A humoristic generalized - but serious - rant about the LinkedIn certification warriors and the outdated mindsets of boomers in cyber security. Based on baseless assumptions and my humble opinion.
You know those people in cyber security, with all those fancy certificates? I’m not talking about OSCP/OSCE, those are one of the very few that serve their respective goals. I’m referring to those CISSP, CISM, CCSP, etc warriors. Some even have them all in their LinkedIn name, as if they’re PhD candidates. They most often work at companies that have such certificates as requirements (evidently). Companies that have dedicated budgets, are bureaucratized, have yearly reviews where the employees have to set arbitrary “goals” - which if they then “achieve” they can use to get their precious 5% salary bump. You’ve performed with “exceeding expectations”, good job! The company likes compliance in other ways as well, they are ISO27001, ISO9001 and what have you not - certified. Proud to work in an agile way of working, with scrum masters - which was a big change already from your prince2 way of working. They have their textbook SOC as well, with L1, L2, L3 SOC analysts - just clicking away those brain draining false positive alerts in their factory.
What is the end result you end up having? A company that attracts your average joe that seeks a 9/5 that lives for the weekend, a bunch of processes and policy on paper for those audits you have to keep those certifications, a SOC that is just a factory with no room for automation, out-of-the-box thinking and creativity, and you keep detecting that dangerous adware whilst you’ve got no clue you’re already hacked to the brim by an APT. You have people that are very good in memorizing the theory about security, but have no clue on how to apply it - no experience. Perhaps you’re better off in the academic world? The funny thing is, you even think you’re doing a great job! That you contribute to the artificial and simplistic mission and vision of the multinational you work at. For a better world! Whatever that entails. As long as we make a good margin on it. Right?
Whilst busy with creating “use cases” for “detection”, you charge your customers per “use case”. “Use cases” that are based on the “customer’s needs”. That’s right, based on what the customer thinks to be relevant and important in security - easier to sell. All the while, you act on feeling and intuition. I think this thing here is important to protect against, or perhaps you created a new “use case” to “detect” the latest overhyped vulnerability - and you’re even as generous as to provide the “use case” for free. Whilst you don’t even have a idea of which threats you’re trying to protect against, and more importantly - why.
You’re always one step behind. When will you make the decision to lead - instead of following and observing others in the security space? Desperately trying to jump through the hoops that others have set out for you. When will you finally educate, train and hack yourself? How do you expect to defend against the enemy, if you can’t think, act and behave like one? You think that APT’s are certified? You think that they are compliant with these fancy standards? You think that the mindset that wants you to strive for such certificates, is really adequate for the actors you’re pretending to be able to defend against? Or another seemingly controversial suggestion, when will you start using a data driven behavioural approach to security - instead of your “professional opinion”?
What you need, is reset in mindset. That is if you’re up to it? Most people are happy and like the conformity of the exact things I laid out to be what I think is a joke. It’s not for everyone, but if you want to keep learning, evolving and progressing as a professional - you’ve got no other choice.
It’s never too late to change, so, will you?