Re: [ISN] INFOSEC: Certifiably Certified

From: InfoSec News (isnat_private)
Date: Mon Oct 28 2002 - 04:18:48 PST


    Forwarded from: Aj Effin Reznor <ajat_private>
    [Last reply on this subject....  - WK]
    "InfoSec News was known to say....."
    > Forwarded from: "BERNARD, Mark" <MEBERNARat_private>
    > Dear Associates,
    > The one thing that you appear to have overlooked is one fundamental
    > principle of incident handling and Information Security, that is to
    > ensure that whoever you are getting advice from has some basis for
    > their decision making.
    ...or to also display an assumed level of competency to be able to
    sufficiently locate knowledge if not already possessed (as in lawyer
    reference, below.  Case study is rather recurring)
    > Certification simply implies that a person has a basic level of
    > knowledge; it does not imply that they know how to use that knowledge.
    > That only comes with experience and/or mentoring.
    And herein lies the lab...
    > If you look at the most revered professions within our society you
    > will see that some level of certification under a common body of
    > knowledge is necessary for that profession to become stable and
    > continue to develop. A few examples are lawyers, doctors, mechanics,
    > etc...
    Where the professions you list typically have a serious governing body
    over them (state bars, AMA, ASE) what does the security arena have?
    Multiple conflicting and competing (and practically ad hoc)
    organizations that, well, conflict and compete for attention, respect,
    and god bless the almighty dollar yet again.  CISSP's.  There's an
    *excellent* example of something where you have a "common body of
    knowledge" yet knowing how to *apply* this knowledge never comes into
    play.  Of the CISSP's I know or have met, I think maybe 3 are what I
    would consider to be "competent" at the very least when it comes to
    security.  The rest are, well... certified on paper, but I wouldn't
    trust them to secure an NT or a RedHat box.  Seriously.
    Certifications are like *any* test from grade school through college
    and beyond:  They are a way of showing that you can regurgitate
    requisite data in a more or less coherent manner.  They in NO way show
    that you understand, or comprehend the material in question.
    At least, there isn't currently with security certs.  Again,
    *currently* with *security certs*.  How do they differ from lawyers,
    docs and mechanics?  Typically any one of the above requires a few
    years of schooling in a structured environ and periodic testing
    showing ability to not only learn, retain *and* apply but to continue
    applying over time that which was learned previously coupled with
    current doctrine.  Security?  Shell out the cash, take a test.  In
    some cases, attend a few seminars and write a few papers on them to
    get/retain your "currency".
    Problem is, security changes so much, so fast that having written
    coursework on it would be expired before it was half completed.  Some
    universities are working on security based skills and titles with
    their CS degrees but would I trust a student fresh out of school to
    hire?  Hell no!  Experience is a must, of course!
    Oh, and don't get me started on CISSPs (esp. the grandfathered ones,
    of whom I'll spare you all my usual discourse wherein I question just
    about everything about the subject matter) and their smug attitudes.
    I was accused recently of being 'glib' with some of my postings on
    this list.  Personally, I'd rather be glib than smug :)
    > To boldly state, as a few of you have, that all certifications are
    > basically useless is not to understand the goals of these
    > certifications.
    I'll boldly state the opposite and say that all certs are useless
    because of their goals: "showing that the bearer could repeat
    requisite material without necessarily understanding how to apply that
    knowledge in a real-world situation".  That some skilled people *do*
    have certs does not legitimize the cert at all.

    This archive was generated by hypermail 2b30 : Mon Oct 28 2002 - 07:06:49 PST