RE: [ISN] INFOSEC: Certifiably Certified

From: InfoSec News (isnat_private)
Date: Tue Oct 29 2002 - 03:04:52 PST

  • Next message: InfoSec News: "[ISN] Linux Security Week - October 28th 2002"

    Forwarded from: Brad Bemis <Brad.Bemisat_private>
    [OK, seriously, this is the last reply on this topic, I'll start 
    sending replies to Rick Forno for his next essay. ;)  - WK]
    Hash: SHA1
    Odd...  This never happens...  Security practitioners locked in a vocal debate
    over the value of certification?  Who would have thunk it?  ;-)  
    - From one side, you have those that believe that certifications have little
    or no value to those operating in the security industry.  These
    anti-certification pundits focus on experience as the prime attribute of a
    capable security professional.  They see certifications as a pathetic
    attempt by the uninitiated to lure hiring managers into slapping down a big
    fat pay check, or as a play by the certifying entities for the unearned
    dollars of lemmings that simply follow a trend.  
    On the other end of the spectrum sits the certification advocate who voices
    that certifications provide a common yardstick by which all security
    professionals across a diverse field can be measured against an industry
    standard.  They see certifications as a common denominator separating the
    wheat from the chaff.  They smile down their noses at those who lack the
    air of authenticity that comes from a rolled up piece of parchment.  
    I find it so interesting to see security practitioners voice such absolutes
    about their position on this matter when the basic tenants of our
    profession clearly underscore the role of certification...  You just need
    to step back and take another look.  How many times have you been told (or
    even said yourself) that there is no panacea for information security?  How
    many times have we called upon the essence of 'defense-in-depth' as our
    guiding light in a dark digital world?  Who among us has learned all there
    is to learn about information security and can cast disparities at those
    still trying to find their way?  
    Let us apply this same series of concepts to the role of certifications as
    one of the myriad of responsibilities assigned to those calling themselves
    professionals within this dynamic field.  
    Yes, demonstrated experience on the front lines, above all other things,
    stands the best chance of differentiating between varying levels of skill,
    but let's not forget some of the other elements that compose the foundation
    for what I will now refer to as security "competence-in-depth".  I think
    you will find that there are many of us (probably a vast majority) that
    would much rather denote competence through a series of activities rather
    than a singular focus.  
    I see it as a lifecycle process (yet another concept that we within the
    security community should be intimately familiar with as a critical success
    factor in most of our endeavors) consisting of (in no particular order
    because they should all be continual processes):   
    	Formal Education (school)
    	Professional Education (courses)
    	Hands on Learning (daily exposure)
    	Experience (long-term exposure)
    	Reading (self learning)
    	Writing (sharing your experiences)
    	Involvement (professional associations)
    	Teaching (course instruction)
    	Certification (milestones)
    	Recognition (awards)
    	Again, and
    	Again, and
    Certifications play an important role in the development of those who
    recognize their value as yet another opportunity to grow as a professional.
    No, not everyone with a certification is qualified to do the job defined by
    the test objectives.  You may judge the competence of a certified
    individual based on your own experiences and biases for or against a
    specified credential, but I would be more interested in seeing what kind of
    conversation I might have with someone who has achieved the title of a
    CISSP by way of comparison to a conversation with someone who has earned
    the title of CCIE-Security, of CISA, or of CCP for that matter.  The point
    here being that most certifications today focus on a specific aspect of
    information security (yes, even the CISSP with its ten domains is focused... 
    on security management, not technical security implementations).  As a 10
    year veteran of information systems and security, I would never hold a
    CISSP to the same level of accountability for the technical implementation
    of a CiscoSecure PIX firewall that I would a CCIE-Security any more than I
    would hold a CCIE-Security accountable for the development of a corporate
    information security policy framework.  
    The field of information security is so broad and dynamic that there is no
    one way for any of us to define what does and does not 'qualify' an
    individual to share with us the coveted title of information security
    professional (or whatever moniker you associate with your position) . 
    There must be ways to categorize levels of professionalism and competence
    in a way that makes sense to those of us who rely on each other to see our
    way clear to the other side of the common challenges we face.  Judge not
    the certification, judge its bearer.  Not just on a single criteria, but on
    a broad range of disciplines that will give you greater insight into the
    true caliber of the individual.  
    I for one believe that someone with the appropriate background, skills to
    demonstrate, a thirst for knowledge, a desire to succeed, and a drive to
    dominate would simply take the time to ante up and get certified as a
    professional responsibility.  You see, I sit in the middle of the road,
    somewhere between the two primary poles of opposition.  I see
    certifications and individual attitudes toward them as yet one more way to
    differentiate between practitioners and professionals.         
    Of course that is just my opinion, I could be wrong...
    P.S.  And yes, I know many practitioners that are excellent security people
    without a certification and many certified people that I wouldn't let touch
    my child's Playschool computer.  If your arguments to this message are
    based on this or similar arguments, please reread the message. 
    Certifications are A SINGLE ELEMENT of the process that defines a true
    security professional.  This is simply my opinion...  yours is just as
    Thank you for your time and attention,
    Brad Bemis, CISSP, CISA, CBCP
    MCSE, MCP+I, CCNA, CCDA, NNCSS, Network+
    Information Security Officer
    Version: PGP Freeware, Ver 6.5.8CKT - Build 8
    Comment: KeyID: 0x691D248A
    Comment: Fingerprint: ECF3 F29A 65FD 3437 46FC  FADF 54B9 6BD1 691D 248A
    -----END PGP SIGNATURE-----
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Oct 29 2002 - 06:09:26 PST