In some email I received from Bennett Todd, sie wrote: [...] > To sum up, what I'm hearing is that people with experience working in > the computer security field deride certification; they've seen it used > primarily as a resume-padder for the unqualified, and note that given > the speed with which the field evolves, all a certificate demonstrates > is a desire to get certificates. Supporters of certification claim > that such approaches could be good; if the computer security industry > were like e.g. medicine, perhaps we could have an organization like > the AMA. No wait, if the computer security industry were like the > practice of law, we could have something like the ABA. No, hang on, that > still sounds pretty slimy, maybe if the computer industry were like > accounting, we could have certificates like the CPA and the CFA. That's > the ticket! Heck, I'd agree, give it a few thousand years to mature and > stabilize, and perhaps computer security practice will be as amenable to > certification as accounting practice. Maybe...but what about those who feel slighted because working with computers isn't regarded the same as it is accountancy ? What's so good about a Doctors that makes them able to sign for passports/statutory declarations but not us ? Do they have some magic about them that we don't, hmmm ? My hypothesis about this is that because our profession doesn't currently have any use for this, it is convienient for some to pick on those that do. For example, it's a lot harder for a person to grab a book on accountancy, read a bit and then go around charging people $10,000 to do XYZ for them and not give them value for money. Whereas in the computer industry, what surety do we have that your references are worth anything ? Who has ever given bad references on a resume ? If Joe Bloggs puts on a suit, reads an article or two in the newspaper on firewalls, learns the jive and then sells his services successfully to a person for $10,000, what benefit does it give our industry ? Yet, at the same time we're all saying that taking measures that would attempt to deal with these scenarios are worthless. I can't believe anyone who actually takes pride in their work as a computer security professional would want to make it any easier for frauds to inhabit the industry but yet here you all are saying that taking the time to "certify" those who can at least meet some common level is pointless. Sure, there will always be "good" and "bad" people who manage to pass whatever tests there is, but at least if they screw up they can be de-bar'd or deregistered or whatever and no longer able to legally portray themselves as being certified. And if you don't think they exist, just search this list and others related to firewalls for reports of people auditting poorly setup firewalls, etc. Personally, I agree with those who say the certificates only prove you can acquire said certificate. But if said certificate also helps us keep scum out of the industry, then that's an evil I'm prepared to endure.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:57:57 PDT