Re: CREST or TIGER?

From: cwright@bdosyd.com.au
Date: Sat Oct 20 2007 - 17:23:02 EDT


Hi Danny et al.,
One of the main points that I am trying to convey is that we should not be distinguishing and/or classifying ourselves quite so readily. In your post you are effectively making a clear distinction between them and us: “them” being HR, business groups and non-IT people in general, and “us” being a cadre of IT specialists.
You talk of an effective measuring system. This is achievable for an individual task. The issue, however, is that each organisation will vary both in its risk appetite, its competency and its focus. The difficulty is in finding which metric would then suit which organisation. This would be compounded further as technology changes, the company changes, and its systems and processes change.
More importantly, it only covers one leg of the three apexes of security. The commonly overlooked areas of people and processes come second in this view. It leads to a projection that information security technical people are solely responsible for and capable of mitigating information risk. The difficulty on this point is that many technically adept penetration testers fail to understand business rules. The result is that they concentrate on system vulnerabilities and technical failures to the exclusion of what is often much simpler to bypass.
As for my own, all I have completed still fails as proof. To give an example, I am now a pointy-haired manager, corp, suit or any other term that you may wish to apply. As a consequence, many people will not take what I say seriously. There are those who believe that external factors (such as wearing a T-shirt) add to credibility.
Actions speak louder than words. What certification will do is give you an opportunity to prove yourself. This is when your actions have to speak. After you get past HR, when the client has selected you for the job, or whatever other initial gate has been passed as a result of the certification, then it comes down to your actions. So the certification can be an enabler. I do agree that they don’t prove skills in many cases, but if you can’t get through the first gate you don’t get to prove anything.
Regards,
Craig

_____ In Reply to ____
Hi Craig,

It looks like you misinterpreted most of what I said or, somehow, I did not
explain myself clearly enough. So let me rephrase.

"penetration1_googlemail.com" talked about being taken seriously and I
was arguing that certifications and studies were not what I use to form an
opinion on the competency level of security professionals. I never said
they were crap. My own experience proves certifications/studies are
absolutely not a perfect match with people's competency. In your case, the
whole thing (publications, books, certifications, etc.) would prove to
anyone that you have large and proven competency. Your case is quite
different from that of someone who only did one or two certs and nothing else
really related to security.

As I said, I found certifications and studies really useful when dealing
with external people. It's not a perfect and/or always fair system, but
it does help external people who are unable to measure a security
professional's competency themselves (clients, HR, etc.). I guess a better system
would have to be free and complex while covering every aspect of a
security professional's abilities in order to be a really effective
measurement program. But I doubt this could ever be done.

Everything I said was without any pretension and signed as being my own
opinion. Still, for all those reasons, my opinion does not change. My
only hope is to make the latest understood correctly.

---
Danny Fullerton
Founder
Mantor Organization

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:10 EDT