Thursday, March 18, 2010

The Value of Certifications

I see two basic camps in the security realm when it comes to certifications.

The first camp includes those with an alphabet soup behind their name: CISSP, CISM, CISA, GSEC, GIAC, GSE, CEH, CCNA, CCIE, etc. I suspect I could keep typing for days and not list them all. The organizations that promote these will certainly argue that they add value, that they validate that the holder knows something useful to an employer, and that the holder is therefore worth more. This may or may not be true, but certifying organizations make a substantial income from people maintaining their certifications, so they have a vested interest in believing that certifications are valuable and in promoting them.

I would note that I am not convinced certifications are always a cash machine; they do fund the employment of many people, so the amounts involved are significant, and those people are probably needed to run a solid certification program. Either way, large sums are involved in the process, whether or not the individuals involved make a lot of money personally.

The other end of the spectrum argues that certifications are completely worthless and that work experience is all that matters. They often look with disdain on those who hold certifications, viewing them as "paper tigers": people who can pass a test but don't really know much in practice. I suspect having a certification is a liability if one of these people is in charge of the hiring process.

What spurred my thinking on this again was an OWASP podcast with Mark Curphey. (Yes, I am a little behind; the show was from last July.) He expressed the second view and seemed to disdain certifications in general.

I sit somewhere between the two camps and see merit in both positions. I have personally acquired many certifications because I felt like it, not because I wanted some letters to add to my name. Experience is still the most valuable thing, but I would rate my M.S. in C.S. from Illinois (along with a B.S. in C.S. from their Engineering College) as far more valuable than all of the certifications, since it laid a firm groundwork for the many things I have dug into since.

That said, my certifications, especially the SANS ones I hold (GSEC, GCFW, GCIH, GCIA, GPCI), helped me really master the material in those areas. My background is more in programming and development than system administration, so having had to study the material for those courses helped me absorb far more than I would have by just reading a book. Of course I still need to put things into practice, but that is true of anything.

My main point is: don't worship certifications, but don't disparage them out of hand either. Don't get any if you don't see the need, but don't automatically assume that someone with several is incompetent either!

The Insider Threat to Drivers

This article shows that the human factor will always be a major factor in any overall security stance. A disgruntled, laid-off employee used a former coworker's account to access a system for remotely tracking and disabling cars, the kind of system now used frequently by "buy here, pay here" auto dealers. A number of customers had cars that would not run until the dealer resolved this. It makes you worry about what the future could hold as we put more and more computerized control devices into cars and other electronic equipment.

I am reminded of a recent OnStar commercial in which they remotely disable a stolen car so the police can catch it. That sounds great, but what would happen if a disgruntled employee got access to that system? It is very important that companies with that kind of control have very secure development processes, and that includes the controls around who can issue commands: revoking a departing employee's access is necessary, but clearly not sufficient when he can still log in with a coworker's credentials. In this case, making it harder for a single employee (or a single account) to disable so many vehicles so quickly would have been a reasonable design limitation and would have bounded the possible damage in a case like this.
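One shape such a limit could take, as an added example that is not code from the original post or from any vehicle immobilizer vendor: a small gateway that sits between the dealer's web UI and the command channel, allows each operator only a handful of disables per hour on their own authority, and requires a second, different operator to approve anything beyond that. The same sliding-window logic, run over an audit log, also serves as detection for a system that has no such gate. The gateway API, the thresholds, the operator names and the log format are all assumptions made for illustration.

```python
"""Throttling and detection for remote vehicle-disable commands.

Added example, not code from the original post or from any real vehicle
immobilizer product. The gateway API, the thresholds, the operator names and
the log format are all assumptions made for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy: one operator may disable at most MAX_PER_WINDOW vehicles
# within any WINDOW of time on their own authority. Past that, a request is
# refused unless a different operator has approved it (dual control).
WINDOW = timedelta(hours=1)
MAX_PER_WINDOW = 5


class DisableGateway:
    """Sits between the web UI and the command channel to the vehicles."""

    def __init__(self, window=WINDOW, max_per_window=MAX_PER_WINDOW):
        self.window = window
        self.max_per_window = max_per_window
        self._recent = defaultdict(deque)  # operator -> timestamps of disables
        self.audit = []                    # (time, operator, vin, decision, why)

    def _recent_for(self, operator, now):
        q = self._recent[operator]
        while q and now - q[0] > self.window:   # drop entries outside the window
            q.popleft()
        return q

    def request_disable(self, operator, vin, now, approver=None):
        """Decide whether `operator` may disable `vin` at time `now`.

        Returns (allowed, reason). Every attempt is recorded in self.audit,
        including refused ones, so a burst of denials is itself visible.
        """
        q = self._recent_for(operator, now)
        if len(q) >= self.max_per_window:
            if approver is None or approver == operator:
                why = "over quota; approval from a second operator required"
                self.audit.append((now, operator, vin, "DENIED", why))
                return False, why
            why = f"over quota; approved by {approver}"
        else:
            why = "within quota"
        q.append(now)
        self.audit.append((now, operator, vin, "ALLOWED", why))
        return True, why


def flag_bursts(log_lines, window=WINDOW, max_per_window=MAX_PER_WINDOW):
    """Detection for a system that has no gate: scan an audit log and return
    {operator: peak number of disables in any `window`} for every operator
    whose peak exceeds `max_per_window`. The log format is an assumption:
    '<ISO timestamp> op=<name> action=<verb> vin=<id>'.
    """
    events = defaultdict(list)
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("action") == "disable":
            events[fields["op"]].append(datetime.fromisoformat(line.split()[0]))
    flagged = {}
    for op, times in events.items():
        times.sort()
        q, peak = deque(), 0
        for t in times:                      # sliding window over sorted times
            q.append(t)
            while t - q[0] > window:
                q.popleft()
            peak = max(peak, len(q))
        if peak > max_per_window:
            flagged[op] = peak
    return flagged


# Constructed sample log: one operator disabling a couple of cars during the
# workday, and one account firing off twenty disables in the middle of the night.
SAMPLE_LOG = [
    "2010-03-01T09:10:00 op=alice action=disable vin=VIN0001",
    "2010-03-01T11:45:00 op=alice action=disable vin=VIN0002",
    "2010-03-01T16:05:00 op=alice action=locate vin=VIN0003",
] + [
    f"2010-03-02T02:{i:02d}:00 op=bob action=disable vin=VIN{100 + i:04d}"
    for i in range(0, 40, 2)  # 20 disables in 40 minutes
]


def demo():
    """Run eight rapid disables through the gate, then scan the sample log."""
    gw = DisableGateway()
    t0 = datetime(2010, 3, 2, 2, 0, 0)
    decisions = [gw.request_disable("bob", f"VIN{100 + i:04d}",
                                    t0 + timedelta(minutes=2 * i))[0]
                 for i in range(8)]
    return decisions, flag_bursts(SAMPLE_LOG)


if __name__ == "__main__":
    allowed, flagged = demo()
    print("gateway decisions:", allowed)     # first 5 allowed, next 3 denied
    print("burst accounts in log:", flagged)  # {'bob': 20}
```

The quota is deliberately low because a legitimate repossession workflow disables cars one at a time as accounts go delinquent, not dozens in a sitting; the threshold and window are assumptions to be tuned against real usage. The important properties are that the limit is enforced server-side per account rather than in the UI, that exceeding it requires a second person rather than a second click, and that denied attempts are logged so an operations team sees the burst while it is happening.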