CrankySec

Certified Trash

Some years ago, I volunteered at ISACA's Young Professionals Committee. They flew me to Chicago, wined and dined a bunch of other volunteers, and, in exchange, asked us to come up with ways to drive engagement amongst the target demographics. You know, keep conversations going on members' forums, promote the organization, etc. There was a massive tactical error in this plan, though: if you're not getting some letters to add to your LinkedIn profile, no one gives a shit about ISACA.

No one was going to those forums to, let's say, talk about cybersecurity, share some knowledge, exchange experiences... Things people usually do when they join a professional association that explicitly states that they exist "To advance the pursuit of digital trust and the positive potential of technology." The vast majority of people were there to talk about some variation of "How do I pass this shit?" or "Can I get CPEs for XYZ?" That was about it. So, my overarching thesis here is that ISACA, ISC2, SANS, et al are a thing because they are cheat codes you can use to have a career in cybersecurity. One can sit down for a couple of weeks, memorize a bunch of incredibly stupid questions, take the exam, pass, add letters to their profile, and start applying for jobs.

This has been debated to exhaustion, but it bears repeating: you can surely find good professionals who are CISSPs. You can surely find steaming-pile-of-shit folks with CISSPs. And, of course, you can find both versions without those certs. The problem, I think, starts when you use those certifications as indisputable validations of one's competence. Reader, they are not.

Full disclosure here: I've been a member of a bunch of those organizations, and I've held a number of certifications in the past. I don't do that anymore.

I've heard so many cases of s-tier professionals being turned down because they lack certification ABC. Shit, you can't even become a PCI-DSS QSA without having a couple of those. Why? Because everyone involved is fucking lazy. The PCI SSC established the certification requirements not because they want to weed out people who shouldn't be anywhere near an assessment. They did it because they knew it was almost impossible for any schmuck to fail their ridiculous training/test combo, so they just outsourced the barrier to entry to ISACA, ISC, SANS, and the rest of the gang.

Lazy recruiters and hIrInG mAnAgErS do the exact same thing: they cannot be bothered to do a little bit of homework to determine what good looks like, so they punt the ball to those organizations. Then, when it becomes clear that being a CISM doesn't automatically mean you know what you're doing, they can go online and complain about some "talent gap" or whatever the fuck. Bud, the only thing you can infer here is that the person holding those certificates can sit down for a couple of hours and click on some multiple choice questions. If that's your bar, you deserve what you get.

A much better way to suss out who knows their shit and who doesn't is to ask how they approach the problem, how they learn new things, what their favorite books on the subject are, give them some simple real-world scenarios to analyze, and so on. Thinking "Oh, they're CRISC! They surely know everything about risk management." is a very dangerous gamble because this is the kind of question they're being asked.

[Image: a sample CRISC exam question]

Do you know what a pentest is? Right this way, sir! You're cyber risk director material for sure! Outsourcing your due diligence to some opaque institution is a very bad idea, the same way that trusting EYKPMLOITTEWC's opinion over your own people is fucked up. But, then again, if you don't outsource your due diligence to someone else, you'll have no one to blame but yourself when things don't work out, and we can't have that. As the good friend of the blog Ludic once said, "Big enterprise is buying plausible lies that get executives promoted." It's all about the meta game.

I'm not here to tell you what to do, or even to suggest that your efforts to get a certification were worthless. What I am saying is that the industry in general mostly uses these things as crutches, and the entities that run these programs lean into that hard. Next time you get your job application rejected because you lack some certification, thank the Goddess for helping you dodge a shit bullet.


P.S.: We're running a fundraiser to help readers who have been hit with layoffs, RIFs, and other kinds of corporate fuckery. The drive ends on February 29, 2024. I appreciate your help, and everyone who buys a shirt will be awarded the rank of beaut in our Discord server.