RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE)

From: R. DuFresne (dufresne@sysinfo.com)
Date: Fri Jul 28 2006 - 18:32:00 EDT


On Fri, 28 Jul 2006, David Cross wrote:

>
> CISSP != network admin.

Never on this side was I stating these were "equal"; I made a distinction
in how my organization pays both sides. Please don't try and confuse the
issue with your misinterpretations.

> CISSP = massive amounts of information on how security works, how to
> structure security in an organization, how to manage it, how to audit
> it, how to keep it compliant with laws and how to meet best practices.
> This information is useful only to senior security people who intend to
> manage security.

CISSP is a management track certification at best. Not a hands-on massive
skills certification; deal with that fact.

>
> If you want to know the details of what keeping your credential requires
> go to ISC2.org and read the details yourself. I'm not going to spend my
> time babysitting you through it.

And I outlined how that process has changed over time. I guess you are
only familiar with the current one and lack the history.

>
> Also if you actually read the response you see a cert only serves to add
> credibility to what experience a person claims to have. A cert does not
> magically imbue you with power from above. WHAT IT DOES DO IS PROVE YOU
> KNOW ENOUGH OF WHAT YOU'RE DOING TO PASS A VERY DIFFICULT TEST AND IT
> BINDS YOU TO A CODE OF ETHICS THAT REQUIRES YOU RESPONSIBLY REPORT AND
> RESOLVE VULNERABILITIES. (the industry as a whole needs that)
>

What it does is prove you can study for and pass an exam, nothing more.

> A cert, in most cases is better than none. When I hire people I ask
> them about certifications. People tell me "oh, I'm a security expert"
> and I ask them why they didn't spend the money to prove that they know
> what they're talking about. The response is always, "I don't have the
> money," or "I studied but got too busy to take the test." I've never
> had a person say they didn't think it was necessary. But at this point
> the burden is on me to test them. So I have to spend $99 of my own
> money to set them up with an online test to test their knowledge. I
> have to spend another hundred dollars to have my HR person track down
> all their references and call each one and quiz them at length. I have
> to spend 2 or more hours versus one hour to interview them costing a few
> hundred dollars of my time to try to coax out of them all the insipid
> details of their experience in all the companies they've ever worked
> for. So by the time it's all done I've basically paid for them to take
> the stinking test anyway.

When I've interviewed folks, I avoid asking about certs; I ask pointed
questions that can outline if the person knows his stuff, or if he's
trying to bluff his way into something over his head.

>
> A lot of people come to me to find out how they can get certified in
> computer security. Usually it someone who's been programming for 10
> years and they're bummed because they want a more exciting job or a
> better paying job.

And I pointed out how in recent years, sec folks tend to not make the
money that others trained in (as my example defined, admins) do to this day.
There was a time when sec folks that could demonstrate real skills, real
hands-on experience far beyond showing a cert number for a passed CISSP
exam made real money. These days it's far from that...

Will a cert get you past a clueless HR rep? Sure. Will it automatically
put you into high paying jobs? Far less likely these days.

> They say, "I have always wanted to be a security
> expert. How did you get your certification?" Notice they don't ask how
> to become a security expert... only how to get the piece of paper. When
> I explain what it takes they cheerfully ignore the details and wander
> starry-eyed back to their cube dreaming of how they will be the next big
> security expert. Most of them even go buy a study book or books before
> they get discouraged but there are always one or two that take it a step
> further. But I've never had one come back and ask for an endorsement or
> never known one to actually complete it. What I do know is that some of
> them have gone on to other jobs and convinced companies to hire them as
> "security experts" sans a certification. <<hey that's s pun - sans
> meaning "without" and SANS being a certifying body>>

At least the SANS certs show a level of expertise, and thus perhaps have
more real value to an employer, if they are seeking skilled professionals.

>
> Granted I've known great security gurus without certifications...
> fine... in my opinion if you have a very public and unassailable rep to
> stand on. If you don't have an industry known rep then you'd better
> have a cert or string of CVEs to tack on to your resume to get noticed.
>
> Either way I'm happy with my investment and I earn a modest 6 figure
> income netting a cool 25k more than my cert-less buddies. Plus when I
> consult I can charge well above $100/hr and companies don't even blink.
> So for me the investment in myself and in my test-taking ability has
> paid off. If you can do as well without a cert then I concede you are a
> winner.
>

<smile> I have lots of certs in various areas, some I had to gain at
employer expense, though I seriously flaunt none; I rely upon my
experience, and if needed, can tap many persons for a referral that have
knowledge of my skills and abilities. Those referrals pay off better than
any 3-4 letter cert credits I might tack onto my .sig.

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant: sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>