Full Disclosure: Re: [OT] CISSP Test

[Anders Langworthy <hades () psilanthropy org>]

SecurityLSI wrote:
> I wholeheartedly agree that there needs to be an industry benchmark,
> something that says you cannot operate in this field unless you have passed
> x. I'm thinking along the lines of something similar to the Bar exam that
> lawyers have to take, or perhaps a license like what doctors are required to
> obtain before being able to practice. I fear its going to take something of
> that level to truly separate the chaff from the wheat. Anything less and you
> only end up with braindumps and bootcampers throwing resume after resume at
> you.
There is an important distinction between something like the Bar, and 
medical licensure.  The InfoSec equivalent of the legal Bar would be 
impossible to implement, because unlike a courtroom, a network is not 
under regulated control.  If you wish to practice law, you must do it in 
a government-controlled courtroom*, and that government says that you 
must pass the Bar before doing so.
My network, on the other hand--like my body--belongs to me.  Nobody has 
the right to tell me who I can and cannot hire to work on them.  In the 
same way, I could pay somebody off the street to perform surgery on me 
if I wished.  I wouldn't recommend it, and they wouldn't be a licensed 
doctor, but nobody can stop me.
So what difference does it make if we add another benchmark/"cert"?  We 
already have plenty.  Even if it were possible, would we really want to 
grant absolute power to something like the medical AMA?
* Judge Judy doesn't count.

--
Anders
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/