From: techlists@comcast.net
Date: Mon Jul 31 2006 - 20:08:20 EDT
The CISSP cert should be kept in perspective. It is a good certification for people on a managerial level to have because it gives them a fairly broad, high level view of the security field, which they need to do their job more effectively.
It does *not* help anyone working in a hands on capacity because it doesn't go into any depth on that kind of level.
I work in a more technical, hands on kind of role but got the CISSP anyway simply because in the field I work in (government contracting), a lot of contracts specifically ask for CISSPs, and it does raise the amount of money the client is willing to pay for technical staff. The cert realistically hasn't had any practical technical benefit for me, but it has had a financial benefit. (my employer gave me an automatic $2000 raise just for passing the CISSP exam; other companies give a lot more)
PG
-------------- Original message ----------------------
From: "Jim" <jimk@missinglinksecurity.com>
> Wolf
>
> I think you are right on track with this issue. I know people with the CISSP
> certs that should not even be in the industry.
>
> Jim
> Sent via BlackBerry from Cingular Wireless
>
> -----Original Message-----
> From: Wolf <wolfiroc@earthlink.net>
> Date: Sun, 30 Jul 2006 23:28:23 -0400 (GMT-04:00)
> To:Pete Herzog <lists@isecom.org>, David Cross <davidcross@Post-N-Track.com>
> Cc:"Robert E. Lee" <robert@dyadsecurity.com>, pen-test@securityfocus.com
> Subject: Re: Hacker Stories, Certs,
> vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE)
>
> Hi David and Pete,
> I really take the statement "... mastery of all aspects of security" as a bit of
> a challenge as well as an insult to those who truly have mastered their craft,
> but do not have the CISSP. I do - as well as OPST, OPSA, IEM and IAM. Fact
> -not boasting or professing mastery. Too much comes down the road each day to
> profess mastery at all aspects of security. If there were so many masters out
> there, then we wouldn't have configuration management issues, patch management
> and implementation issues, and every system and network could be certified and
> accredited as being operationally secure.
> I know for a FACT that some CISSPs have little or no experience or
> understanding in the field, yet managed to take a damn good test! If the
> prereqs were checked or truly told, they never would have been eligible.
> Not a rant just something to think about the next time you claim mastery!
>
> -----Original Message-----
> >From: Pete Herzog <lists@isecom.org>
> >Sent: Jul 30, 2006 5:39 AM
> >To: David Cross <davidcross@Post-N-Track.com>
> >Cc: "Robert E. Lee" <robert@dyadsecurity.com>, pen-test@securityfocus.com
> >Subject: Re: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC
> Address Changer v3.1 (FREEWARE)
> >
> >Hi David,
> >
> >> The CISSP credential is not a networking credential. It is a general
> >> security credential showing mastery of all aspects of security, not an
> >> in-depth knowledge of one. A CISSP would be expected to serve in an
> >
> >I think "mastery" includes capability and not just knowledge thereof. To
> >master something means to be at the top of a craft. It means to know
> >something deeply and to be able to apply that knowledge broadly. I
> >disagree that a CISSP shows a mastery of all things security.
> >
> >> advisory or audit capacity and not in a network engineer capacity. The
> >
> >Just broad knowledge of security best practices to apply broadly where one
> >sees them is unhealthy to any organization.
> >
> >> If a CISSP with no experience is applying for a networking job then
> >> shame on them. If you hire a CISSP for a networking job when they have
> >> no specific networking experience then shame on you.
> >
> >And yet they do all the time. Many of us know many CISSPs who didn't have
> >the experience, were able to fudge it, and were able to get their
> >certification without having any problem finding another CISSP vouch for
> >them. Talking a solution does not show successful implementation of one.
> >
> >> Credentials can only be looked at to strengthen the credibility of a
> >> person's resume, not to create credibility where this is no experience.
> >
> >Not true. Certification can provide those lacking experience to show
> >ability and be an asset to an organization in that particular field. So it
> >can show credibility where no experience exists. People already do this now
> >looking to switch job descriptions, need to learn a specific aspect of a
> >job, seek to enhance current ability, or to improve their marketability for
> >new jobs.
> >
> >> Either way if you are going to criticize things in public you should
> >> know what you are talking about or you will just point out to everyone
> >> that you don't know the industry as well as you think.
> >
> >I agree with that statement however I also think putting on rose-colored
> >glasses does not make the current industry on-goings any rosier for other
> >people who end up being the victims instead of the benefactors of security.
> >
> >-pete.
> >
> >------------------------------------------------------------------------------
> >This List Sponsored by: Cenzic
> >
> >Concerned about Web Application Security?
> >Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
> >Choice Award from eWeek. As attacks through web applications continue to rise,
> >you need to proactively protect your applications from hackers. Cenzic has the
> >most comprehensive solutions to meet your application security penetration
> >testing and vulnerability management needs. You have an option to go with a
> >managed service (Cenzic ClickToSecure) or an enterprise software
> >(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
> >help you: http://www.cenzic.com/news_events/wpappsec.php
> >And, now for a limited time we can do a FREE audit for you to confirm your
> >results from other product. Contact us at request@cenzic.com for details.
> >------------------------------------------------------------------------------
> >
>
>
> ------------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Concerned about Web Application Security?
> Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
> Choice Award from eWeek. As attacks through web applications continue to rise,
> you need to proactively protect your applications from hackers. Cenzic has the
> most comprehensive solutions to meet your application security penetration
> testing and vulnerability management needs. You have an option to go with a
> managed service (Cenzic ClickToSecure) or an enterprise software
> (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
> help you: http://www.cenzic.com/news_events/wpappsec.php
> And, now for a limited time we can do a FREE audit for you to confirm your
> results from other product. Contact us at request@cenzic.com for details.
> ------------------------------------------------------------------------------
>
>
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:29 EDT