The Certification Trap

Published: 30 Aug 2024

I woke up this morning and saw that yet another certification is now available. You can now be "XYZ" certified! The exam seems pricey, but hey, that will definitely show that I'm good at hacking, right?

This is the kind of message that bombards professionals in our field every day. The certification industry is booming, with new credentials popping up regularly, each promising to be the key to advancing your career. But have we stopped to consider what we’re really buying into?

The Dangers of Turning Certifications into an HR Shortcut

The more we encourage the narrative that certifications are an "HR bypass," the more we solidify this problematic perception. By promoting certifications as a fast track to employment, we inadvertently make the problem worse. In some countries, the cost of this so-called "bypass" can be as high as three months' salary, which makes it a significant financial burden for exactly the people it is supposed to help.

But here's the truth: hacking and security are about skills, expertise, and real-world experience—not about how much money you can throw at a certification. When the industry starts to prioritize certification over merit, it undermines the very foundation of what makes a good security professional.

Certifications are, at best, just a snapshot of someone's skills at a particular moment in time. They don't tell you where the individual is in their journey. Is this just the beginning for them, with plenty of room for growth and development? Or have they hit a plateau, with the certification representing the peak of their abilities? A certificate doesn't provide insight into whether someone is going to continue improving or if they’ve already reached their limit. It’s a static measure in a dynamic field, where continuous learning and adaptation are crucial.

The Pokémon Mentality

People have started to collect certifications like they collect Pokémon (Gotta Catch 'Em All). It’s become a comfortable pursuit, because there’s no real risk involved. There are only two outcomes: you pass, or you fail and sit the exam again. If you fail, you can simply try again until you succeed. There’s a safety net, a guarantee that eventually, with enough attempts, you’ll add that shiny new certification to your collection.

But this comfort comes at a cost. Unlike actual security research, where you don’t know if there’s something to be found, certifications offer a predetermined path. They don’t require the same level of creativity, problem-solving, or risk-taking. Too many people get trapped in this mindset, seeing their career as a checklist of certifications to obtain, rather than an opportunity to build something unique and impactful.

The Problem with Generic Certification Advice

All too often, people looking to break into the security field are met with a generic list of certifications to "get started." Instead of offering a one-size-fits-all recommendation, we should be providing thoughtful, personalized advice. Don’t tell someone to get certification X, Y or Z just because it’s popular or seems like the logical first step.

If someone has a background in web development, guide them towards "Web Hacking"—a natural extension of their existing skills. If they used to work in sales, suggest exploring social engineering, where their understanding of human interaction can give them an edge. For those with a history in network engineering, point them towards network security, where their existing knowledge will be invaluable.

By tailoring advice to an individual’s background and strengths, we can help them build on what they already know, rather than pushing them towards a generic path that may not suit them. This approach not only fosters more meaningful growth but also encourages people to carve out their own unique place in the security field.

Conclusion

The fixation on certifications as a measure of competence is leading us down a dangerous path. It’s turning the security industry into a field where the ability to pay for exams is mistaken for genuine expertise. Certifications are becoming more about collecting badges than developing real-world skills. We need to shift the focus back to what truly matters: the ability to think critically, solve complex problems, and continue growing beyond the limitations of a certification. Only then can we ensure that the field of security remains one where true merit is recognized, and real innovation thrives.

Written by Louis Nyffenegger
Founder and CEO @PentesterLab