The stupidity of certification
We are obsessed with certification and qualification in the business world.
In the late 90s, Microsoft certification was the number one qualification in the IT space.
The MCSE (Microsoft Certified System Engineer) was the top one that I held from 1998 - 2006
This high-end cert had a few problems.
A person who had been working with Microsoft software in a business environment often failed the exam because of the difference between the reality of the business world and Microsoft’s rosy glass interpretation of what business had to do to make it run.
Anyone could pass the exam if they studied enough or had access to the answers being sold on the internet.
They did not have to have practical knowledge of NT4 (what a beast) to get a job as a network engineer.
That problem is still around.
Technically wise, cybersecurity certs have a similar problem.
You would think the difference between a certified security engineer and cybercriminals would be close.
They are not.
A certified security engineer lives in a world of frameworks, asset management, risk management, alerts, reports and responses.
The cybercriminal does not even need to be a cybercriminal, all they need is a driving focus to get into a system.
To think outside the box.
To find a vulnerability that no one else has found, work out how to exploit it, complete a proof of concept document and release it to the world with the words “look what I did”, that is all that they need.
Not a certification in place.
Not a qualification in sight!
Just a drive and focus on doing something on the digital world that will get them to notice, the kudos for doing it and the learning that comes with it.
I would bet my uncertified unpapered team against your certs anytime.
I wonder who would win.