Re: Network Security Certification

From: Bruce K. Marshall (bkmarshat_private)
Date: Wed Apr 29 1998 - 08:19:12 PDT

    This is a cryptographically signed message in MIME format.
    
    Paul D. Robertson wrote:
    
    > I seriously questioned the real-world value of such certifications
    > based on my experiences with the people who held them.  I know folks who
    > have them who are _seriously_ missing pieces of the real-world puzzle.
    > Some of them are fair at the business side things, but I've yet to meet a
    > certificate holder who impressed me because of the certification
    > process, or other than one case, their grasp of real-world security problems.
    > 
    > In the ensuing time since this went around, I've met another couple of
    > holders, one of whom I would actually trust to do real-world
    > evaluations of my networks.  All the experience and knowledge said person gleaned
    > that made them meet my criteria was prior to them even considering the
    > test.
    
        And this really is the criteria that certifications focused on in
    the beginning.  A CDP or CNE was supposed to be a standard of proving
    that you had experience in your given field.  Of course, people who
    didn't have this experience also wanted to become certified so
    vendors/organizations designed courseware to "supplement" a person's
    knowledge and essentially prepare them for the exam.  Some trainers
    still mention (tongue-in-cheek) that this course is for education and
    not to prepare you for a test, others have dropped the charade
    altogether.
    
        In my opinion, some courseware has continued to lower their
    requirements for prior knowledge so that you really only need to be
    familiar with using a mouse and keyboard to become a certified
    something.  The term "paper" CNEs/MCSEs/etc. has gained popularity among
    those of us having experienced the real lack of knowledge among some
    certified individuals.
    
        After all, what is that rule about learning and retention? 
    Something like you lose 50% after a few weeks or so.  It takes real
    world experience to be able to truly understand and utilize computer
    concepts.  The more the better, since everything tends to have some
    relation in computing.
    
        Certification isn't necessary to do this, but with some people it
    helps to put the point across in the beginning (or on resumes). 
    Obviously this depends on your prior experiences with certified
    individuals, as you state.
    
    > If your resume came across my desk, and you had certification but not
    > experience, it wouldn't mean much to have the certification.  If you
    > had experience but not certification, it wouldn't mean much not to
    > have the certification.
    
        The (ISC)^2 has been fairly sensitive of this fact and tries to
    address it through several measures.  Foremost is their requirement that
    you have at least 5 years of related experience in the information
    security industry before you can take the CISSP exam.  This doesn't stop
    people from lying, but they would risk possible detection and
    certification stripping.
    
        Ongoing education and training is also required for you to maintain
    your certification.  Over a three year period a certified individual
    must earn 120 Continuing Professional Education credits (CPEs) through a
    variety of methods.  Essentially things like attending classes,
    conferences, teaching, writing articles/books, self study, submitting
    new exam questions, or retaking the exam all count towards earning
    CPEs.  Plus, they limit how many CPEs you can earn doing certain
    activities.  More info on this can be found at
    http://www.isc2.org/recert.htm
    
        The biggest complaint about the (ISC)^2 and the CISSP exam is the
    age of the material (it does have a slight mainframe slant due to the
    founder's own experience) and the quality of the exam.  I understand
    that since I sat for the exam some significant steps (including an open
    two day meeting to review questions) have been taken.  The CISSP will
    gain a lot more value if this path of improvement is continually
    followed.
    
    > I've been RACF "special", I've been a VM sysprog, my first job had IBM
    > 360 mainframes running DOS.  I've yet to see a certification process
    > that tests enough current knowledge to be more useful than the same amount
    > of time spent doing individual research.
    
        This is indeed the main fault with current certification testing
    which in turn can place the blame on our industry's rapid growth and
    expansion.  Some organizations obviously make more of an effort to keep
    up to date than others.  Unfortunately, most people are left to find
    this out for themselves during a test.
    
        Your other point about individual research is also quite valid.  I
    would love to tell management that I'm taking off a week (non-vacation
    time) to study the intricacies of IPv6 and have them accept it.  Somehow
    they seem a little more receptive to letting me go for a week to sit in
    a classroom and learn the basics of TCP/IP from Microsoft.  Luckily this
    doesn't prevent me from also supplementing my textbook education with
    any other materials either during this time or off-hours.
    
        It also boils down to what type of learning you respond to the
    best.  Some people are able to grasp concepts better when they are provided
    by an instructor.  Some people hate classroom environments and won't
    utilize them.  Each to his own, I suppose.  The main goal should always
    be to achieve an accurate and useful education.
    
    -- 
    Bruce K. Marshall, CISSP - bkmarshat_private - Feist Communications
          2424 S. St. Francis - Wichita, KS 67216 - 316-264-2248
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:57:42 PDT