Your argument in the other link is that they’re not the only thing that’s required to get in. I totally agree.
Plainly stating that they do not provide scaffolding is nonsensical. Newbies have to learn the boundaries of the field in order to target their prep. Certs basically excel at this (and are IMO otherwise useless aside from being HR speedbumps).
Otherwise, you see a very common situation like this (verbatim example): someone wants to do cloudSec. They decide that hosting a DVWA in the cloud and pentesting it is good cloudSec home lab prep. Very rarely, short of a cert in AWS for instance to start off with, is it easy to identify that cloudSec prep is actually configuring IAM and hardening some servers, that there are a ton of jobs here, and that this is the future of SOC work.
Certs provide scaffolding. If you don’t think this, you’re giving your mentees pretty bad advice and should try to open up your viewpoint here.
I’ve helped lead fairly large 0->Sec Job 1 volunteer/non-profit groups, and have seen X000’s of success stories and failures. Failures always share three things; successes always share the inverse:
- don’t understand that people-networking matters
- don’t understand that certs won’t get them a job, and will only help, credential-wise, to get past basic HR boundaries. The field of Sec+/CySA is crowded as hell.
- do projects that veer toward very basic red team work and overall fall fairly outside the territory of what they’ll actually be hired for. If they had taken a cert, a job description, and a cloud or SIEM localhost home lab, they could instead do very simple, almost out-of-the-box projects of the kind they’d work on immediately once hired.
It seems like you got into computer security a fair bit ago, and have a lot of experience on the appsec side.
That background, paired with “certs are worth nothing”, points out two blind spots to me:
- the value-add certs have exists in non-appsec areas, putting aside CISSP and promotion paths. CySA is going to help you be a better SOC analyst, but yeah, it’s not getting you into NCC Group anytime soon. A CS degree or knowledge in that direction matters a lot more/only. SWE<>Sec exists in a totally different part of the field, in a way.
- early-days security folks have a very different view on how to get into the industry. Back then, it was pre-certs, and really even pre-compsec jobs. Things are a bit different now.
You may not realize that where you stand depends on where you sit, but it sounds like you’re pretty far from new talent pipelines these days.
If single-sentence platitudes are how you want to engage, then I’m done as well.
It’s kind of amusing to tell somebody whose prior ventures were “how do we do tech hiring better” and “being the interim security team for small companies, and then helping hire their replacements” that they seem pretty far removed from new talent pipelines.
The most I’ll concede is that certs are very useful in identifying job opportunities: if a tech job uses certs to assess a candidate’s/employee’s skills or value, it’s a good indicator not to take that job.