Stop silly security awards

  1. RNG

    In my field (embedded software reverse-engineering/exploit development), our customer requires that engineers hold a CISSP certification (CISSP == Good at Reversing or Exploit Development?). Respectfully, I've met some of the most tech-illiterate business analysts with CISSPs, while some incredibly bright engineers struggle to pass it. I had no trouble passing, simply because I tend to do well at multiple choice tests. It does seem to filter out certain types of creative engineers whose brains aren't wired to be successful at hours-long multiple choice tests.

    Not to mention my company has to send a $120/year check to ISC^2 per engineer. The situation gets even scummier with other so-called cybersecurity certifications.

    1. symmetry

      I wouldn't conflate PR/pay-to-win security awards with security certifications. Love it or hate it, someone took the time and effort to actually complete it. There are good doctors and bad doctors, good lawyers and bad ones, but I certainly can't trust one that doesn't have a medical license or hasn't passed the bar. I consider the annual fee as a charitable donation by my company. Where would you rather that money go to? Bonuses to execs or more budget for the SEOs?

      1. RNG

        You mentioned lawyers and doctors, but also many other professions: cosmetologists to nurses to plumbers to electricians all have certifications through the state, with governmental accountability for their work. To be a certified plumber means having a license with the state, not buying a so-called "certification" from a private business. Cybersecurity certifications are some weird pseudo-licensing scheme where private businesses offer various dubious "certifications" in exchange for cash, and lots of it.

        And where does this money go, besides some person's pocket? CompTIA, a leading cybersecurity "certification" business, has used their cash flow to lobby against Right-To-Repair legislation. In fact, they were one of the leaders of industry push-back against Right-To-Repair [0][1].

        Where would you rather that money go to? Bonuses to execs or more budget for the SEOs?

        That money is going to execs, just execs for some other company masquerading as a licensing agency. I wouldn't be completely opposed to a licensing program for cybersecurity engineers that holds individuals accountable to a standard of work, but honestly incompetent engineers are going to be best weeded out by the interview process. The existing process doesn't provide meaningful accountability for security professionals; it simply excludes people bad at arbitrary test taking from certain roles and forks money over to dubious businesses whose values one may deeply disagree with.

        [0] https://www.phonearena.com/news/Right-to-Repair-bill-Apple-iPhone-unauthorized-fix_id115763

        [1] https://www.theverge.com/2019/5/1/18525542/apple-right-to-repair-bill-california-lobbyist-comptia

        1. symmetry

          You seem to have strong feelings about this, not sure if I'm keen on debating this further. While I agree that a statewide licensing program can benefit the cybersecurity industry, the existing private business industry is merely filling the void.

          I personally don't have a CompTIA cert (nor any wish to get one), but I think it would be unfair to describe these certifications as purely in exchange for cash (a la degree mills). For some with a nontraditional educational background, it might be a good pathway to gain accreditation in their job field. It sucks that CompTIA has lobbied against right to repair, but I'm inclined to think this is just out-of-touch management (maybe boomer execs). I don't think this diminishes the quality of the service they provide or the quality of the people who have those certifications.

          My comment regarding where the money goes is merely tongue in cheek. Employees should make more use of their company's learning and development budget.

          On the note about increasing accountability for security professionals, I agree in principle. But in practice, I'm more concerned about increasing accountability for the people who choose to ignore the advice of security professionals, which inevitably leads to an incident. Shooting the messenger is all too common.