There are a large number of available certifications in the area. CISSP, Sec+, CCNA Security, CEH are just some I can think of off the top of my head, but I've seen many more.
There always seems to be a mixed response on whether they're useful for entering the industry. Some find them to be bullshit, akin to the programming certs out there. Others seem to think they're useful at least for landing roles in the industry. The most common I've seen requested on job listings has been Sec+, mostly in jobs requiring TS clearance.
Do you believe one narrative or the other? Do you think that these credentials hold more value in certain areas of the field than others?
Cyber master's degrees are pretty much totally worthless, although perhaps some idiot employers think they have value. If you can get a master's paid for, the SANS master's seems like the only one worth doing. The NYU master's is expensive but has some value, though its value comes from basically being a CS degree, so just go get a CS master's from Georgia Tech.
If you work for the government or military they have their set of required certs (8570 baseline). Certs overall are highly correlated with incompetence in my opinion. Experience is what matters.
Does a certification teach you how to 'do' InfoSec? No.
But they're useful if you're starting out in InfoSec. Especially if you're changing careers, don't have a BS, or have those other boxes recruiters like to check. Certs can get you through the recruiter.
Also, some employers require certain certifications to work there; especially if they're working with the government, or some other organization whose contract requires that people working on the contract have various certifications.
If you're going into forensics or something like that where you may be called upon to testify in court as an expert witness, certifications help prove your bona fides to the court.
A blanket 'no they're not useful' is unhelpful and not entirely accurate.
CEH is a bad cert, and I have my doubts about the rest. I think whether they're useful is extremely dependent on your own circumstances, which should already inspire some doubts. College degrees don't exactly have that problem.
If you're switching careers they can be a great thing to point to on a resume, but I definitely don't think of them personally as hugely reflective of someone's skill. It's better to support it with something else.
The only one that I would break this assumption on right now is OSCP, but the exam is grueling and not something that I think people should be subjected to just to get a stamp of approval in the industry. I would say that someone who has it knows offensive security pretty well, something that I could not as definitively say about something like Sec+. I can't personally speak to Cisco certs.
Would I recommend it? Yes, especially if the company pays for it.
The company that I work for allows people to spend weeks of their working time preparing for top CTF contests, and that is valuable because it is something practical. Just don't waste your time memorizing answers to exam questions.
To be fair, I did recommend a CISSP course (on LinkedIn Learning) to a junior member of my old team, mostly to complement the knowledge from the day-to-day work in appsec with other topics, e.g. network.
Personally, I studied math & crypto (with my own passion for programming) and I entered the industry doing appsec, no certifications asked.
I think product certs are valuable though for reflecting experience in a specific field (e.g. CCIE/MCSE/AWS), and process certs (ITIL/etc.) for understanding how it fits together in a service mgmt context.
Apart from certs though, an active Top Secret SCI with a full scope polygraph is worth its weight in gold for govt work.
All that being said, I do think a well written cert course can be an excellent framework for learning a new technology. Having guidance on what is actually important when getting started can be a huge accelerator for your personal development, just make sure you avoid the trash ones (CEH!!!). The HR stamp of approval will hopefully just be the icing on the cake at that point.
Those also happen to be more technical. I think because more managerial stuff is harder to teach.
When you come on Hacker News and see submissions full of comments about the technical details of exploiting some hot new critical remote code execution vulnerability, or read a hacker's blog walking through how they discovered security holes in some websites, or see an article by some cybersecurity company detailing how they tracked down some crime ring or nation-state backed hacking group, please be aware that 1) these are amazing things, and 2) they are not InfoSec. Information security is a management field and is mostly focused on developing top-down security strategies for organisations to implement, measure compliance with, and refine over time. It is related to, but also very different from offensive security. Relevant HN submissions would be high-profile cyber security incidents and updates on laws/regulations on computer use and data privacy.
You mentioned Sec+. It has gained popularity in the past decade and is now considered an entry-level requirement for many IT contracting jobs, especially government ones, and not even ones that are really security-related. If you don't usually get down in the weeds on computer security topics, then a Sec+ is a useful way to get broad high-level exposure. Another way to look at this is that a Sec+ is for people who do not have a lot of pre-existing skills in computer security. It's used by employers to filter out employees who probably cannot be trusted with anything security-related in IT. Imagine your employer is thinking of having you sponsored for a security clearance - if you cannot pass a Sec+, then you're probably not cut out to have a clearance in the first place. Realize that practically all of these organisations have to give annual security awareness training (SAT) to their employees, but by making Sec+ a requirement, they now have a way to cut out everyone who would have just slept through the SAT without really internalizing it.
We've established that the true purpose of Sec+ is for screening entry-level IT positions. The CISSP is similar, but for management-level positions. Primarily, it's middle managers who want to prove to HR that they are worthy of being chosen for information security roles who study for the CISSP. Contrary to what people say on the internet, the CISSP is actually very similar to the Sec+, but with more depth on information security management practices. The enhanced focus on information security management practices is because managers with a CISSP are expected to run information security-related projects and programs for the organisation.
Personally, I made a goal for myself at a young age to get the CISSP simply because I saw it was being hyped online. I didn't even do enough research to understand that years of experience was a requirement. I passed it a year before I even started an IT career. It's very doable depending on how much of a computer geek you are. I let it lapse since I was still working in restaurants and had no IT experience, but a decade later, I went for it again because 1) my employer paid for it, and 2) I consult to customers who are CISSPs.
It's important to research what a cert requires of you in order to maintain it. Both Sec+ and the CISSP require you to accrue a certain number of credit-hours every 3 or so years. There are also member dues. If these aren't too much of a hassle for you, then I recommend certs that are relevant to the environments that you work in. In my case, I got a CISSP because I work with CISSPs. I'd consider other certs if the people I work with had them too. I may not be an expert like what the commenters here are decrying as reasons not to pursue certs, but at least I can show a basic level of competence out of respect for the people who I work with.