Kenneth G. Hartman bio photo

Kenneth G. Hartman

Security Consultant,  
Forensic Analyst & 
Certified SANS Instructor

Email Twitter GitHub

A friend of mine recently made the following post on his Facebook page. It resulted in an interesting discussion, so I thought that I would share it and my response.

OPINIONS wanted: Ok all of my professional FB friends. I am looking at possibly taking some training and obtaining new certifications down a slightly different branch in my IT career. I am looking at taking a Cyber Security program, in the end I will have my CompTIA Security+, CompTIA Advanced Security Practitioner and Certified Ethical Hacker (CEH) certifications to add to my toolbox of skills.

I have been in the consulting world for most of my IT career and am looking for feedback on what the perceived value of these certifications are. If you are in a position to make a decision at your company would you be looking to hire a CEH to test your companies security?

I know there is a huge need for cyber security, I guess I’m wondering if there are enough businesses willing to pay for it and what those businesses look like. Maybe cause I don’t think I could sit at a desk at one company and do the job all day. Any and all thoughts are welcome. –Mike

Hey Mike, Great question and good responses on this topic. As a security guy with a bunch of certs, I definitely have some opinions on this. First, as much as I hate to say it, security is generally an afterthought for many companies and they will only reluctantly invest in it. It seems that the companies that spend money on security do it for three reasons:

  • They were a victim of an attack,
  • Compliance regulations,
  • They are selling security products.

This is what it is, and I see an increase in demand driven by all three of these reasons. Often the companies that sell security products are not themselves all that secure, but have enough knowledge to sell their particular product. But products do not make one secure any more than a fancy stove can cook a gourmet meal. I have seen companies that are willing to invest in a cool security “stove” but unwilling to hire a good chef.

Compliance does drive a significant amount of security investment, including most penetration testing. I deal mostly with PCI and HIPAA, but FedRAMP/FISMA are also big drivers. Then there are those companies that have been victimized. Depending on the size of the company and the publicity of the breach, they may need to bring in a big name like Mandiant or Stroz Friedburg to publicize that they are taking the response very seriously. These big events also generate an uptick in security spending for a period of time that benefits the smaller consultants as well.

On the topic of certifications, there are many “experts” that poo poo certifications–particularly the CISSP. I think that this is because the CISSP is a hard test and has many trick questions. You cannot pass it without studying the “Common Body of Knowledge.” I put experts in quotes because some of these people are just unwilling to invest in the time whereas others are truly experts and have written the book. I have the CISSP and am proud of it, but to me it was just an initial milestone. There are those that are willing to step up into the ring and be measured and there are those that are not willing for one reason or another.

Penetration Testing is the cool and sexy side of InfoSec–it makes for better movies than being a defender. Not only that it is fun knowing that you can pop a computer. It will also give you a better appreciation of patching and vulnerability management. The CEH and OSCP are both highly regarded as is the GCIH (which is what I have). Even if you do not go into InfoSec full time, the learning process involved in obtaining the certifications will be very valuable. I have found that when I have to sit for the exam, I learn the material much more deeply.

One last thought, don’t go into InfoSec unless you love to learn as the technical aspects of security change rapidly (i.e. Beast, Shellshock, Heartbleed, Stagefright and on and on). On the other hand, it is always fascinating to me. While you are at it hit some regional security conferences such as Bsides and Derbycon. There is also a good meetup group in Madison, WI that you may like–MadSec. Also check out the website by friend Ted Demopolous. This will give you lots more to think about.