mailing list archives
Re: Credibility (was User Insecurity)
From: Ron DuFresne <dufresne () winternet com>
Date: Mon, 22 Mar 2004 09:18:12 -0600 (CST)
On Fri, 19 Mar 2004, Gregory A. Gilliss wrote:
Actually what he is describing is what I refer to as "credibility".
The CISSP after my name is a measure of my credibility. It tells otherwise
clueless people, people without first hand experience and knowledge,
something about me. Perhaps it tells them that I exhibit some measurable
degree of knowledge or experience in my chosen field (security).
No it does not, it simply indicates you can 'test' well. it states
nothing about your experience, or knowledge levels and cluefullness. I
constantly work with CISSP's that have not a clue about the basics of
tcp/ip, give blank looks when you mention that udp as well as IP
What those letters behind your .sig do do is allow clueless HR and
recruiting folks something to key on when pouring over hundreds if not
thousands of resumes, to do 'keyword/phrase' matching. Nothing more or
people who know me or know security, it may tell them nothing more than
the fact that that I am a person who can afford $450 and can pass a
standardized test. The letters mean something different than they do for
people without experience, since each group (a) bases their measure of my
credibility on something different (personal experience, word of mouth,
rumor, slander, etc).
Credibility is a function of perception (my assertion - YMMV). Sales
people with crappy clothes and long hair may be "less credible" than "Ken
dolls". MCSE is "more credible" than "pimply-kid-who-knows-how-to-install-
NT". Doesn't necessarily mean that MCSE is "more knowledgeable" or "more
professional" than "NT kid", but if *you* see it that way then *you* have
defined the credibility. A hiring manager may look at two resumes and,
all else being equal, will likely hire the one with the college degree or
the certification because that person is "more qualified" - or, IOW, that
person has more credibility. May not be the best choice, but that's what
goes on. (Hiring managers who take exception may email me off list pls).
Credibility comes from either direct experience or iin some cases feedback
from others with established Credibility. For most credability and trust
go hand in hand. and once lost it can take leaping tall buildings to
regain. Such as swerving away from ics2's ethics clause.
Credibility equates to experience equates to clue (my assertion). In a
"trust" relationship, you can start from "no trust" or "full trust" or
anywhere in between (some trust, limited trust, etc). SSL is a good example
of "full trust". Holes, exploits, etc reduce "trust" for a time (until the
hole is patched). Microsoft suffers from a credibility problem because
(a) people keep finding holes, (b) Microsoft often denies/ignores the
holes, and (c) Microsoft takes a subjectively long period of time to
patch the holes found in (a) and denied in (b).
Credibility. We live and die by it in the security world as much as any
mechanic/lawyer/doctor/insert other professional designation here...
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
Full-Disclosure - We believe in it.