Today, today I rant.
DFIR Training (Brett Shavers)
The most complete DFIR resource on the planet. Digital forensics software, hardware, training, white papers, and more.
AKA: The Last Thing We Want in DF/IR is the First Thing We Need in DF/IR, Part Deux
TL;DR
DFIR standards are a mess—a confusing, convoluted, and chaotic disaster that’s doing more harm than good. And we have no one to blame but ourselves. Vendors, universities, certifying bodies, and practitioners/experts in the field have all played a part in turning what should be a straightforward path into a career into a labyrinth that’s nearly impossible to navigate with overwhelming and unnecessary complexity. Levels upon levels of complexity!
Note. I take personal blame, too.
Today, I rant
This is part two of a post I wrote back in 2017 (https://brettshavers.com/brett-s-blog/entry/the-last-thing-we-want-is-the-first-thing-we-need-in-df-ir). And guess what? The problems I identified then have only gotten worse. Every month, I get DM’d and emailed by people who are trying to break into DFIR. They want to know what certifications they need, what degrees are worth pursuing, which training to take, and how to get that first job. But the real question they should be asking is this:
“How do I cut through the BS and find a clear and direct path into DFIR that doesn’t leave me broke, frustrated, and disillusioned?”
Universities: Stop Promising a Rose Garden
Universities play a crucial role in shaping the next generation of DFIR professionals, but there's room for improvement in aligning educational programs with the realities of the field. Recently, I spoke with students at several universities offering digital forensics as part of their cybersecurity degree programs. Many of these students were under the impression that they were fully prepared for a career in DFIR, but they quickly realized that the curriculum they were following didn’t match the skills needed in the industry. They may as well have chosen a degree in basket weaving.
This is not to place blame but rather to highlight an opportunity. As the DFIR field evolves, so too should educational programs. By working closely with industry professionals, universities can ensure that their programs are relevant and provide students with the practical skills and knowledge they need to thrive in the real world. Clear communication about what these programs offer, and perhaps even integrating more hands-on, scenario-based training, could benefit students and better prepare them for the challenges they’ll face in their careers. Put the right person in the right seat. That is all.
YES! There are growing exceptions, and you know who you are. Keep doing good work!
Vendors: Quit with the Magic Button
Vendors have a unique position in the DFIR ecosystem, providing the tools and training professionals rely on to do their jobs effectively. However, with the rapid expansion of certification programs and training courses, ensuring that these offerings truly deliver value to learners is crucial.
Instead of focusing solely on certifications that might look good on a resume, there’s a growing need for training emphasizing practical, real-world application. Learners are looking to gain the skills they need to excel in their roles—how to effectively use the tools, understand their limitations, and push them to their full potential. When training focuses on these aspects, it benefits the individual and enhances the overall capability of the industry.
I’ve seen some vendors doing this exceptionally well, and I encourage others to follow suit. By prioritizing the practical application of skills and offering meaningful, in-depth training, vendors can ensure that their programs contribute positively to the DFIR community and help bridge the gap between theory and practice.
***AGAIN! EXCEPTIONS ARE EVERYWHERE!***
You also know who you are, and for those with great training, keep doing good work!
The NICE Framework: A Bureaucratic Nightmare
Let’s talk about the NICE Framework. It’s supposed to be the gold standard for defining job roles, skills, and competencies in cybersecurity, including DFIR. But what it is, is a bureaucratic nightmare. I found their spreadsheet that is supposed to simplify the framework, but there are 56 separate worksheets with 12,428 rows of information. Who the hell has time to sift through all that and end up more confused than when you started just to try and identify a job and skill for that job?
NICE, NIST, DoD, SANS—pick your acronym—they’re all contributing to this bottomless pit of information that’s more about checking boxes than helping people get into the field.
But it’s a start!? Maybe…or a start of a race to the bottom.
Job Titles: Funny not Funny
Job titles in DFIR have become a joke. I stopped counting after I counted 300 different titles under the cybersecurity umbrella. Just in the digital forensics subfield alone, there are at least 50 different titles. Computer Forensic Analyst, Cyber Forensic Analyst, Digital Forensic Examiner—seriously? It’s all the same thing, just with different labels. This isn’t clarity; it’s chaos. We’ve created a situation where even the job titles are meaningless, and newcomers are left trying to decipher a mess of jargon that does nothing but create barriers.
Training and Education: A Never-Ending Quest
The DFIR training and education landscape is a scam if learners don’t know what to spend their time and money on. There are over 400 college degree programs, over 500 continuing education programs, over 50 large private training vendors, and over 400 smaller niche training vendors in the USA alone. Globally, there are nearly 3,000 institutions and vendors offering some form of cybersecurity education. It’s a billion-dollar industry full of legit, meaningful, and pertinent training, but we are haphazard in delivery and purpose. If one takes the right path with exemplary trainers/educators for the right target, every dollar and minute is well spent and will return 1000x. If not, it is money and time wasted.
It can take years before you know precisely the training and skills that you need. At that point, you can drop $1 into training and come out $10 ahead in skill and time saved. But to get to that point... takes a lot of $1s...
Certifications: A Pyramid Scheme by Any Other Name
Let’s talk about certifications—over 1,000, each with its own acronym, and each promising to be the key to unlocking your DFIR career. But if you had even 10% of them, your signature line would be longer than your resume, and your bank account would be in the red. This isn’t a career path; it’s a pyramid scheme. And the worst part is, most of these certifications don’t even guarantee you’ll be able to do the job once you land it. They’re just expensive pieces of paper that you’re told you need to succeed. I constantly suggest finding an employer that you want to hire you and earn the certs that they require. But what happens to all that money and time spent if that employer doesn’t hire? You hope to find another employer who wants the same certs... and is willing to hire you.
CTFs: Time killers?
Capture The Flag (CTF) competitions are supposed to be the proving ground for your skills, but the reality is that there are thousands of them, each one as irrelevant as the last. How are you supposed to know which ones matter? How are you supposed to navigate this mountain of challenges and come out with something that actually adds value to your career? The truth is, you probably can’t. Winning CTFs is cool, but is it that strong on a CV?
Tools: The Never-Ending Parade of Buttons
And let’s not forget the tools—thousands of them. Some are free, some cost tens of thousands of dollars, and most are so niche that you’ll probably never use them or need dozens of them for a single case. But at least competition keeps competition in developing tools for the better. But which tools do you sink your budget into? The question is, which tools do you need, which are good to have, and which do you not need to ever use?
Skills Needed: A Checklist from Hell
Let’s talk about the skills you’re supposed to have. Security, Linux, Mac, Windows, Mobile, malware reversing, critical infrastructure, software programming, offensive security, pentesting, legal knowledge, threat intel, writing, communicating—the list goes on. Which do you need? How deep do you go in each? And where do you even start learning them? No one knows because no one can agree on what matters. You have to know a little about a lot and know a lot about a little, but what is a lot and what is a little?
Cost of Entry: Stop Whining and Start Fighting
For those working to enter the field, here’s a reality check: Stop expecting to get into DFIR for free and stop complaining about it. There’s both a time commitment and a financial commitment. The more you have of one, the less you need of the other. But if you’re short on both, you must stop whining and fight for your place in this field. Yes, it’s expensive. Yes, it’s time-consuming. But the alternative is to quit and join the military since they have “free” cyber training! I say “free” because you pay for it daily, sometimes with life or limb.
Consider that you get what you pay for. If something is 'free', there is a reason for that. Maybe the information is stale, or the app is not supported or updated, or the trainer is outdated or ineffective. If there is not a cost tied to an educational event or tool, then the cost will be time to self-learn or re-learn what was wrongly learned. Yes... exceptions exist with some outstanding free tools and training, but to know which ones this applies, you have to know which ones to which this applies.
Those in DFIR also need to stop fighting against the tide and open the door for others to follow. I would much rather help someone who will do better than me than keep someone out.
The Problems: A Broken System that We Allowed to Happen
There’s no clear path to picking a job role, no clear path in training or education, no clear path in job or skill requirements. The differences in role requirements and skill expectations are so vast that knowing where to start is impossible. Career potential is exaggerated to fill seats in degree programs, tools overlap to absurdity, job roles are commingled beyond recognition, and job requirements are confusing and irrelevant. And we allowed it to happen. No, that’s not accurate: We made it happen.
The Solution: Time to Burn it all Down and Start Over?
It’s time to face facts: The DFIR field is broken in regard to standards and entry, and the only way to fix it is to burn it down and start over. We must come together as a community and agree on what’s foundational to cybersecurity. We need to stop letting vendors, universities, and certifying bodies dictate what’s important based on profit margins and start deciding what’s necessary for the field to thrive. Let vendors and universities do what they do best: train to the standards of the community’s needs.
Before you say, “We already did that,” take a good, hard look at the mess we’ve made. The acronyms, the degree programs, the certifications—they’re all part of the problem. And if we don’t take control now, the government will step in and make decisions for us, and I promise you, that’s the last thing we want, but is the first thing we need.
Where to Start: NGOs, Schools, and Trainers—Get Your Sh*t Together
NGOs, educational institutions, and individual trainers, this is on you. You have the power to stop this runaway train before it crashes, but only if you start working together. It’s time to stop the madness of degrees, certs, and skill requirements spiraling out of control. We don’t have a single reference point for baseline DFIR, and it’s killing the field, especially those who keep knocking on the door to get in.
Start with the basics—computer hardware, operating systems, software, networks, ethics, and law. Make this the foundation for every job role in DFIR. If someone can’t master these fundamentals, they have no business moving up the ladder.
Right now, anyone can take a 3-day class, slap a certification on their resume, and get hired to defend or prosecute a murderer, rapist, or terrorist. That’s not just irresponsible; it’s dangerous.
To become an MD (a real medical practitioner), the path is structured, regulated, and clear with delineated steps and milestones. A successful outcome results in a known result: you become a doctor.
To become DFIR, there is no structure for all practical purposes. It is unregulated and confusing, and there is a near complete lack of standardization and milestones. A “successful” outcome is unpredictable: you might be put in a job related to DFIR, but not DFIR, because the years of learning were spent learning the wrong thing.
The standards don't have to be complicated. The standards should allow for many competitors to compete for business which encourages development and improvement in training and education.
And for those who teach what you don't know how to do yourself, or how to teach, just stop. Stop. Teach well what you know well.
Here is a tidbit. Of all the conversations that I have had about this topic with higher education, private vendors, and NGOs, the overwhelming response is that everyone has their kingdom to protect, and few are willing to put their toes out and address this. In my opinion, standardization won't take away from any training entity, as it should increase marketability since learners will know where to go for what they need.
Imagine the first training entity that steps in the spotlight to start the conversation... boom.
Final Words: Tick tock
The DFIR field is at a tipping point. We can either take control and make the changes that are desperately needed, or we can let this broken system continue to drag the community down. The clock is ticking, and the choice is ours. If we don’t act now, someone else will, and we’re not going to like the results.
If I offended you in the post, good. My intention is to talk about what I see as a problem that we should fix before someone else fixes it for us. If we let a government fix it, our standards will be more out of sync than a server with no NTP.
DFIR is (should be) about justice. What we are doing to the field and newcomers is the exact opposite. Who suffers the most from this: victims in our cases.
DFIR, Ethical Hacker
2 months ago
I don’t think that any two people that I know with one of the job titles came to the role in the same way. While the different perspectives can help a team, it is wildly confusing to someone interested in the field!
The most complete DFIR resource on the planet. Digital forensics software, hardware, training, white papers, and more.
2 months ago
I also do not advocate for extreme granularity in requirements. We simply could use basic requirements as a foundation that covers all roles under the cybersecurity umbrella that are basic. We are too quick to expect entry level DFIR to have the skills of an experienced practitioner. They just need a foundation, particularly of the skills that we don't necessarily focus on, like ethics and law.
VP of Marketing at Nighthawk Digital Marketing | Global Leader in Product Marketing Management
2 months ago
Highly recommended!!
CyberSec and Digital Forensics Analyst @ eForensics | Digital Forensics Expert
2 months ago
Well said! However, as the profession matures I hope that our legal system will consider certifying DFIR professionals and continuing education requirements with baseline training