring someone for a secure networking environment, you’d absolutely require a security cert just ranks you with the pointy-haired bosses as far as I’m concerned.

          Yes, certs can act as shorthand for a measure of skills. No, certs are not the only measure, nor are they even a necessary measure. They are worth something, but only when better methods of measuring the same skills are lacking. If I was an IT manager hiring someone new to augment the general IT staff, I’d be looking for people that learn quickly, think clearly, and have integrity, above and beyond any certifications. If it’s a choice between a smart, curious computer enthusiast that doesn’t have a chip on his shoulder and some alphabet-soup certification master in a suit, I’d be inclined to hire the enthusiast. Anyone you hire will require training to some degree: make the most of it.

        • #3304882


          by house ·

          In reply to For Robotech – On Net, Sec, and arrogance

          My requirements for a potential candidate…

          1) enthusiasm – proven through background, education, interests, work history, and yes, even certification

          2) attitude – professionalism, social skills exhibited through a history of customer service and general impressions from the interview, no more “dark cellar” IT folks

          3) hold on… I’ll finish the list when these tech calls stop coming in. LOL…

          4) Actually, that’s pretty much everything. A strong sense of management and a keen understanding of the business process will go much further than any cert monger.

        • #3299185

          I think you guys are missing the point.

          by robotech ·

          In reply to For Robotech – On Net, Sec, and arrogance

          COMPTIA never claimed that the Security+ was THE exam to get to demonstrate oneself as a Security expert. COMPTIA makes vendor neutral exams, that are used as a foundation for anyone entering a specific field. Yes, you will have to do some sort of training, always; it’s inevitable.
          Nevertheless, the person that has Security+ has a foundation upon which I can build without sending him or her off for any extensive training. Anyone who has enough drive to study and pass Security+ (whether it’s easy or not) is sending a clear message to any prospective employer i.e. – I CARE ENOUGH ABOUT SECURITY TO GET CERTIFIED AND YOU DON’T HAVE TO TRAIN ME IN BASIC SECURITY CONCEPTS.

          It’s a message that I’ll have to confirm in the interview, given that certs or a degree will not be my only requirements for the position.

          Security Plus is what COMPTIA says it is: “The CompTIA Security+ certification tests for security knowledge mastery of an individual with two years on-the-job networking experience, with emphasis on security… CompTIA Security+ is an elective or prerequisite to advanced security certifications.”

          Did you note that COMPTIA mentions ADVANCED SECURITY CERTIFICATIONS? Obviously they are not making it out to be an advanced cert, just the FOUNDATION to get there. If I were hiring a security tech to assist me on a site, I would use Security+ to narrow down the field, then an interview to test the aptitude of all the aspirants who possess Security+.
          Once I choose that person, I can spend a shorter time training them on any vendor specific hardware/software, because I know they have the PRINCIPLES clearly understood and can fit into my staff and start functioning right away.

          So, when all is said and done, Security+ is a good entry-level security cert that any well rounded NetAdmin or Consultant should have.

        • #3313658

          I got the point.

          by apotheon ·

          In reply to For Robotech – On Net, Sec, and arrogance

          My point is that certifications are something I’d probably only really pay much attention to in hiring if the important qualifications between two candidates were exactly the same. Keep in mind that enthusiasm for learning more about IT and a personality that meshes well with my own in a work environment (which might include simply being “seen and not heard”, depending on circumstances) are “important qualifications”. Certs just miss being “important” to me. The same goes for a degree. I’m more interested in skills and knowledge than I am in rubber-stamped approval of skills and knowledge.

    • #3292499

      Mullins’s is arrogant!

      by olditprofessional ·

      In reply to How valuable are security certifications?

      “Sporting a certification without the knowledge and experience that it stands for makes you a “paper cert,” and that just lowers the standard for the rest of us.”

      Well boo hoo, Mike! I think it pretty arrogant of you to say that people who pursue certifications without experience lower the standards for the rest of us. Who do you think you are? Because you have experience in an area (any area), you are the only one entitled to obtain a certification?

      I for one have NO practical experience in IT Security, but I am making my career change through certifications. I am currently enrolled in graduate school, with my major being IT Security. I am also concurrently studying for my CISSP.

      So Mike, I guess according to your article, I am going to lower the standards. Oh well, I’ll bet I’ll get hired and excel at IT Security...like I have for my entire IT career...even in the face of those who want me to fail!

      • #3292485

        We have witnessed Paper Certs Before

        by praetorpal ·

        In reply to Mullins’s is arrogant!

        We have seen a proliferation of paper certs in the past, mainly MSCEs; I’ve heard it expressed that if you throw a stone out the window, you’ll likely hit one in the head. If they are true IT professionals, why all the trouble migrating to Linux, which will be necessary for any business to stay competitive in future?

        A further thought: what if a company (like mine) came up with a new technology that enabled security to be run in-house by a competent IT person, without the need for a security person at all? What happens to security Certs then?

        • #3292476

          Security professionals

          by olditprofessional ·

          In reply to We have witnessed Paper Certs Before

          I don’t think that the security professional will ever go away. There is much more to security than being someone who configures a firewall or monitors log files. Certain policies and procedures must be created for the business lines to adhere to. This is important, especially in fields such as the military, financial, and health care. In these areas of endeavor, oftentimes there is legislation which overshadows the need to be secure. Someone has to have this job of creating, maintaining, enforcing, and understanding these policies.

          So, if some uber-new technology comes in and makes life easier...all the better! However, having the certification to understand the principles of security is and will be important for years to come.

          When I got my MSCE back in 1995, I wasn’t even in the IT field. Getting that MSCE got my foot in the door and I learned everything I needed to without having any problems. Now, 10 years later, I am attempting to change again by getting my CISSP. Will I be a “paper” CISSP – you betcha! Will I get a job? You betcha! Will I excel and succeed in this new role? Without question. Why? Namely because of my previous experience in IT. I have implemented security on a number of different systems and networks. The principles I’ve learned through this experience transfer over into the “official” security realm...although I’ve never had a “security” position. So just because I’m not a “security manager” doesn’t mean I cannot study and take a test to obtain a cert. It also doesn’t mean I won’t be successful in the career either.

          I think someone who is so arrogant as to say that someone else will not be successful in a new role is likely insecure in their own abilities – either that or they are just a jerk.

          People should be allowed to pursue whatever career they want. Just remember, today someone has an appointment with the world’s worst doctor! My point being there is a range of qualification in any field of human endeavor.

        • #3292453

          Re: Security Professionals

          by mike mullins ·

          In reply to Security professionals

          Reread the column. I never said anything about success.

          What I did say was: “Earning a security certification can enhance your prospects for finding a job in the security field and help you obtain the raises you deserve.”

          Obviously you agree with that, since you’re changing your career with the help of a certification.

          Once again, it appears that you have the experience and now you’re going to get the certification that says you have that experience.

          It’s not arrogance, it’s just a fact.
          If I take a test to be an ACE mechanic and don’t know the difference between a cam shaft and a drive shaft, would you want me working on your car? How about a test to be an airline pilot?

          Mike Mullins

        • #3293815

          Certs are needed

          by praetorpal ·

          In reply to Security professionals

          In the near future, we will need both certified and experienced IT security personnel to verify that our product does what it says it does. It gives the equivalent of SELinux and beyond, to a non-linux user, and can be used in some fashion with any platform. An experienced system admin would feel very comfortable with the product with about 2 days training.

          It has been running over a year at a major commercial enterprise with significant intellectual property to protect, by the sys admin, not a security person, and has passed with flying colors.

          The enterprise would still require a CSO of some sort, because by definition, this product monitors the actions of everyone, even the super user of the system. It’s just that it allows some of the security work to be done in-house by IT staff very easily, and does not require a security person, necessarily, to set it up, as it has a framework for security built-in.

          If you, or anyone, would like information about this “uber-new” technology, just let me know at Always interested in feedback. We are bringing it formally to market in a matter of weeks.

        • #3292366

          Your Linux Statement Makes me Chuckle

          by tomsal ·

          In reply to We have witnessed Paper Certs Before

          Why do so many people insist or at least imply that if you are running a Windows shop at your work you are idiots unless you are running Linux, OR that you merely should just migrate over to Linux? When will people, especially the Linux DIEHARDS in this case, grow a brain and have their feet firmly grounded to reality before they just spew forth the diatribe of “Go to Linux Now!” or “Microsoft Admins Know Nothing”, etc.?

          Do you know how difficult it would be for my company to simply switch operations from Microsoft to Linux, do you realize the costs involved, the down time, the compatibility issues with our unique proprietary database software that is the trademark of this company?

          It’s not as simple as “duh! Just migrate over to Linux silly!” There is WAAAAAAAAAY more to it than that.

        • #3300672

          Reply To: How valuable are security certifications?

          by jaqui ·

          In reply to Your Linux Statement Makes me Chuckle

          okay which proprietary database?
          can it export sql inserts?
          could you have every single document backed up on cdrom and the exported database by 6 pm friday night?
          then monday morning entire network is running linux, with the workstations in gui only mode as that would be more familiar.

          1 person, can rebuild entire network in one weekend, including copying all data back onto the system.
          10,000 stations? maybe 4 people.
          only time office is closed anyway.
          learning curve?
          1 hour to show where to find equivalent tools.
          1 week to troubleshoot those having difficulty.
          1 month on call for insurance.
          data loss/incompatibility?
          oh well who needs the security risks anyway?

          oh, you want to keep using the same database software?
          did you write the code?
          change makefile targets to unix standards.
          change includes to unix standards, recompile.
          it’s only hard when you do not want to consider the option.

          I do not own any copy of windows, or windows based software.
          and I don’t miss it.
          as a matter of fact I enjoy reading security bulletins with huge numbers of security risks for windows, and windows based apps.
          very few for unix like systems in comparison.

        • #3317653

          Do you know our business model?

          by tomsal ·

          In reply to Reply To: How valuable are security certifications?

          Your statements I’m sure were given with the best of intentions, but they strike me as a bit absurd.

          Why? Well because while programming may have standards, while databases may have standards...companies (especially small businesses) are often very unique and they don’t have standards.

          How can you (or me or ANYONE on Earth) make blanket assumptions on how long it will take for someone’s business to switch over to Linux from Windows with not a shred of prior knowledge on the user base, the company’s business model, the current infrastructure, support level of the IT staff, the available time frames for current project completions (some of which are potentially ENORMOUS money makers for us), etc.?

          I used to think like you do — which is to say just pure technology and ignoring the business and operations impact as well. I’ve slowly learned that technology must work within and around business and operations and not the other way around.

          That all said, my frustrations stem from folks insulting folks who work with Windows and businesses run by Windows, NOT from a hatred of Linux.

          I enjoy technology — Unix, Windows, Linux alike…

          But it would be no easy or quick thing for us to switch over to Linux.

        • #3317958

          Reply To: How valuable are security certifications?

          by jaqui ·

          In reply to Do you know our business model?

          “Obstacles are those horrible things you see when you take your eyes of the goal”
          Henry Ford

          I prefer to think of them as the stages needed for achieving the goal.

          obviously I don’t have access to all the information needed to accurately assess the end users for your company.
          but with good instructors most people can be brought up to speed on new software fairly quickly.
          unfortunately, not every company supplying software supplies good instructors, and linux falls into that category.

          pick those that would take the longest to learn and start teaching them with a small network set up for the purpose of teaching people.
          once everyone is trained you can switch over.
          use the training network to get everything in place configuration wise for the entire company, then copy the config data over to the rest of the network after changing.
          that way the real hit on the company is done long before the software change, and it is kept from having detrimental effects on the bottom line.

        • #3318131

          You said it yourself –

          by dafe2 ·

          In reply to Your Linux Statement Makes me Chuckle

          Keyword DUUUH.

        • #3318150

          couple of things

          by secure_lockdown9 ·

          In reply to We have witnessed Paper Certs Before

          #1 – the linux vs windows rant/argument/debate is lame/passe and pretty unproductive. they are both different and require different skill sets. unix and its variants have been around from the computer dawn of time. i work on windows, linux, and the BSD flavors – i work with them because in IT the “one shoe fits all” mentality doesn’t work that well.

          #2 – working on linux requires a different skill set and experience than working on a windows nt/2000 environment. this is similar to a mechanic working on ford/chrysler cars and another mechanic working on john deere tractors and another one working on a plane. guess what – the last guy i want working on my plane is the guy that fixes my jeep.

          #3 – re: certs & the paper cert. when i see a cert next to a guys name, i don’t see skills or abilities – i do see initiative and desire. good qualities to have.

          as far as “did you cheat to get your cert”? as far as i am concerned, it’s your business. but if you have a job to do – you better be able to do it. because trust me, i, and no one else, will do your job for you if we aren’t getting paid to do it. if i notice that you are incompetent and you keep causing needless problems – i just might try to get you fired. welcome to the jungle, paper cert.

        • #3318144

          Well said but:

          by dafe2 ·

          In reply to couple of things


          Should have added FireFox vs IE. Damn near fall asleep with that one now too.


          Should have added the guy that makes a decent living on MS product every day of life and spends all their energy trashing the product(s) instead of spending the energy learning best practices supporting the infrastructure. To clarify – I’m referring to the paper cert that hasn’t got a clue what he’s doing here. Most of us have forgotten more than these yahoos will ever learn.
          Trash MS all you want to for the betterment of the product provided you can back up your claim with more than just eeeyeew MS sucks.


          When I see certs next to a guys name, alarm bells go off……….Show me the skill set!
          Still think that’s tacky, oh well, to each his own I guess. Whatever floats your boat.

        • #3317950

          Reply To: How valuable are security certifications?

          by jaqui ·

          In reply to Well said but:

          “Should have added the guy that makes a decent living on MS product every day of life and spends all their energy trashing the product(s) instead of spending the energy learning best practices supporting the infrastructure. To clarify – I’m referring to the paper cert that hasn’t got a clue what he’s doing here.”

          did you have to remind me?
          motherboard damaged, cpu damaged, case destroyed, heatsink ruined...

          by an MCSE shipping a system HE put together.
          parcel post, not registered, not insured, and international post.

          if my brother in law hadn’t been 2000 miles away I would have killed him for not thinking when shipping his sister’s computer.

        • #3318840

          2000 Miles?

          by dafe2 ·

          In reply to Reply To: How valuable are security certifications?

          Yikes! please tell me he’s not in New Brunswick.

          Hey…..sent it back to him……….for his Birthday!

        • #3318712

          Reply To: How valuable are security certifications?

          by jaqui ·

          In reply to 2000 Miles?

          naw, he’s in denver colorado.

          I fixed it.
          4 hours repairing the cpu itself. ( every single pin was bent out of shape, straightened them without breaking any. )
          1 hour restoring the case
          1/2 hour installing new motherboard.

        • #3318704

          Jaqui – Re fixed

          by dafe2 ·

          In reply to 2000 Miles?

          Glad he’s in the US. 🙂

          Ok then............Send him the Collectors Edition of Bob Denver’s Greatest Hits (or) Celine Dion’s box set with instructions to listen for 8 hours.

          He’ll spring for the Insurance next time I bet.:-)

      • #3292464

        Just a fact

        by mike mullins ·

        In reply to Mullins’s is arrogant!

        Actually, since you’re gaining the knowledge and the experience through school:

        “I am currently enrolled in graduate school, with my major being IT Security. I am also concurrently studying for my CISSP.”

        It appears you won’t be a paper cert after all. I hope you do well on your CISSP exam!

        Mike Mullins

      • #3317798

        Paper Certs

        by house ·

        In reply to Mullins’s is arrogant!

        I think that you are a bit confused regarding our “paper cert” terminology. While it is true that most graduates have a difficult time combining their book smarts with real world situations, the real definition of a paper cert is one that is acquired through mock questions and real exam question documents. While these documents do hold value, they are generally more useful in identifying your weak areas. To fight off the “paper certs”, organizations have been gearing their questions towards case studies that require some form of analytical thinking. It appears that you are not a “paper cert” type guy at all.

        MCSE in 1995? Wow. I didn’t even know that it was available so early on.

    • #3292492

      Timely fuel to the fire!!

      by praetorpal ·

      In reply to How valuable are security certifications?

      Just spotted this link at Help-Net Security:

      Security training needs complete overhaul

    • #3292479

      Don’t forget Certified Ethical Hacker

      by gsohl ·

      In reply to How valuable are security certifications?

      Another to consider is Certified Ethical Hacker (see One of our local training organizations also calls this Certified Penetration Tester.

    • #3292363

      The nice thing about certs: They are as valuable as YOU want them to be!

      by tomsal ·

      In reply to How valuable are security certifications?

      Certs, as with any form of education, are as valuable to you as you want them to be. If you use the goal of attaining a cert to study real hard, test, and use hands on labs to comprehend the knowledge then the cert is EXTREMELY valuable. Depending on how hard you work, I know for a fact some of the IT folks who mock certs will be impressed by what you know on the job and you might even have some of them jealous of your newly learned skills, which as it would turn out is one of the reasons I think some folks mock certs: because they don’t like the fact someone has the self-discipline, aptitude and intellect to better their own self and they can’t. I truly believe that’s why some folks down certs at all opportunities.

      On the other hand, if you just care about the paper, and you just want to do only what’s needed to pass the test (even if it means “cheating” with brain dumps), then the cert isn’t valuable, and your knowledge retention is going to be a lot less than if you actually worked hard for the information.

      • #3305005

        You’ve hit the nail on the head – stop looking for the easy way...

        by hybrit ·

        In reply to The nice thing about certs: They are as valuable as YOU want them to be!

        You’re absolutely right on that one! While I do agree that the whole IT certification industry is a bit of a money grab, the real problem is with those who try to take the quick and easy way out.

        That is, get the books + whatever cheats available, invest a few weekends, and write the test. This is not learning, this is temporary memorization and regurgitation!

        I usually approach IT certification preparation like a university/college course. There are normally 40 hours of instruction (i.e. time to read the certification guide) along with double that in actual work/assignment & test prep time. So I’m willing to bet that if most “IT professionals” invested even just 120 hours in each certification, they’d actually be learning something rather than learning how to recite facts...

        This is why it is also important to pick and choose your certs because having 20 of them on your resume says only 1 thing: I took the short-cuts…

        • #3319239

          I second that comment….

          by robotech ·

          In reply to You’ve hit the nail on the head – stop looking for the easy way...

          My first cert was my MCP. I had the knowledge of setting up networks, connecting desktops to domains etc. I had the experience, and I got the cert to BACKUP my experience. My next Cert was Network+, because it served to BACKUP all the network projects I had done.
          My next cert will be Security+ (in three weeks). I’ve worked with much of the stuff in the Security+ Exam Objectives, and I’m sure that while studying I’ll come across new stuff. I’ll visit various websites and read whitepapers, and I’ll set up labs in my home or at the office, in order to UNDERSTAND what I’m doing and be able to apply it to a project immediately.
          My next cert after that will be MacOS X help desk essentials. I’ll learn enough to get in the door of a Mac shop, and once I’m in and I gain enough experience, I’ll take the Mac OS X server exam to show that my experience is worth something.

      • #3319210

        Kudos – Well said

        by dafe2 ·

        In reply to The nice thing about certs: They are as valuable as YOU want them to be!

        Although the paper cert carrier is less likely today, due to the changes MS & others have made to their exams & testing practices, the fact is that much damage has been done to the credibility of the cert.

        On the other hand, it has brought attention to the fact that just by virtue of carrying “the badge” it doesn’t necessarily mean you’re qualified to “use” it correctly.

        Again, very well said.

    • #3304901

      When the Corporation is the New God…

      by scoid ·

      In reply to How valuable are security certifications?

      Certification becomes the theological study. Certification is an INDUSTRY UNTO ITSELF. Certs are self-promoting, and self-justifying, with the conferring bodies doing everything they can to CREATE THE DEMAND for their certs by telling dough-headed employers everywhere that employees aren’t “qualified” if they don’t have their certifications! Need for certification empowers employers, not employees, because it REDUCES THE LIQUIDITY OF ANY COUNTRY’S HUMAN CAPITAL. It makes it harder to change jobs and careers. Certification IS religion. That said, I am a CISA and I am a chapter director of the conferring body, ISACA. The above sounds cynical, but it’s also the truth. Food for thought: once I received my CISA, my sponsoring employer (no, I didn’t have to change jobs) gave me a 15% pay increase. Woo hoo!
