Friday, August 31, 2012

Research and tools not certs


People ask me about certifications and whether or not they will be beneficial, either in terms of knowledge gained or for career advancement.

In the '90s, I worked with "paper tigers" who were no more effective than those with real-world experience; this shaped my opinion of certs. This changed for me when I had a co-worker trying to get his CCIE. He was good and had passed a number of exams, but failed one and was going to have to take it again. After several conversations, he convinced me to study for the OCP. At the time, I'd been doing Oracle DBA work for a few years.

I bought the books and began studying, and within days I learned things that made me more effective. There were commands and scripts in the books that made me realize how much I didn't know, and they made me a more effective DBA. That experience changed my mind about certs, and though I never did get my OCP, I did see the value in studying for certification exams.

But I do not think that having a string of letters after one's name is important, though I have been guilty of putting alphabet soup in my .sig.

I'm more inclined to agree with what Timmay said in his Skytalk at Def Con this year: if you want to get a great job in info sec, you don't need certifications; instead, spend your time becoming a badass in your field.

Rather than spending your time proving that you know the answers to things that thousands of other people know too, why not spend your time publishing original research and tools in support of that research -- tools that will improve the community?

Here's how I rank the ways to build your reputation and land a great job in info sec:
  1. Publish original research in your area of interest via blog posts.
  2. Create new tools that help others; these can be by-products of your research.
  3. Submit and deliver great talks at conferences or local groups (HTCIA, Infragard, ISSA, etc.). These are also by-products of research and an opportunity to demo your tools and network.
  4. Participate in public forums in your area of interest in a helpful way (don't be a douchebag).
  5. Acquire certifications.

You may look at this list and say, "I’m not a developer" or "I don’t have ideas for original research." Start. Learn what others in the field already know and apply their techniques, methods and tooling. Pick a programming language. Python, Ruby and Perl are all fine choices, and there’s a large body of open source, security-related code written in these languages, so you’ll have a nice base you can review and learn from. As you study the techniques and tools of others, you will eventually hit a wall where the amount of published information about a thing drops off or just doesn’t agree with your own experience. Maybe the published information is wrong, or maybe few people have explored what it is that you’ve encountered. You will eventually reach the limits of the known, and in our field this won’t take that long. You’ll have questions that you can’t find answers to -- an area ripe for research and publication.

Some of these things may be big undertakings requiring hours of work and considerable development effort. Some things may be simple command-line techniques that other people already know but never published because they were too obvious. Whatever they are, document them in a blog post and publish them. You may save people hours of time in the future.

We all stand on the shoulders of giants in this field (though I normally stand on their toes). If you want to build up your reputation, do it by learning and sharing what you learn with others. I'd much rather see a resume cross my desk with a list of interesting blog posts containing original research and tools than one that lists a bunch of certifications.
