Security Basics mailing list archives

RE: RE: Value of certifications


From: "J.M. Seitz" <lists () bughunter ca>
Date: Mon, 30 Apr 2007 11:07:06 -0700

I completely agree, coming from someone who has enough knowledge to get a
decent security job, but has no certifications. I am taking the opportunity
this year to get a few certs under my belt to round out my resume. On the
other hand, in our hiring process, whenever there is a security-related job
that comes up we back it with a very tight technical interview.

I personally enjoy it when I have people who are CISSP, GCIH, CEH, etc. come
in for interviews for either sys-admin type work or for more of a QA role,
and not understanding the basics of how an attacker will cover their tracks
to how to analyze exploits. In fact, if I see someone with 4 initials behind
their name, I make an even more honest effort during the technical
evaluation to make sure that people think twice before swaggering into my
office waving their CISSP number around....for the record, not one of the
people who had certs got hired here because they didn't survive our
technical eval, you may get into the lion's den but you won't survive if you
don't understand.

On that note, I am studying for the Security+ which is a very newbie-like
baseline certification, and for someone who DOES have experience you have to
realize that if you take the studying seriously and you really want to
understand how everything works, you WILL get something out of it. I am
learning something new every day in studying for the Security+ :) And for the
love of the lord Jesus above people, I encourage you to list your
certifications at the BOTTOM of your resume behind all your relevant
experience, the hardcore technical people are going to eat you alive
otherwise.

JS 

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of nomail () hotmail com
Sent: Monday, April 30, 2007 9:48 AM
To: security-basics () securityfocus com
Subject: Re: RE: Value of certifications

There are some good points in this thread. I think the 
current schema of IT related certifications is broken. The 
certs that exist are largely irrelevant or overly broad or 
narrow in focus. They are also ridiculously expensive. I took 
the CISSP last year and went into the test sweating bullets. 
After the test, I realized how painfully easy it was, and was 
thankful that my employer had paid for it rather than myself, 
because the test was not worth $500. If a vendor wants to 
limit the number of people that take and pass a test, then 
they should do so by making the test challenging, not 
expensive. SANS is also guilty of this, as James has 
illustrated. I am confident that I have the knowledge to pass 
several of their tests, but I am not going to try unless my 
employer pays, as they are also expensive. Especially if one 
wants to take a test without attending one of their classes. 
It is clear that SANS is out to make money, and while they 
should make some coin on their certification and training 
program, their current cost model is prohibitively expensive 
for all but the independently wealthy and those with generous 
employers. 

Add in some of the other cert programs, like EC Council and 
some vendors, and you get cheaper certifications, but the 
tests for these certs are often poorly written and not very 
challenging, either. And vendor tests often test for the 
"vendor answer," which in most cases is not necessarily the 
right answer. As the saying goes, "there is the right answer, 
the wrong answer, and the Microsoft answer..."

Furthermore, the recertification process for many 
certifications is a circus. While I understand the need to 
maintain a current level of knowledge to keep current in the 
industry, trying to use that as a measuring stick for 
maintaining a certification is counterproductive (as in the 
CISSP). Especially when a person is presented with few actual 
formal training opportunities. Retesting is also ineffective, 
because it requires the tests to be revised at the pace of 
the technology they are based on, and in most cases a current 
certification holder will crash the week before the test (or 
get a braindump) and pass. At that point, are they being 
tested on their knowledge of the industry, or on their 
ability to quickly memorize some key facts?

But if we take away the certifications, then there is no real 
way for an employer to gauge a prospective employee's 
knowledge and experience level. While placing all of one's 
stock in a candidate's ability to pass a test is admittedly 
flawed, it is also admittedly hard to compare a candidate 
with a lot of initials after their name with one who hasn't 
one cert. With the increase in emphasis in certs, the problem 
is going to only get worse, not better. Everyone in our 
industry needs to realize that certs are not the end-all, 
be-all that their purporters claim, and more importantly, we 
need to act on this knowledge just as we do other snake oil 
salesmen and knock the importance of these tests down a few notches. 

Certifications have their place, but they need to be fairly 
priced, accurately represented, not used as a marketing tool, 
and industry-recognized.

I like the ASE analogy. Too bad it won't happen here.
