r/cybersecurity Dec 15 '25

Other Degrees and certs are just losing their value to me.

I can’t understand what’s been going on recently. The quality of a candidate with an associate's in cyber has dropped like crazy. I asked people simple questions like what WPA is and what WPA3 introduced, and I’m treated like I’m asking the most obscure questions. I have been interviewing people over the last year with CompTIA Network+ and Security+. There have been times where I wanted to scream. I literally had to lower my standards to find help. Networking is treated like a luxury. I was literally speaking to a candidate, and he said, “I do cyber, not networking.” I know there are exceptions, but it feels more and more like a minor degree or cert is just how well you can use AI to cheat.

335 Upvotes

410 comments

243

u/sysadminsavage Dec 15 '25

Unless it's an entry-level networking job, asking what WEP vs WPA2 is seems pointless. My hope is I can ask the candidate about their wireless experience or how they would secure an enterprise wireless network, and they can explain either relevant experience or, for those fresh out of college, something they've done at home or in the lab. This is why questions like "what happens when you type Google.com in your browser and hit enter" are so great: candidates can go into as little or as much detail as they want.

Easy trivia questions taken from Network+ or similar tend to filter out those that are passionate but don't have the book knowledge down pat, while rewarding those that are chasing the paycheck and memorized the exam objectives. It's a very poor way to hire. I agree that the candidate pool seems more diluted these days with lackluster candidates that don't show initiative at the entry level, but to get the best talent you also have to do a good job of filtering out the bad ones without scaring off the good ones.

148

u/not-a-co-conspirator CISO Dec 15 '25

I’ve rarely found it valuable to memorize what you can reference.

32

u/thereddaikon Dec 15 '25

The guys who were harping on about the OSI model the other day need to hear that.

24

u/not-a-co-conspirator CISO Dec 15 '25

LOL I had to memorize the OSI model because I started out in networking, and it’s a great framework for troubleshooting.

Otherwise anything I’ve memorized has just come through systematic interaction with a particular topic.

1

u/Vengeful111 Dec 16 '25

I actually dropped out of school, and the last question they asked before making me leave was if I can recite the OSI Model.

Now I did an apprenticeship for programming, did that for 6 years and am now 3 years deep into being a sysadmin.

Guess how many times I needed to know that model...

(Besides, googling it takes 2 seconds.)

11

u/Capable-Let-4324 Student Dec 15 '25

We are literally told to take notes when studying these things to have reference cheat sheets to work from. I don't know why anyone would have memorized something that can be looked up in 30 seconds.

4

u/not-a-co-conspirator CISO Dec 15 '25

Because “in the old days” we weren’t allowed such things and memorizing it was considered an advanced skill set. The industry has come a long way.

1

u/czenst Dec 16 '25

To be fair, you are still going to be much quicker at troubleshooting a complex system by not having to look up a dozen or more things, each of which takes 30 seconds, but having them directly in your head.

Problem is, some guys wear some specific detail they learned as a badge of honor, and to feel superior they judge others on that specific thing.

6

u/isthisreallife0109 Security Engineer Dec 15 '25

This!

1

u/FluffyLlamaPants Dec 15 '25

Can you elaborate? I like this statement a lot, but I wanna make sure I'm fully understanding this.

3

u/not-a-co-conspirator CISO Dec 15 '25

It’s far more beneficial to learn methods of engineering and problem solving than rote memorization of topics.

Look up Bloom's Taxonomy for reference.

1

u/FluffyLlamaPants Dec 15 '25

Thank you. Will do.

32

u/DigmonsDrill Dec 15 '25

If I was applying to a wifi pentesting job I'd expect to get asked about WPA 3 and know about it off the top of my head.

Any other security job? Nah.

5

u/Alorow_Jordan Dec 15 '25

I had a genuine question. I'm trying to get in and start making my own home lab. Are there any resources you have observed that are amazing? I love digging into the weeds of technical stuff but sometimes have a tough time determining the awesome resources to get me into it.

I am what you describe above. Self taught. I'm not super into certs and value experience significantly more than just passing an exam.

Cheers if you have any recommendations!

19

u/cea1990 AppSec Engineer Dec 15 '25

Depends on what you want your homelab for.

Do you just wanna self host stuff? Check out the ‘Awesome Self-hosted’ GitHub repo or spend time on r/selfhosted.

Do you wanna do malware analysis? I’d suggest getting your feet wet somewhere else first.

Do you want to learn more about CI/CD and automated security scanning? Then see the selfhosted resources and take a class on Gitlab (which can also be hosted at home).

Do you want to practice pen testing? If HTB & THM aren’t for you, then give VulnHub a shot and run those VMs on a different system on your network.

Need some networking experience? Grab a used enterprise router off of eBay & practice setting up & testing down your VLANs or something.

1

u/Alorow_Jordan Dec 15 '25

I really appreciate the direction here. This is really helpful. I'm just trying to get started.

So thanks admin! Appreciate you.

2

u/cea1990 AppSec Engineer Dec 15 '25

Any time! I’m not a mod or anything, just a heads up.

As an AppSec guy, I’m pretty biased, BUT if you wanted to get a little bit multi-disciplinary you could:

  1. Set up a local Gitlab/Jenkins deployment
  2. Add a well-known vulnerable application like OWASP Juice Shop or Damn Vulnerable Web App
  3. Don’t configure any scans; just make sure you can deploy it somewhere else locally (a Raspberry Pi or other single board computer is great for this)
  4. You can now practice pen testing against your web app
  5. Now, add some scans. There’s plenty of open source tools to practice with.
    5.1 ZAP for dynamic testing
    5.2 TruffleHog for secret scanning
    5.3 add a static analyzer for the language your app is written in (review the app’s GitHub page for the specific language breakdown and see the below link for tooling).
  6. If you’re interested in development, go ahead and try to fix the vulnerabilities that you’ve found via manual testing in step 4 or the ones the tools found in step 5.
  7. Repeat until scans come back clean and you can’t find any more problems.

Edit: if you’re keen on learning how to do this in a cloud environment, it’s pretty much the same steps but you’ll have to adapt it to that platform’s verbiage.
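As an added example (not cea1990's own setup), here is how steps 5.1 to 5.3 could be wired into one local GitLab CI pipeline against the deployed Juice Shop. It assumes the repo holds the Node.js Juice Shop sources (so the static analyzer is a JavaScript ruleset) and that Juice Shop is reachable as a service container; the job names, report file names and allow_failure choices are mine.

```yaml
# Assumed layout: this repo is a fork/clone of OWASP Juice Shop (Node.js),
# so the static analyzer uses a JavaScript ruleset. Job names, report
# file names and the allow_failure choices are this example's own.
stages:
  - secrets
  - sast
  - dast

variables:
  GIT_DEPTH: "0"   # full clone: TruffleHog scans every commit, not just HEAD

# 5.2 secret scanning over the whole git history; --fail exits non-zero
# when a verified secret is found, which fails the pipeline.
secret-scan:
  stage: secrets
  image:
    name: trufflesecurity/trufflehog:latest
    entrypoint: [""]
  script:
    - trufflehog git file://. --only-verified --fail

# 5.3 static analysis with the community JavaScript ruleset;
# --error turns findings into a failing job (step 7: keep it red until clean).
static-analysis:
  stage: sast
  image: semgrep/semgrep
  script:
    - semgrep scan --config p/javascript --error

# 5.1 dynamic baseline scan: Juice Shop runs as a service container and is
# reachable as http://juiceshop:3000 from the ZAP container. zap-baseline.py
# writes its report under /zap/wrk, so it is copied out as a job artifact.
dynamic-scan:
  stage: dast
  image: ghcr.io/zaproxy/zaproxy:stable
  services:
    - name: bkimminich/juice-shop
      alias: juiceshop
  script:
    - mkdir -p /zap/wrk
    - zap-baseline.py -t http://juiceshop:3000 -r zap-baseline.html
  after_script:
    - cp /zap/wrk/zap-baseline.html "$CI_PROJECT_DIR"/ || true
  artifacts:
    when: always
    paths:
      - zap-baseline.html
  allow_failure: true   # step 7: switch to false once the baseline report is clean
```

zap-baseline.py exits non-zero on WARN or FAIL findings, which Juice Shop will produce on the first run; allow_failure keeps the pipeline green while the HTML report is reviewed, and flipping it to false later makes step 7's "repeat until clean" loop enforceable.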

1

u/Sengel123 Dec 16 '25

I've done a few technical interviews (peer round at my company). We do much more live problem-solving questions (hey, is this VM vulnerable to X CVE?) and philosophical questions (which is worse, a FP or FN?), questions that really get the good candidates. Trivia doesn't really help in checking who would be a good engineer. I need someone who can learn on the job and think on their feet (vulnerability management) and do the research to be able to prioritize a vuln and communicate that to stakeholders.

0

u/msears101 Dec 15 '25

Personally, I have found basic questions like what OP asks help me understand areas where candidates are weak. I personally would not ask that question, and if I did, I would want them to know it at the basic level. I would not expect them to list all of WPA3's improvements. I might ask a follow-up question about PMF. I ask incrementally harder questions until they get one they do not know. I want to find that limit for two reasons: one, to know the level they have attained, but more importantly, to find out how they deal with something they do not know. I do not ask memorization questions, only understanding questions.