So, let’s be crystal clear on this point: Certifications do not equate to technical competency. At best, they’re indicators of a general grasp of the concepts and nomenclature of infosec. At worst they’re useless and dangerously misleading. I’ve encountered certified individuals who wouldn’t know a buffer overflow from a header file and who were being paid $200 per hour to perform code reviews merely because they were certified. I’ve also seen certified individuals hired to secure networks despite the fact that they think the *nix tool ipchains is an example of a stateful inspection firewall.
The purpose of most certifications is to produce income for the certifying body. Repeat after me: Certifications do not an expert make. On the other hand, an absence of certifications is not necessarily an indicator of incompetence. The bottom line is: don’t allow yourself to be distracted by letters after a name. HR reps seem to like them because they make their jobs easier; if called on the carpet, they can point to the résumé and say, “But look at these certification credentials!”
What is important is the consultant’s depth of knowledge about the issues involved in your particular situation. Take, for example, the common need to secure a corporate enterprise. A competent consultant would be intimately conversant with the mechanics of security on your network as well as the psychology of those who wish to attack it. The latter is often overlooked, but any hunter can tell you that if you don’t understand your prey, you’re probably not going to stumble across any, much less come home with one strapped to the hood of your SUV. For the ill-equipped consultant, threat analysis is too esoteric to be applicable to a straightforward project such as installing a firewall or building an IDS. But throwing up defenses willy-nilly without considering the nature of potential threats is foolish and wasteful.
I recall one instance in which a security engineer installed a carefully considered IDS consisting of only a few sensors placed at critical points throughout the enterprise. Each sensor’s coverage did not overlap. The resulting data could be rapidly and efficiently analyzed, and potential threats could be identified with minimal effort. Not long after, another certified security specialist decided to justify the expense of having been hired at an artificially inflated salary by putting sensors on every single node in the network. This resulted in a flood of highly redundant data, rendering the system largely useless without a team of full-time data analysts working to sort and interpret the avalanche of false positives. Eventually the organization scrapped the entire system at considerable cost and started over, having realized too late that quality and strategic finesse are the keys to successful intrusion detection, not quantity and data overload.
Different job, different skills