Cyber Certifications Are A Scam!

Tareq Alkhatib
6 min read, Jul 11, 2022


Summary: Vendor certifications serve the vendor more than they do the student. Skill-based certifications with written exams cannot guarantee practical competence, and those with practical exams can be prohibitively hard to pass for anyone without much spare time. And yet we list certifications in job postings and put them after our names on business cards, even when these certifications are prohibitively expensive and expire for no apparent reason.


I have a confession to make. I never really understood the whole certification thing. Like most people in this industry, I have enough horror stories about certifications, but I don't want this to devolve into a rant, so let me try to break it down to its basic principles.

Types of Certifications

First, let's differentiate between training and certification. The quality of training obviously varies, but I'm all for training for the sake of learning. What I take issue with is the certification stamp of approval, to which we seem to have attached far too much unearned value.

There are really two kinds of certifications: Product Certifications and Skill Certifications. Let's start with Product Certifications.

Product Certifications are taught by the vendor. They prove to your employer that you are qualified to use a particular product. I understand requiring these from fresh graduates or similar. For example, if a new hire has never used a firewall before, I can understand requiring some basic familiarity with firewall concepts. That said, once you've worked with firewalls a bit and know your way around one product, picking up another product should be a lot easier. Sure, there are always concepts unique to one vendor and not others, but these are easy enough to pick up through hands-on use of the product or by reading its documentation. Which is why I am baffled by headhunters who insist on "certification from vendor X" instead of "experience with technology Y". Vendor lock-in doesn't need to happen if you don't insist on it as a feature of your hires.

Long gone are the days when you had to type commands that were half Unix and half dark incantation to configure your device. Most devices are easy to pick up even for those who have never used them before, simply by virtue of their web user interfaces. If I'm allowed a bit of cynicism, Product Certifications are little more than a method for vendors to get professionals used to their products. This not only makes the product easier to sell, it also means these users are less likely to open support tickets, which are costly to the vendor. That is, a Product Certification is little more than marketing material you need to learn so you can work for free as the vendor's support resource, and you pay for the honour of doing so!

Skill-based Certifications might be less of a scam, since they aim to teach you the skills you need to survive in your cyber career without locking you into a specific vendor. Most of the more popular certifications fall into this category: CEH, Security+, CISSP, everything in the SANS catalogue, etc. Let's further divide these into certifications with written exams (including multiple-choice ones) and certifications with practical exams.

Certifications with written exams are more common because they are easier to administer. My disillusionment with these happened way back when I was starting a job as a junior reverse engineer. I had zero reversing skills going into the job and I needed a way to prove myself quickly. So I paid for the SANS course out of my own pocket, went through the material, and passed my GREM exam with flying colours. And yet, when I went to work, I still couldn't reverse any of the real samples I was given until I went through the same training process that every other junior reverse engineer went through. That is, my GREM certification, the GIAC certification attached to that SANS course and supposedly proof that I know how to reverse engineer, did not help me much beyond the basics when I was faced with real samples. In a sense, certifications with written exams, at least the better ones, should be treated as equivalent to a university course: they contain mostly theoretical knowledge and some light practical anecdotes, but they should not be mistaken for experience. Following this analogy, we should consider those who have passed these exams as "fresh graduates" who still need someone to guide them through their first days on the job.

DISCLAIMER: I took my GREM exam more than a decade ago. I have no idea what the state of the exam is in its current form.

Finally, Practical Exams are probably the purest form of certification we have in our industry. The practical nature of the exam means it is very hard to cram your way through it. This is why you can find so many study guides for exams like the OSCP, where people share how many CTF challenges they had to complete or how many things they had to learn before they were able to pass. Two things make this type of certification problematic. First, the very nature of a practical test does not lend itself to all cyber functions, which is why you see these exams mostly for offensive, Red Team-type skills. Second, and more troublingly, people trying to break into a field are essentially asked to build their experience on their own time instead of through the practical experience of a job. This makes these certifications easier to pass for people with fewer commitments on their time than for people with family, social, or other obligations.

I hope the picture is clear by now. Most of the trouble with certifications happens when we conflate having a certification with having experience. Having one or more certifications may be an easy way for HR to filter out some applicants, but that does not mean it is an effective way. As shown above, most certifications imply theoretical familiarity with a topic, not practical experience. And yet, because the hiring process favours certified professionals, a lot of us spend time, effort, and money stockpiling certifications, even when they do not result in any practical improvement in our day-to-day work.

Questions

So this is the lay of the land when it comes to certifications. Let me then ask the following questions:

If most certifications only measure a beginner's level of understanding of a subject, why do we list certifications in job requirements, especially for senior positions?

On a similar note, why do we list our certifications after our names on business cards or at conferences? A physician can put an M.D. after their name because they have studied for at least a decade to earn it. We, on the other hand, should not get to append the name of every certification we spent three months studying for.

Why do certifications expire? I know the official line is that "technology moves so fast that things learned three years ago are no longer relevant today", but this assumes that your only contact with the product, technology, or process is through the certification itself. If you learned something and never used it for three years, you probably never really needed it in the first place. Similarly, if you learned something, used it for three years, and still managed not to learn anything beyond what the certification taught you, you probably don't need any of the updated bells and whistles anyway.

Why are certifications so expensive? I get that developing the content is not cheap, but vendors don't need to treat their courses as a luxury brand (*cough* *cough* SANS *cough*). A lot more of us would be interested in more training if it were offered at reasonable prices, which should make the whole thing more profitable for vendors, not less.

And if I'm allowed one romantic question: whatever happened to charting your own path? Whatever happened to reading books or documentation without the promise of a "certified" stamp on your behind? Whatever happened to learning something because your job needs it or because you are interested in the topic, not because you need some authority to verify that you know the thing?

A Post-Certification World

It is easy to say that the hiring process needs to change, but it is not as easy to actually change it. Certifications are shorthand for the skills needed for a job, they make for easy applicant filters, and they offer something resembling a career trajectory for those willing to invest the time in them. There is a reason the certification industry is as large as it is today. And yet I still hope we can agree that the Emperor has no clothes before we start arguing about what to dress him in.

So in conclusion, CISSP sucks!

Thank you,

Tareq M. AlKhatib, Certified Hater of Certifications®

P.S. If you’re interested in Threat Hunting or Detection Engineering, you may be interested in checking out our newsletter at the link here: https://threathuntersdigest.substack.com


Tareq Alkhatib

Cyber Nerd | Father | Chocoholic | All opinions are my own and not my employer's | https://threathuntersdigest.substack.com