> If you are a "security professional", or want to be, I would recommend
> taking a certification course from a company that has pull within the
> industry. I have worded this very specifically. The valid derision of
> current security professionals notwithstanding, a security certification
> will provide you with enhanced credibility when presenting yourself as an
> authority on security.

I'd like to mention that I do not think certification is a bad thing. The place where certification hurts is when it's used as a barrier to entry to newcomers in the field. If, for example, there was a Union of Computer Security Guys and you had to pass a test and be a member of the union before you could do security, then all innovation and energy would be lost from the field, which would die an intellectual heat death. The reason that the Internet is such a happenin' place is because ANYONE with a good idea can get in front of millions of people - fast. Someone out there right now may be about to invent some incredibly wonderful security tool and if there was a barrier to their entering the field, it wouldn't happen.

The argument in favor of certification that the pro-certification forces should make (but fail to!) is that in the default of some kind of way of proving your credentials, the customer will turn to large, recognized, big names. This is known as "branding" in marketeer. I.e. "Arthur Andersen" or "Ernst & Young" become brand names. As the market grows, smaller brand names become diluted because they cannot market against all the noise. This process is taking place -- it's not bad -- it's just evolution. There are probably more CIOs now who know the name ICSA than Steve Bellovin. That doesn't mean that Steve'd be out of work; it just means that broad appeal transfers to specific targeted projects.

At a previous job, I thought I was gonna get filthy stinking rich, and one of the projects I was going to do with my free time was become a certifier of experts. For free. The requirement would be to write a paper on some relevant topic, then be willing to pay your way to come take an essay test and a brief oral exam with a board of your peers. Again, for free. I'd use the exams as an excuse to get cool security people to come hang out and drink beer before the board exams. :) Unfortunately, I didn't get rich on the deal, so there ya go...

The trick to certification is to prove that the proposed expert can reason about problems in their area of expertise, not simply memorize test answers. I don't know enough about the test procedures used by the various testing boards, but I do not believe in static testing. A dissertation/essay exam/peer board review is something I'd have no problem with at all. I'm showing a lot of bias I inherited from my dad the professor, who believes you can't be said to know something unless you can stand up without preparation, and talk about it until everyone else falls asleep (his description of a doctoral defense).

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:57:47 PDT