It's no secret that I have issues with portions of the security certification industry, in particular with the way that the word "ethics" is thrown around with no apparent thought about the concept. It seems that ethics only comes up when someone is getting certified or when a cert holder gets in trouble; no one actually teaches cert holders about ethics.
As a result, I was particularly intrigued when I first heard about the Certified Ethical Hacker (CEH) certification about a year ago. My research to date has indicated there is little-to-no discussion of what it means to be ethical in the certificate's training materials, and what discussion there is appears to be limited to the importance of having permission before performing an assessment. Grantees of the certificate must agree to follow a code of ethics, but the CEH's code doesn't appear to be any better or worse than (ISC)2's or GIAC's, which is to say it's pretty lousy.
That being said, I have reviewed the curriculum of the class. The course outline that I saw covers a broad range of topics that any good security analyst should be familiar with. The question to ask is whether this information is something you can learn on your own or if you prefer the classroom environment.
There are two main reasons to get a certification: first, if you want to work for many government agencies, you need to be certified; and second, some employers give bonuses for gaining certifications, in which case, by all means, certify away.
If neither of those cases apply, I don't really see the value of most certifications. Savvy hiring managers -- the ones you want to work for -- know that certifications have limited value and instead look for real-world experience and an understanding of how security needs to work in a business environment.
For more information:
- What certificate offers the best ROI for an IT project manager?
- Is SANS Institute security training worth the effort?
This was first published in January 2009