RE: Re: CISSP

From: Clement Dupuis (cdupuis@cccure.org)
Date: Tue Dec 05 2006 - 08:10:15 EST


Good day Danny, Cony, and all,

Of course the CISSP certification was never meant to be a technical
certification. It is meant to validate your overall knowledge of security
and whether or not you understand that specific jobs and hardware such as
IDS, IPS, Security Analyst, Intrusion Analyst, etc. are just one piece of
the whole security puzzle and none of these by itself can solve the whole
puzzle.

There are tons of security professionals (or self-proclaimed professionals)
who could not even tell you what is taking place behind their fancy GUI when
a connection to a secure web server or a VPN gateway is being established.
They simply have no clue, and when they attempt to troubleshoot problems they
lack the know-how to understand what the required logical steps are.

There are other people who are extremely skilled on the technical side; they
will read packets in hexadecimal format while coding low-level exploits in
some esoteric language. However, oftentimes they lack understanding of the
business side and how their employment fits in the grand scheme of things.

Right now there are lots of people who are required to take the CISSP
because of the 8570 directive that came out of DoD. Is it the best
investment for a Firewall Analyst to take a CISSP class? I am not convinced
at all; it would be a better investment to have him go through a GCFW class
instead. If you work in a technical role, the SANS, CEH, Cisco, MS, and
other vendor certifications are probably more adapted to what you are
trying to do and will give you the technical skills to do it.

That being said, for many years the technical side of security was driving
the orientation that security would take within most companies. I think that
it has changed a bit over the past few years and it will change more in the
future. We need to deploy a security architecture that meets the business
requirements and that can support the functions we need to provide to our
customers. This is where the CISSP will come into play: you do not deploy
countermeasures only because they are great products; the product has to
make sense for what you are trying to protect, and it has to make sense on
the cost and benefit side as well.

You could stack 25 of the best firewall/security devices and that does not
guarantee that you will get instant security if you do not have trained
people to manage those boxes (the soft side), if you do not have a process
in place to keep them updated, and if you do not have any policies about
what can and cannot be done on those devices. You need a mix of all of the
above, and this mix has to be customized to fit your business needs.

The CISSP was never meant to make you a guru in all of the 10 domains.
Anyone who claims to be would simply be filling you with BS. There is no way
one could be an expert in all of the domains and remain current in all of
them.

The CISSP forces an individual to learn about key areas of security that he
would never have touched by himself. It forces him to better understand
that security is more than a black box and that people, process, and
policies must be in place to succeed. It will give you enough knowledge to
understand the different subjects within each of the domains at a high
level. The next time you interact with someone who does development, for
example, you will have the basic foundation to understand what they are
speaking about, and whether or not they have basic competency in the domain
in which they claim to be experts.

In summary, even if you are a pen tester with GCIH and GHTQ and you are
really good at what you do, I think the CISSP could still benefit you by
making you understand where pen testing fits within the whole security
architecture, what the benefits to your clients are, and how this can be
justified as a cost. If you wish to interact with CISOs and other C-level
executives, it might help to talk their cost/benefit language and be able to
demonstrate how it can help them within their security plan.

As you well know, FUD (Fear, Uncertainty, and Doubt) used to be a nice way
to sell services. Today, this no longer works, and this is not how you will
build long-term relationships with your clients. If you really understand
the business side and demonstrate to your clients how they can avoid or
minimize losses, I am sure your clients will listen very carefully to what
you have to offer.

As far as glorifying the CISSP and offering a chicken once a week to the
ISC2 god, I do not think it is necessary. The problem right now is that we
need to educate people in HR about what the CISSP and other certifications
are, and also what they are NOT. That's the problem.

Take care

Clement

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:25 EDT