The Certification Authority Mafia – is ISC2 CISSP Part of It?

Hi, my name is Pythorian and I have been a paid hacker since 1998. I am certified by Microsoft and Cisco for various things, but to be honest, I don’t keep up on all of these newfangled certifications. Every time I turn around I am renewing a cert or finding a new one on the market. Every time, I sit down after about 2 hours of studying and pass with at least 90%.

I don’t really keep up on the ever-growing certification market, as I have NEVER ONCE had an employer ask for my digits so they could verify a cert. Wait, what? That means my roughly $4k in certs is worthless? EXACTLY. Certifications are WORTHLESS. We are all being held hostage by the infosec certification mafia.

So, with that in mind, I am changing employers next month. One of the criteria for coming over is that I get a CISSP certification before Feb 1. With the available testing dates, that means I have to get the cert in the next week or miss out on a 130k-a-year job.

Seems straightforward, right? Except now I have to come up with $600 in the next week for a certification that the employer won’t even likely verify. Also, the certification has to be renewed every 3 years. So I did what anyone with a Twitter account and a blog would do: I offered PR in exchange for a voucher. This is the response I got from the certification mafia:

[Image: ISC2 scam]

Wait, if I spend $2500 on a 5-day seminar that isn’t offered in the next week, you’ll throw in the voucher for free? What bearing does this have on whether or not I am qualified, versus your bottom line?

So what does this mean about the Information Security community?

As long as employers are not verifying certs, and certification authorities like ISC2 are acting like mobsters who are completely tone-deaf to their role in the Information Security community, why are people going to get certs?

What does this do to the employer and the authority? Fewer certified people, less revenue in the long run, and more vulnerabilities. Am I being cynical? NO. Just Google “adobe flash vulnerability” and tell me that major companies are hiring qualified / certified individuals.

What is the role of a certification authority?

Certification Authorities are members of any community with universal trust. This means that not only does the industry have to trust them, but so do the people purchasing their certifications. If we can’t trust that you are a certification authority who believes in the certification you are selling, rather than in your bottom line, why should we trust you with the investment of buying a certification?

What are your thoughts?


About Pythorian

Exploration and Production oriented security consultant for securing IT infrastructures relating to natural resources.

