The Never-Ending Maw of Cybersecurity Certifications

As the months pass by and my retirement savings dwindle, I have to say I’ve at least been enjoying everything that I’ve learned over the past 2+ years. But I really needed to take a moment to criticize some of the activity I’ve been seeing in the certification space, because it’s truly bizarre.

First of all, let’s address something important: cybersecurity is definitely in a massive bubble. This is odd for me to write, since I’m technically a part of this bubble. The difference is, I’m not in it because I want to be l33t hacker-man, or expect to make insane money out of the box: I’m in it because all of it is immensely interesting to me, and I’ve had dozens of dreams that seem to be God pointing me in this direction (as strange as that may sound to people who don’t believe in God). I’m positively amazed at how much training exists for this field and its wide variety of subfields. It is ultimately responsible for ushering in a world of click-to-spin servers, as the education community has shifted from downloadable VMs to automated cloud deployments. Want to test out a new exploit? Activate your VPN script to connect to the appropriate virtual network, then click a button to deploy the vulnerable server. Truly amazing stuff. But all of this is for security specifically, dwarfing what the world still very much needs: server, cloud, and network administration skills. And let’s not forget how software could use some love and investment, too, given how everything is broken on a regular basis and somehow we’ve all come to think of this as normal (“dirty programmers!”).

I used the training company INE to first cut my teeth on offensive security (known as penetration testing, or “pentesting”, when you don’t want LinkedIn filters to accidentally flag your content as NSFW…). INE was well-known for their extensive network training before they acquired eLearn Security, which had a solid reputation for its catalog of security certifications, even if these were known as “death by powerpoint”. INE revived the certifications that showed potential, upgrading them to video-lectures, while many of the others, which had already begun their rot into obsolescence, were abandoned. Those that died included an advanced penetration testing certification, a software security certification, and an exploit development certification, among others. Those that survived included two network penetration testing certifications and two web penetration testing certifications (all pretty good, IMO). They even added a host of role-based, decently-regarded defensive certifications that don’t yet have HR recognition. Their mobile security certification – the eMAPT – is still alive but on life-support, well-criticized online for being buggy and outdated. Whether they revive it or pull the plug is anyone’s guess at this point.

If you aren’t familiar with these certifications and acronyms, I apologize if I’m not explaining it well, but bear with me for another paragraph or two.

Seeing half of INE’s certifications rot into obscurity, it’s with a dark cynicism that I see companies like TCM massively expanding what they offer. It feels like history repeating itself. TCM is a home-grown company that came out of nowhere to compete with a company called Offensive Security (OffSec), which offers a host of well-respected (albeit expensive) certifications. TCM was lean, mean, affordable, and up-to-date, and really gave OffSec a run for its money, forcing it to update its curriculum massively or face steep competition for the HR recognition market. They did this with a solid pentesting certification known as the PNPT, while offering some smaller certifications for web. Then they expanded to mobile. Then OSINT. Then malware analysis. Then IoT. Now…help desk?! Oh, good lord. I don’t mean any disrespect to people who work the help desk – it’s the common entry level job for most of IT – but if people are offering certifications for help desk, you know that something has gone horribly wrong. They are also trying to get into the defensive side of things, and in a funny twist of fate, the company Offensive Security is now branching into defensive security as well.

My friends…so much of this industry has turned into a massive money-grab.

Every one of these subjects has its value, and every one of these training companies has merit. But I think people are missing the forest for the trees.

First of all, everybody is trying to do everything. This is not going to end well. I’m all for learning new things, but you can learn new things without doing a certification, and a large appeal of doing a certification is the recognition it can give you in the job market. When certifications die out, they stop meaning anything. When certifications change their acronyms, it takes years and years for the change to be acknowledged by HR. When you call your company Offensive Security and you expand into defensive security, it tells me you have lost the vision for what you want to be. When companies try to be everything for everyone, they lose the ability to specialize and offer a solid product. The loss in efficiency will fall on you, the consumer. And that’s exactly what you are in this situation: a consumer.

And look. I’ve learned a ton from my certifications. I like them. I’m glad they exist. I appreciate how they can take a lot of information and package it into 100+ hours of content. I wouldn’t be anywhere near where I am today otherwise. But all I’m hearing about are the difficulties of finding a job, and all I’m seeing are more and more certifications. Again: this is not going to end well.

This past month I took a break from security to learn more about Windows Server. It was 100% worth it, because I feel immensely more comfortable pentesting in the Windows environment now. I still have a lot to learn, and doubling down on Active Directory is going to be very important if I want to pass the OSCP (“big fancy”), but it’s funny that I had to escape to the world of administration to learn something cybersecurity couldn’t give me: an understanding of how things are actually configured. Moreover, I have yet to find any cybersecurity training that covers the actual differences between SMB versions; they usually just teach a smattering of scripts you can throw at it, with no discussion of the nuance. I mean…there’s value in throwing script-kiddie tools at a system, and seeing how the system handles that, but in general, you should make an effort to understand what the hell you’re doing, and all of the training I’ve done has been deficient in that area, which leaves me needing to learn more. I’ve realized that none of this training considers this nuance to be important, which has me questioning just how much of this training I want to complete before carving my own path. Perhaps I am just a Red Teamer at heart, who wants to learn ultimate stealth, but I’m still going to need to prioritize the OSCP so I can get a job and build experience first.
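To make the point above concrete, here is the kind of check that administration teaches and most pentesting courses skip: what a Windows Server host is actually configured to negotiate over SMB, what dialect its current clients really landed on, and the two settings that matter most for an attacker. This is an added example written for this page, not code from the post, from INE, TCM, or OffSec. It assumes an elevated PowerShell session on Windows Server 2016 or later with the built-in SmbShare and ServerManager modules; the function names are my own.

```powershell
# Added example (not from the original post). Inspect and harden the SMB
# server posture of the local Windows Server host. Run elevated.
# Cmdlets used are the built-in SmbShare and ServerManager modules.

function Get-SmbPosture {
    # Server-side settings that decide which dialect a client may negotiate
    # and whether the resulting session is signed and/or encrypted.
    $cfg = Get-SmbServerConfiguration

    [pscustomobject]@{
        # SMB1 (NT LM 0.12): no encryption, MD5-based signing, no
        # pre-authentication integrity. Nothing modern needs it.
        SMB1Enabled        = $cfg.EnableSMB1Protocol
        # SMB2/3 switch covers dialects 2.0.2, 2.1, 3.0, 3.0.2 and 3.1.1.
        SMB2Enabled        = $cfg.EnableSMB2Protocol
        # When $false a captured NTLM authentication can be relayed to
        # this host; this is the setting relay tooling is looking for.
        SigningRequired    = $cfg.RequireSecuritySignature
        # SMB 3.x only (AES-CCM on 3.0.x, AES-GCM on 3.1.1). Turning it on
        # locks out every SMB1/SMB2 client, so it is a deliberate choice.
        EncryptionRequired = $cfg.EncryptData
        RejectUnencrypted  = $cfg.RejectUnencryptedAccess
    }
}

function Get-SmbSessionDialects {
    # What connected clients actually negotiated, as opposed to what is
    # merely enabled. Dialect 3.1.1 = Windows 10 / Server 2016 and later;
    # 3.0.x = Windows 8 / Server 2012 era; 2.x = Vista / 7 / 2008 era;
    # anything starting with 1 is an SMB1 client that will break when
    # SMB1 is disabled, so find these before you flip the switch.
    Get-SmbSession |
        Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens |
        Sort-Object Dialect
}

function Set-SmbHardening {
    # Turn off the SMB1 dialect at the protocol level, then remove the
    # feature so it cannot be re-enabled by a client-side request.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Confirm:$false
    Uninstall-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue | Out-Null

    # Require signing on the server side so this host cannot be used as
    # the target of an NTLM relay. Leave EncryptData alone unless every
    # client in Get-SmbSessionDialects is already on 3.x.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Confirm:$false
}

# Usage: look before you touch, harden, then look again.
Get-SmbPosture
Get-SmbSessionDialects
Set-SmbHardening
Get-SmbPosture
```

On a workstation rather than a server the feature removal line becomes `Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol`; the SmbShare cmdlets are the same on both. The useful habit here is the first call to `Get-SmbSessionDialects`: it shows who would break, which is exactly the nuance a script that only checks "is SMB1 on?" cannot tell you.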

And to continue this briefly, the new eWPTX now covers web API testing, which is great, but I literally read a book on this a year and a half ago. It re-uses quite a number of videos from INE’s other training courses, and while I’m not at all opposed to reviewing old material, it leaves me wondering if a handful of books might have more content than whole training courses (though granted, books don’t allow you to spin up labs on the fly). We’ll see, I’d still like to do the eWPTX, but it isn’t a high priority.

I don’t mean for this to be overly negative, but I’m growing increasingly wary of the ticking time bomb that is cybersecurity training. It reminds me that at the end of the day, computer fundamentals lay the groundwork for cybersecurity better than almost all of these training courses would have you believe, and the further you stray from these fundamentals, the more training you need to put the pieces together for you. I’ve enjoyed the training I’ve done, and I will probably always enjoy chasing certifications, but there are definitely diminishing returns, and I think the training industry has lost its mind.

The only good thing I can see coming from the bursting of the bubble is that a lot more people in IT and software will have strong foundations in security. Better for society, but maybe not better for you, if you were among the many hopefuls.