All this talk about "CISSP" and "CBK", I've never even heard of these certs. Where, in San Diego, would I find more information (price & curriculum) about them? I didn't want to pollute the thread with "off kilter" questions, but my curiosity is killing me.

drew

--- Pete Pfeiffer <pfeiffepat_private> wrote:
> Certification and certificates aren't always about self. There are valid
> marketing reasons for companies to want employees "certified".
>
> ----- Original Message -----
> From: "Paul Cardon" <paulat_private>
> To: <SECURITYJOBSat_private>
> Sent: Friday, February 18, 2000 2:26 PM
> Subject: Re: Jobs thread, CISSP, et al.
>
>
> > "Robert G. Ferrell" wrote:
> > > I have absolutely no desire to revisit the 'value of certification'
> > > debate of a few months ago, but I have one quick observation to share
> > > concerning the certification process. I took the CISSP exam earlier
> > > this month, and the several weeks of intensive study in preparation
> > > for it were invaluable. For any of you out there who are like me and
> > > are simply too busy to read nearly as much as you'd like on emerging
> > > technologies or advances in extant ones, this enforced discipline is
> > > priceless. Simply as a result of the exam preparation process, I now
> > > understand tedious (to me) things like risk management and elliptic
> > > curve cryptography a lot more thoroughly than I did before.
> > >
> > > What I'm trying to say here is that, while I will readily concede
> > > that certification has its good and bad points, the focus it takes
> > > to prepare for the exam was, at least for me, well worth the money
> > > spent on registration. I doubt that I would have ever been able to
> > > justify to myself the single-minded concentration on truly
> > > comprehending some of the more difficult security topics that I
> > > found necessary to feel reasonably comfortable taking the test.
> > > Despite my job title, I spend at least as much time as a WAN
> > > engineer, data telecomm consultant, programmer, and Unix sysadmin as
> > > I do on InfoSec, so absorption of new information tends to be
> > > gradual and haphazard.
> >
> > I see the CISSP and Common Body of Knowledge (CBK) review as a survey
> > of a broad range of security topics and terminology that any security
> > professional should know something about. The big picture is usually
> > valuable in making specific implementation decisions. However, the
> > CISSP designation is not able to certify that somebody has specific
> > technical expertise and I don't believe that is its intention. (I
> > briefly discussed this with Hal Tipton, one of the senior class
> > instructors and a generally respected security professional.)
> > Unfortunately, it is too often used that way by headhunters and hiring
> > managers, and some people with the designation take advantage of that
> > fact to obtain positions for which they really aren't qualified. That
> > is a common problem with all certifications.
> >
> > I just went through the review class myself. It is pretty solid in the
> > policy areas.
> >
> > However, I felt that the technical areas are weak in two ways. First,
> > the Cryptography, and Telecommunication and Networking sections of the
> > review class contain numerous errors when they attempt to go into
> > technical detail. I'm not just complaining, though. I plan to feed back
> > corrections and references that verify those corrections so that the
> > review materials can be improved.
> >
> > Second, the Application and Systems Development section has several
> > general weaknesses. The Handbook of Information Security Management
> > that also provides CBK-related papers is very sparse in this area. It
> > is a difficult area to teach because of its own breadth, and I believe
> > this weakness is a reflection on our specialty as a whole and not just
> > the CISSP materials. There are relatively numerous security
> > professionals with strong operating system and/or networking expertise.
> > There are far fewer security professionals with strong knowledge of
> > application design and database security. There are a handful who know
> > all of it. Most of us just don't have that much time in the day. I do
> > it through use of the little hourglass gadget from the third Harry
> > Potter book. ;^)
> >
> > These are some of my observations. Take them for what they're worth.
> >
> > -paul

=====
"We're going to turn this team around 360 degrees." - Jason Kidd, upon his drafting to the Dallas Mavericks

__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:26:52 PDT