mailing list archives
Re: [PEN-TEST] Evaluating Auditors Abilities
From: "Benjamin P. Grubin" <bgrubin () GUARDENT COM>
Date: Thu, 7 Sep 2000 16:28:10 -0400
While certifications can be extremely important to showing mastery of
conceptual material, which is essential for high-level tasks, they do very
little to assess the true practical capabilities of the practitioner. In
security, the CISSP is indeed a good set of guidelines for assessing
familiarity with a broad range of security concepts, but in terms of
determining the skill level of assessment or attack and intrusion personnel,
these certifications do very little to judge skill level.
The best ways to select potential auditing, assessment or attack &
penetration people is to:
a) obtain and check references
b) generate a technical interview guide that covers the specific
technologies that your company uses, and have a technical employee conduct
Benjamin P. Grubin bgrubin () guardent com
Guardent, Inc. http://www.guardent.com
"The world isn't run by weapons anymore, or energy, or money. It's run by
little ones and zeros, little bits of data.. it's all just electrons."
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Tansey, Don
Sent: Thursday, September 07, 2000 2:18 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: Evaluating Auditors Abilities
This is just my $.02, the opinions are mine and mine alone.
The major certification out there is a CISSP, from
(ISC)<superscript>2; you can check them out at
http://www.isc2.org. They have what I consider to be an
excellent set of standards.
That said, I don't think certification itself in _any_
discipline is a _guarantee_ of competence; but an indication
of competence. (And yes, I do hold some certifications myself
- and think IT Certification has tremendous value.)
I would approach hiring a security consultant the same way I
would approach any other outsourcing. Solicit proposals,
select likely candidates, have them in to present what
they're going to do and how they're going to do it, and then
ask for and check _references_.
In the end, there are no guarantees, but a process like this
will winnow out much of the chaff.
Also, in the unlikely event anyone ever made me management, I
sure as heck would trust my employees over a third party
consultant. If I couldn't count on the people that work for
me, they wouldn't work for me for very long.