Yeah, I guess you called it so to speak. So, let me make sure I understand this. I work in the security industry and the job market is getting tight. Therefore, in order to make sure I have a "leg up" on the competition I should make sure I get my CISSP. Furthermore, the CISSP costs money. Therefore I better pony up to stay ahead. Many people take issue with the pay for certification. Sure, the tests may be intense and you could learn quite a bit, but again you are paying for a paper. I know many Head hunters who end up getting burned because they place someone with this and that certification but not a whole lot of experience, be it business or engineering. Then they start attempting to weed out the "Paper" MSCE, CCNA, etc. It also seems ironic that quite a bit of the exploits, risks, code, papers, etc. come from people who are essentially donating their services. It seems like they are inspired by the challenge and curiosity of looking into something difficult to see. They publish some code, a paper, etc. and the BIG company takes evasive action and releases a security advisory as a "Response." Generally, it is a good practice to identify recurring issues and fix them at the source. Response by its very nature is reactive, not proactive. At some point these professional vulnerability researchers might just form some type of organization and also start charging money for their service. There may come a time when a quality certification is offered for free to anyone who can pass. For some reason with security, you don't always pay for what you get. On 05-Jul-2001, Meritt James wrote: > Article "New IS Security Requisites" at > http://www.informationweek.com/765/65uwjm.htm dated December 13, 1999. > Called it or what? > > > -- > James W. Meritt, CISSP, CISA > Booz, Allen & Hamilton > phone: (410) 684-6566
This archive was generated by hypermail 2b30 : Fri Jul 06 2001 - 08:14:48 PDT