Home page logo

pen-test logo Penetration Testing mailing list archives

RE: Hacker Stories, Certs, vs Projects - the real problem?
From: "Hirsch, Adam" <Adam.Hirsch () dresdnerkleinwort com>
Date: Mon, 31 Jul 2006 15:50:16 -0400


I think that something along the lines of the Law Bar Exams is required. In
the Bar exam there is a mix of multiple choice and essay-style questions
based upon test cases. Using essay style questions requires the test taker
to analyze a scenario and provide actual insight into their level of
knowledge. Instead of memorizing hundreds of multiple choice questions, they
will have to prove their actual knowledge by applying it to different
situations. Even thought grading these are much harder, it does provide a
true sense of the test taker's thought process, skill set, and understanding
of the material. 

While I must admit that I have the CISA, CISSP, and CCSP, I do not think
that any of them truly tested my actual abilities. I have 7 years of
experience in Network/Security Design and none of those exams was able to
tell if I know how to apply the material in a real world scenario. The Bar
Exam and CPA all require one to analyze several different test cases and
apply the knowledge and skills to answer them correctly. 

Another problem I see is the extremely high pass rate for many of these
exams. I think that a 70% pass rate on any exam is way too high. I feel that
a test taker's score must always be scaled and compared to previous test
takers. Raising the bar for a passing grade will ensure that fewer people
are able to just get bye when using a boot camp or a single study guide to
pass. It will ensure that only the upper echelon of people taking the exam
pass. Getting a 75% to achieve a 'Gold' status certification is ridiculous.
Not to put anyone down, but anyone getting a 75% or 'c' does not deserve to
qualify for something being sold as THE 'Gold' status in security. I would
seriously argue that anyone getting 'C' should not be considered as having
even an above average grasp of the information security. 

I think that these are some of the major issues (besides cost and time) why
some more senior security specialists have not gone the cert route. If the
certs had a little more credibility and tested actual knowledge and ability
to apply it, while also enforcing a higher standard for passing, then the
certs would start to hold more value across the industry. 

Currently, I feel that many of the people are getting certs (myself
included) to help use as a marketing tool to current and future employers so
they can get past HR and then let their real experience sell them to the
hiring managers.


If you have received this e-mail in error or wish to read our e-mail disclaimer statement and monitoring policy, please 
refer to http://www.dresdnerkleinwort.com/disc/email/ or contact the sender.

This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]