The 6 UGLY TRUTHS about Security Certifications

popalltheshells
3 min read · May 6, 2022

Here we are again, with yet another (possibly) controversial topic. This time it is about security certifications. Regardless of whether you are in Cloud security, Forensics, Governance, Offensive Security, etc., at some point you may have felt the pressure to obtain the most sophisticated, the latest, and the very “best” security certifications. Don’t get me wrong, I hold a few — but that came with its own struggles.

I am not here to bad-mouth certification offerings; in fact, I am here simply to raise awareness on the topic. I am a huge advocate for continuous learning and professional development, and I still take courses; however, the toxicity becomes more prevalent when it all becomes more and more about “four-letter bragging rights” than actual learning.

You certainly don’t need certifications to become one of the best. I have a long list of names to prove and support this statement.

If you struggle with, feel the pressure from, or are affected by “imposter syndrome” — know that CONTINUOUS LEARNING triumphs over everything. Study at your own pace, and study what you like. You can be on Google and YouTube and be better than the majority of cert holders.

Of course passing an exam will help you and your company thrive, but this does not mean you HAVE to torture yourself chasing every certification out there.

With that said, here are the things I found quite troublesome in the security industry in the present time:

  1. Imposter syndrome — You see someone with a bunch of credentials? Good for them; you do not need to collect them all. They are not infinity stones. Thinking that you need to own all certifications to be regarded as an “expert” is toxic; you need to take these certifications with a different mindset. Learning is your first objective, not the three- or four-letter title. Also, nobody is an expert (with the exception of maybe a few people).
  2. “Mandatory” certifications on job postings dismiss the fact that there are talented people who have proven bug-bounty/CVE/research records under their belts.
  3. Companies often “force” talent to take certifications rather than making it optional. If they have been doing their job well for a year without any certs, then there should be no reason to. Some people just want to make a living and have the ability to relax with family members or friends on the weekends.
  4. THEY ARE EXPENSIVE and not everyone can afford them (thanks to TCM Security, this is becoming more and more feasible).
  5. A lot of people take these certifications with mindsets other than learning.
  6. The more certs you have, the more “qualified” you are and the more you will be paid — “that’s not true, we..” STOP IT. I still see professionals getting paid less than they deserve. I understand that you want to impress your clients, but I don’t think it’s fair that Alice with 5+ years of experience is paid less than “Bob | OSCP, GWAP, XXXX…” with 3 years of experience. They are both able to do the job.

These are just some of the issues that are most apparent within the industry; the comment section is open to different thoughts and perspectives.
