Is an Ethical Hacking Certification Worth Earning?


It seems like every other month that a major corporation suffers an epic hack, with millions of customers’ data stolen. In the aftermath of those attacks, many companies are turning to ethical or “white hat” hackers to test their defenses. But is ethical hacking an effective counter to unethical hacking, especially when those who practice the latter can do pretty much whatever they want with a wide variety of tools?

Ethical hacking’s cause isn’t helped by the fact that the EC-Council, the Albuquerque, New Mexico-based organization that offers a certification in ethical hacking, was hacked in February. (It doesn’t get much more meta than that.) Michael Goldner, dean at EC-Council’s University, insisted in an interview that the breach occurred downstream: “Our website was secure, but the hosting company under contract had weaknesses in their systems.”


Whatever the cause of the EC-Council breach, ethical hacking as a concept isn’t undermined—but it isn’t the sole solution to the Web’s chronic vulnerabilities. According to Jeff Williams, CTO at Contrast Security, a Mountain View, California-based interactive application security testing company, a realistic approach to defending an organization’s systems involves threat modeling, security architecture, building strong defenses, security testing, code analysis, and eventually some sort of ethical hacking to test potential vulnerabilities.

Williams argues that unbreakable security is a myth: there will always be unethical hackers, and sometimes they will succeed in breaking into a system. “But if organizations monitor the attacks on their infrastructure and respond appropriately, they can learn and make themselves stronger,” he said.


So is there value in an ethical hacker certification? The hack at the EC-Council isn’t exactly a vote of confidence. But the EC-Council’s ethical-hacking certification isn’t the only one that falls under the umbrella of DoD 8750, the Department of Defense directive that established baseline certification guidance for Information Assurance (IA) positions; other, related certifications include the CISSP, OSCP, and Security+ CE. “Typically, these certifications are offered after a class,” Williams said, while cautioning: “None of the skills that hacking requires is easily measurable in a class and exam format.”

Marc Maiffret, CTO of BeyondTrust, a Phoenix-based privileged account management and vulnerability management software-solutions company, admits that while certifications are a start, an ethical hacker needs real world experience and on-the-job training. Like Williams, he’s also a realist: “There is no match for someone with unlimited time and resources… If someone wants to get into your organization, they will.” To minimize the impact of an attack, he added, organizations have to adopt an approach that focuses on monitoring and regulating user privileges once a breach occurs.

“Certifications are a calling card to say you’re committed to the industry, the profession, and lifelong learning,” said Philip Casesa, director of service operations at (ISC)2, a Clearwater, Florida-based nonprofit organization that specializes in information security education and certification. “To maintain certification with us, you have to do education credits. You have to keep learning new technology, skills, threats and protections.” An organization’s commitment to security, he added, ultimately matters far more than any one certification.

Hiring managers are still on the lookout for certifications, and that’s what ultimately matters with regard to getting a job. Cameron Camp, a malware researcher in the San Diego offices of ESET, an IT security company, believes that certifications continue to offer substantial value and a bit more. “They provide a base level of knowledge, and that’s important,” he said. The onus is on the professional to put in the time on the job. “Core development work isn’t always pretty, but you need to apply your skills in the real world.”


8 Responses to “Is an Ethical Hacking Certification Worth Earning?”

  1. To costly

    Certifications, like formal education, have become a joke: it’s not about qualifications, it’s about $$$$. These certificates do a good job of selling the appearance of proper training when all they do is make it harder for qualified individuals to get jobs.

    Book smarts mean nothing to street smarts. You can hire all the theoretical nerds you want, but unethical hackers normally learn through unconventional ways. Too often it’s taught “this is how it works….” when in reality that’s how it’s supposed to work.

    • If you have all of this knowledge simply pass the certification and move on then. Assuming that because someone has a cert they automatically know nothing is ridiculous. There are many out there that have both the book smarts and the street smarts because I’m one of them and I work with a bunch of them. There is also this thing called the “technical interview” that actually gets you hired, cert or no cert, degree or no degree.

      If someone is fresh out of college, a cert will probably get them through the door, all other things being equal, but if you are claiming 10-plus years of experience and you haven’t taken the time to pursue any certs, I would definitely see that as a problem.

      You don’t acquire superior skills just working between 9 and 5, and certs show that you are doing things on your own time to improve your skill set and remain relevant. Or you had better be able to show me your kickass lab/test bed at the house that you are using to master your craft.

      BLUF: if you are not showing your continuing education through acquiring and maintaining certs, which is what it takes to survive out there today because the technologies change every single day, I would not hire or recommend a person be hired.

      And paper tigers always crash and burn during the technical interview.

  2. It would be great if on one page we get an idea of how much money companies saved by sending work to much less qualified IT personnel and how much money they lost due to compromised network security.

  3. OSCP is a certification by ‘Offensive Security’ and it is definitely NOT a classic class+test type of certification. It is hands-on virtual lab work to hack into 60 systems, followed by an exam that requires you to root 4 systems in a 24-hour challenge!

    SANS certifications are also great; although they are classic in the sense (class+test), the material is brilliant and the instructors are phenomenal.

    I am not advertising for the above vendors, but EC-Council certs were never worth the paper they’re printed on (I have an EC-Council cert). ‘Offensive Security’ certifications are tops in the industry. Hands down.

  4. First thing is, don’t blame the entire industry for the failings of the EC-Council. The CEH has long been considered suspect among us that know. I don’t know whose a$$ they kissed to get on that DOD list, but much like the NT4 MCSEs of the late 90s, CEHs are considered paper tigers (disclaimer: poster had an NT4 MCSE cert back in the way back). That doesn’t mean all whitehat certs are suspect; someone above mentioned Offensive Security and SANS, which are both worthwhile endeavors…Offensive Security for its lab-based tests and SANS for its level of training leading up to the test.

    So what is wrong….

    What has happened is that the industry has exploded and there aren’t enough qualified individuals to fill these roles. At the same time, the attack surface has increased by triple-digit percentages (the day grandma got high-speed interwebz is the day it started to go to $hit; yesterday she got a smart phone…sigh). Because of this attack surface, the set of specialized tools has increased as well, and this has caused some security teams to spend too much time doing things that should be left to IT in general. The real fix to all of this is a fundamental shift in how we teach the next generation…Like the High Kings of Arnor, gone are the mythical days of the uber nerd that knew everything about every system forward and back. Our only chance is to make sure that every niche in IT has the appropriate security training drilled into it from day one in school, and every industry is held accountable to a high set of standards. Also, security must not fill a general support role, so stop this nonsense of reporting directly to an ill-prepared, “develop and deliver”-minded CIO. Security must get back to the fundamentals of monitoring systems, advising the decision makers (DIRECTLY), responding to a crisis, testing the efficiency of, and maintaining the security program.

  5. It’s garbage – I know because I have one. The test is a joke, and the company’s security posture is also a joke – just look at their web source. They will teach you how to protect corporate systems but cannot protect their own?

  6. Johnny Balderoni

    CEH ranks among the top certs in the industry, and it was chosen to be the cert for DOD 8570.1. The labs are sophisticated, well planned, and teach the student hacker how to hack. After I was done, I was able to hack into my own computer. I am now an expert white hat and moving on to bigger things. Just wanted to give a shout out to EC-Council for their masterful cert.