Certification and certificates aren't always about self. There are valid marketing reasons for companies to want employees "certified".

----- Original Message -----
From: "Paul Cardon" <paulat_private>
To: <SECURITYJOBSat_private>
Sent: Friday, February 18, 2000 2:26 PM
Subject: Re: Jobs thread, CISSP, et al.

> "Robert G. Ferrell" wrote:
> > I have absolutely no desire to revisit the 'value of certification' debate of a
> > few months ago, but I have one quick observation to share concerning the
> > certification process. I took the CISSP exam earlier this month, and the
> > several weeks of intensive study in preparation for it were invaluable. For any
> > of you out there who are like me and are simply too busy to read nearly as much
> > as you'd like on emerging technologies or advances in extant ones, this enforced
> > discipline is priceless. Simply as a result of the exam preparation process, I
> > now understand tedious (to me) things like risk management and elliptic curve
> > cryptography a lot more thoroughly than I did before.
> >
> > What I'm trying to say here is that, while I will readily concede that
> > certification has its good and bad points, the focus it takes to prepare for the
> > exam was, at least for me, well worth the money spent on registration. I doubt
> > that I would have ever been able to justify to myself the single-minded
> > concentration on truly comprehending some of the more difficult security topics
> > that I found necessary to feel reasonably comfortable taking the test. Despite
> > my job title, I spend at least as much time as a WAN engineer, data telecomm
> > consultant, programmer, and Unix sysadmin as I do on InfoSec, so absorption of
> > new information tends to be gradual and haphazard.
>
> I see the CISSP and Common Body of Knowledge (CBK) review as a survey of
> a broad range of security topics and terminology that any security
> professional should know something about. The big picture is usually
> valuable in making specific implementation decisions. However, the
> CISSP designation is not able to certify that somebody has specific
> technical expertise and I don't believe that is its intention. (I
> briefly discussed this with Hal Tipton, one of the senior class
> instructors and a generally respected security professional).
> Unfortunately, it is too often used that way by headhunters and hiring
> managers and some people with the designation take advantage of that
> fact to obtain positions for which they really aren't qualified. That
> is a common problem with all certifications.
>
> I just went through the review class myself. It is pretty solid in the
> policy areas.
>
> However, I felt that the technical areas are weak in two ways. First,
> the Cryptography, and Telecommunication and Networking sections of the
> review class contain numerous errors when they attempt to go into
> technical detail. I'm not just complaining though. I plan to feed back
> corrections and references that verify those corrections so that the
> review materials can be improved.
>
> Second, the Application and Systems Development section has several
> general weaknesses. The Handbook of Information Security Management
> that also provides CBK related papers is very sparse in this area. It
> is a difficult area to teach because of its own breadth and I believe
> this weakness is a reflection on our specialty as a whole and not just
> the CISSP materials. There are relatively numerous security
> professionals with strong operating system and/or networking expertise.
> There are far fewer security professionals with strong knowledge of
> application design and database security. There are a handful who know
> all of it. Most of us just don't have that much time in the day. I do
> it through use of the little hourglass gadget from the third Harry
> Potter Book. ;^)
>
> These are some of my observations. Take them for what they're worth.
>
> -paul
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:26:45 PDT