From: Pete Herzog (lists@isecom.org)
Date: Thu Dec 07 2006 - 14:20:36 EST
> But I also think certification by itself means next to nothing for the
> most part. I have seen way to many Consultants with certifications and
> degrees not know their head from a hole in the ground.
There are certifications and there are certifications. Knowledge
certifications where one memorizes security trivia and regurgitates it on
an exam has much less applicability in the real world than a formal
education where case studies and experience may be introduced or an applied
knowledge certification.
But a certification should mean something. It should prove that a person
can apply a particular type of knowledge, a specialty, with a measurable
degree of accuracy and efficiency. If a group has convinced you that they
can certify, accredit, or graduate you in a trade or specialty in a manner
which requires no proof of skill then you should question your own critical
thinking skills. Because it just doesn't work that way. Even with
experience, that means nothing if what you learned is wrong from the start.
The US Department of Education has a word for organizations who sell
diplomas for experience alone and often no additional coursework: Diploma
Mills (http://en.wikipedia.org/wiki/Diploma_mills).
I'm saying this because at ISECOM we have been an authority for applied
knowledge security certifications for nearly 5 years because the security
community we work with asked for it. They asked for a security cert that
didn't suck. They wanted one where people actually had to apply their
knowledge of testing and analysis with accuracy and efficiency in order to
pass an exam against a live network. So we built it and you know what, we
still sometimes get complaints that it's too hard and too complicated.
When we first rolled this out in the US, the training organization we
worked with didn't see a future for it because they said they needed an
easier exam, a knowledge-based one, so people can pass and take a
certification back to the office which will bring in more people. Then
they can also promote a high pass rate in their marketing for that
training. So we stopped working with those training companies in the U.S.
that wanted an easy pass to sell easily to the masses. But that's just
mainly a problem in the US and most other regions have been just fine for
us. In those other places the ISECOM certifications really mean something
and get people employed and advanced and vetted for having them.
So please don't lump all security certifications together. Some of us are
working hard to help and such comments don't.
Sincerely,
-pete.
PS: Sure I work for ISECOM so I am biased about the quality of our
certifications but facts are facts and our certifications really are
applied knowledge, hands-on examinations.
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:26 EDT