-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of Elizabeth Tolson
Sent: Friday, April 27, 2007 1:57 PM
To: Simmons,James; andrews () rbacomm com
Cc: security-basics () securityfocus com
Subject: CISSP Question
I am in the process of getting my Master's in Information
Systems Security and my CCE for KSU.
As far as the CISSP, it is my understanding that you need
four years of experience in computer security or IT
Management. Is that true?
Elizabeth
-----Original Message-----
From: "Simmons, James" <jsimmons () eds com>
Sent: Apr 27, 2007 3:24 PM
To: andrews () rbacomm com
Cc: security-basics () securityfocus com
Subject: RE: Value of certifications
ISACA does have a standard that is used in many places. So does DISA
(government entity), ISECOM, OWASP, and many others. Of
course if you
just blindly follow a standard procedure then you are not
worth your
pay as a professional to begin with. If you are not
re-evaluating your
own procedure constantly let alone someone else's, then you
are already
behind the power curve. Base procedures are a good way to cover the
basics, and ensure you don't forget something small. That is
why they
are considered a set of best practices. There is never a
single common
procedure that will fit 100% of the situations. That is what you are
being paid for as a professional. It is a lot like a lawyer. You can
easy use a cookie cutter form for any legal document, but you pay a
lawyer to ensure that your particular situation is covered.
Are you seriously arguing that most people who get their
CISSP didn't
learn anything new >to pass? Would the same apply to the
CISA and CISM
tests from ISACA?
I am not arguing that people do not learn anything new in
the process.
I am saying that the purpose of the cert is to prove that you have a
baseline of acceptable knowledge in that field. I am making
the point
that if you are taking a cert to learn something new, then you are
confused as to the purpose of a certification. If you are taking the
CISSP to learn about security, then you are providing a great
disservice to your employer. It is a sampling issue, the difference
between creating a test to ensure knowledge, and creating
knowledge to
pass a test. Unless you want to argue that the CISSP test
covers all
information that is relevant to computer security, in which case I
would just have to laugh at you, and then silently cry at the turn
humanity has taken. I would hope that not even ISC2 would
take that stance.
On a side note, look at the board of directors for ISC2.
They are all
computer security people. So granted they have enough people for the
technical experience, but where is the resource for education and
psychology? Only one person (the only professor) has any sort of
background in education and training. So how is a group of people
suppose to make a general certification to determine the knowledge
level for everyone that takes this test?
One teacher is not enough for a valid education system. When was the
last time you had a horrible teacher/ professor? What are
the chances
that this guy is such a savant in teaching that he can
handle all the
executive level education decision needs of this company by
himself? At
least ISACA has three professors on their board of directors.
While I wish they cost less, since I will be paying for any tests
myself, the are at
what the market will bear. If you can make one cheaper that is just
effective, go ahead
and do so. :)
And that is my point. This is a call to arms of sorts. We need a new
system. Who doesn't agree? What points do you have that this
system is
the best and doesn't need to be changed drastically? I am
proposing as
an example a system that has been working (ASE). It is far from
perfect, but it is better then our current system. The
problem, is that
nothing is going to change until more people wake up and see
the flaws
in the current system. Especially with computer security, an
industry
that was created with the mindset that you can never really
trust what
people say, because we are always looking for man-in-the-middle
attacks, social engineering, and other anomalies that we have to
protect against. This should go out to hiring managers, and the
decision makers. Point out the flaw in the hiring practices.
I can not
be the only one who is tired of having to work with someone who is
completely unqualified and believes that they are the best.
Regards,
Simmons
-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]
On Behalf Of andrews () rbacomm com
Sent: Friday, April 27, 2007 10:13 AM
To: security-basics () securityfocus com
Subject: RE: Value of certifications
Quoting "Simmons, James" <jsimmons () eds com>:
Do you honestly think that any of these companies have put
that much
time and effort into their tests?
The ISC2 is far from a startup company. ISACA has also been
around a
while. And their COBIT standard is used many places....
I may be wrong, but I think they have put some thought into
their tests.
They are not getting the certs to learn anything new. They are
getting
them to prove that they know.
Are you seriously arguing that most people who get their
CISSP didn't
learn anything new to pass? Would the same apply to the
CISA and CISM
tests from ISACA?
And at that
point I question why these certs have to cost so much?
While I wish they cost less, since I will be paying for any tests
myself, the are at what the market will bear. If you can make one
cheaper that is just effective, go ahead and do so. :)
Brad
Intro
