Re: How do we do our job?

From: darrenrat_private
Date: Thu Apr 30 1998 - 07:23:10 PDT


    In some email I received from Bennett Todd, sie wrote:
    > To sum up, what I'm hearing is that people with experience working in
    > the computer security field deride certification; they've seen it used
    > primarily as a resume-padder for the unqualified, and note that given
    > the speed with which the field evolves, all a certificate demonstrates
    > is a desire to get certificates. Supporters of certification claim
    > that such approaches could be good; if the computer security industry
    > were like e.g. medicine, perhaps we could have an organization like
    > the AMA. No wait, if the computer security industry were like the
    > practice of law, we could have something like the ABA. No, hang on, that
    > still sounds pretty slimy, maybe if the computer industry were like
    > accounting, we could have certificates like the CPA and the CFA. That's
    > the ticket! Heck, I'd agree, give it a few thousand years to mature and
    > stabilize, and perhaps computer security practice will be as amenable to
    > certification as accounting practice.
    Maybe...but what about those who feel slighted because working
    with computers isn't regarded the same as accountancy is?
    What's so good about doctors that makes them able to sign for
    passports/statutory declarations but not us?  Do they have some
    magic about them that we don't, hmmm?
    My hypothesis about this is that because our profession doesn't
    currently have any use for this, it is convenient for some to
    pick on those that do.
    For example, it's a lot harder for a person to grab a book on
    accountancy, read a bit and then go around charging people $10,000
    to do XYZ for them and not give them value for money.  Whereas in
    the computer industry, what surety do we have that your references
    are worth anything?  Who has ever given bad references on a resume?
    If Joe Bloggs puts on a suit, reads an article or two in the newspaper
    on firewalls, learns the jive and then sells his services successfully
    to a person for $10,000, what benefit does it give our industry?
    Yet, at the same time we're all saying that taking measures that would
    attempt to deal with these scenarios are worthless.
    I can't believe anyone who actually takes pride in their work as a
    computer security professional would want to make it any easier for
    frauds to inhabit the industry but yet here you all are saying that
    taking the time to "certify" those who can at least meet some common
    level is pointless.  Sure, there will always be "good" and "bad"
    people who manage to pass whatever tests there are, but at least if
    they screw up they can be de-bar'd or deregistered or whatever and
    no longer able to legally portray themselves as being certified.
    And if you don't think they exist, just search this list and others
    related to firewalls for reports of people auditing poorly set up
    firewalls, etc.
    Personally, I agree with those who say the certificates only prove you
    can acquire said certificate.  But if said certificate also helps us
    keep scum out of the industry, then that's an evil I'm prepared to

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:57:57 PDT