1998-04-30-11:28:08 Darren:
> 1998-04-29-17:05:16 Bennett Todd:
> > 1998-04-29-16:01:00 Darren:
> > > What about cases where there's a need to get certificates in order to
> > > get business?
> >
> > Never worked in such a field. Some of my employers have, but never
> > anywhere near the computer side of operations.
>
> Really? Never seen a job advert asking for a CNE or MCSE?

Nope. I'm not a Cisco networking specialist, nor a Microsoft Windows
supporter (``I don't do windows''). More importantly, I've never billed
myself as a single-vendor specialist, for which a vendor certification
would be a benefit. Never been around the hiring of same, either.

In fact, I've never seen a job advert for anyone doing anything like the
work I do. Where do people advertise for security analysts and senior
systems analysts? I've only heard of positions via word of mouth, and
the mouths whose words I listen to have never mentioned certifications
as a desirable job qualification.

> > [ Bennett said basically, ISO 9000 is for deceitful vermin ]
> Are you sure you want to make a generalisation like this?

I'm not really basing my sweeping generalization on personal experience,
more on hearsay and lack of personal experience :-). It may or may not
be significant that no organization I've worked in has regarded ISO 9000
as anything other than a topic of derision. Can anybody out there cite
an example of a respectable and reputable company that has pursued ISO
9000 certification, or a customer that has mandated it in a contract to
their benefit?

> > > In my mind, it is reasonable to expect that some certificates
> > > are there because they don't represent just a desire to get the
> > > certificates, but a desire to do the work required to get them too
> > > and a desire to meet a client's needs.
> >
> > In some industries this is true. Such industries aren't places where
> > I'd work. Interestingly, such industries have been quite impressively
> > conspicuous for poor security. Hmm.
>
> You must be talking about the computer industry then :-)

I wouldn't say so, no. Parts of the computer industry. Government
contractors, for instance. In the financial sector, where I've been
working the last 8 years, people take security very very seriously, and
there are very few incidents, which get a lot of publicity. By contrast,
it's hardly news anymore when a government system gets burgled;
certificates notwithstanding, they get burgled all the time. Fortunately
the cost is small; they just run off another mimeograph of the press
release that states that no classified computers are attached to the
internet, so this incident isn't significant.

To sum up, what I'm hearing is that people with experience working in
the computer security field deride certification; they've seen it used
primarily as a resume-padder for the unqualified, and note that given
the speed with which the field evolves, all a certificate demonstrates
is a desire to get certificates.

Supporters of certification claim that such approaches could be good; if
the computer security industry were like e.g. medicine, perhaps we could
have an organization like the AMA. No wait, if the computer security
industry were like the practice of law, we could have something like the
ABA. No, hang on, that still sounds pretty slimy, maybe if the computer
industry were like accounting, we could have certificates like the CPA
and the CFA. That's the ticket! Heck, I'd agree, give it a few thousand
years to mature and stabilize, and perhaps computer security practice
will be as amenable to certification as accounting practice.

-Bennett