[phaus]

I'm not crediting my entire base of knowledge with a certification course, but I did learn quite a bit at some of the courses I've taken. I've also learned quite a bit from books, articles, security conference talks, and of course, by spending a ton of time putting the things I read/watch into practice.

I guess my point is that I agree with you that no one needs certifications, but I didn't think the contents of the courses I took were completely worthless.

IMO, some subfields of security are better suited to structured learning than others. For example, forensics can be taught very well in the format of a certification course. However, from my experience, exploitation and reverse engineering are pretty hard to learn in the same format.

[tptacek]

I doubt the curricula of any certification is entirely worthless. You're saying you appreciate their value as a forcing function and as a set of guideposts for what to learn. I'm saying: there have to be cheaper ways of setting up forcing functions, and I know there are better guideposts on what to learn --- they're just not promoted as heavily as the certifications, because nobody (except hiring managers, who are too dumb to realize it) makes any money on them.

[phaus]

I agree completely. There are books that cover the same content in many cases, but not always. I've read quite a few of these books, sometimes they are actually better. I was fortunate enough to take all of my courses for free, but if I was paying $5k out of pocket each time I wouldn't recommend it. I think the norm is to have an employer pay for it.

[tptacek]

I know that's true and I find that especially alarming, because it gives those employers a tremendous amount of leverage as gatekeepers to the industry (by underwriting certifications for people they elect to employ and retain).