"Robert G. Ferrell" wrote:

> I have absolutely no desire to revisit the 'value of certification' debate of a
> few months ago, but I have one quick observation to share concerning the
> certification process. I took the CISSP exam earlier this month, and the
> several weeks of intensive study in preparation for it were invaluable. For any
> of you out there who are like me and are simply too busy to read nearly as much
> as you'd like on emerging technologies or advances in extant ones, this enforced
> discipline is priceless. Simply as a result of the exam preparation process, I
> now understand tedious (to me) things like risk management and elliptic curve
> cryptography a lot more thoroughly than I did before.
>
> What I'm trying to say here is that, while I will readily concede that
> certification has its good and bad points, the focus it takes to prepare for the
> exam was, at least for me, well worth the money spent on registration. I doubt
> that I would have ever been able to justify to myself the single-minded
> concentration on truly comprehending some of the more difficult security topics
> that I found necessary to feel reasonably comfortable taking the test. Despite
> my job title, I spend at least as much time as a WAN engineer, data telecom
> consultant, programmer, and Unix sysadmin as I do on InfoSec, so absorption of
> new information tends to be gradual and haphazard.

I see the CISSP and Common Body of Knowledge (CBK) review as a survey of a broad range of security topics and terminology that any security professional should know something about. The big picture is usually valuable in making specific implementation decisions. However, the CISSP designation is not able to certify that somebody has specific technical expertise, and I don't believe that is its intention. (I briefly discussed this with Hal Tipton, one of the senior class instructors and a generally respected security professional.)
Unfortunately, it is too often used that way by headhunters and hiring managers, and some people with the designation take advantage of that fact to obtain positions for which they really aren't qualified. That is a common problem with all certifications.

I just went through the review class myself. It is pretty solid in the policy areas. However, I felt that the technical areas are weak in two ways.

First, the Cryptography, and Telecommunication and Networking sections of the review class contain numerous errors when they attempt to go into technical detail. I'm not just complaining, though. I plan to feed back corrections and references that verify those corrections so that the review materials can be improved.

Second, the Application and Systems Development section has several general weaknesses. The Handbook of Information Security Management, which also provides CBK-related papers, is very sparse in this area. It is a difficult area to teach because of its own breadth, and I believe this weakness is a reflection on our specialty as a whole and not just the CISSP materials. There are relatively numerous security professionals with strong operating system and/or networking expertise. There are far fewer security professionals with strong knowledge of application design and database security. There are a handful who know all of it. Most of us just don't have that much time in the day. I do it through use of the little hourglass gadget from the third Harry Potter book. ;^)

These are some of my observations. Take them for what they're worth.

-paul
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:26:43 PDT