Forwarded from: Aj Effin Reznor <ajat_private>

[Last reply on this subject.... - WK]

"InfoSec News was known to say....."

>
> Forwarded from: "BERNARD, Mark" <MEBERNARat_private>
>
> Dear Associates,
>
> The one thing that you appear to have overlooked is one fundamental
> principle of incident handling and Information Security, that is to
> ensure that who you are getting advice from has some basis for their
> decision making.

...or to also display an assumed level of competency to be able to
sufficiently locate knowledge if not already possessed (as in lawyer
reference, below. Case study is rather recurring).

> Certification simply implies that a person has a basic level of
> knowledge; it does not imply that they know how to use that knowledge.
> That only comes with experience and/or mentoring.

And herein lies the lab...

> If you look at the most revered professions within our society you
> will see that some level of certification under a common body of
> knowledge is necessary for that profession to become stable and
> continue to develop. A few examples are lawyers, doctors, mechanics,
> etc...

Where the professions you list typically have a serious governing body
over them (state bars, AMA, ASE), what does the security arena have?
Multiple conflicting and competing (and practically ad hoc)
organizations that, well, conflict and compete for attention, respect,
and god bless the almighty dollar yet again.

CISSPs. There's an *excellent* example of something where you have a
"common body of knowledge" yet knowing how to *apply* this knowledge
never comes into play. Of the CISSPs I know or have met, I think maybe
3 are what I would consider to be "competent" at the very least when it
comes to security. The rest are, well... certified on paper, but I
wouldn't trust them to secure an NT or a RedHat box. Seriously.

Certifications are like *any* test from grade school through college
and beyond: they are a way of showing that you can regurgitate
requisite data in a more or less coherent manner. They in NO way show
that you understand, or comprehend, the material in question. At least,
there isn't currently with security certs. Again, *currently* with
*security certs*.

How do they differ from lawyers, docs and mechanics? Typically any one
of the above requires a few years of schooling in a structured environ
and periodic testing showing ability to not only learn, retain *and*
apply, but to continue applying over time that which was learned
previously, coupled with current doctrine.

Security? Shell out the cash, take a test. In some cases, attend a few
seminars and write a few papers on them to get/retain your "currency".
Problem is, security changes so much, so fast, that having written
coursework on it would be expired before it was half completed. Some
universities are working on security-based skills and titles with their
CS degrees, but would I trust a student fresh out of school to hire?
Hell no! Experience is a must, of course!

Oh, and don't get me started on CISSPs (esp. the grandfathered ones, of
whom I'll spare you all my usual discourse wherein I question just about
everything about the subject matter) and their smug attitudes. I was
accused recently of being 'glib' with some of my postings on this list.
Personally, I'd rather be glib than smug :)

> To boldly state, as a few of you have, that all certifications are
> basically useless is not to understand the goals of these
> certifications.

I'll boldly state the opposite and say that all certs are useless
because of their goals: "showing that the bearer could repeat requisite
material without necc. understanding how to apply that knowledge in a
real-world situation". That some skilled people *do* have certs does not
legitimize the cert at all.

-aj.
-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Oct 28 2002 - 07:06:49 PST