Dailydave mailing list archives

Re: Information security certifications diversity and getting lost


From: "J.M. Seitz" <lists () bughunter ca>
Date: Mon, 3 Sep 2007 20:26:03 -0700

Hey Mike,

The CISSP is the undisputed king of information security 
certifications. Currently, every now and then a security 
company starts pushing their employees towards certification 
programs. These are usually known for featuring insanely long 
exams, absurdly pedantic requirements and other kinds of 
doubtfully respectable necessities.

I wouldn't say it's the king, I would say it has some very broad objectives,
but is more so a Security+ on steroids. When the CISSP got traction, you have
to look at the timing of the certification, and the fact that the only other
certification that would get you a high paying job was a CCIE, and the CCIE
is a nasty cert to get to say the least. SANS has put out some incredibly
strong programs that can range from technical (GCIH/GCFA/GREM) to CISSP-like
certifications.


We all know that there are several other certifications, but 
CISSP brings, without doubt, the very best. Be it a security 
operations manager, a field operative or some other kind of 
consulting freak, a CISSP will always deliver.

I still disagree, and to be honest, I have interviewed more CISSPs that
couldn't answer questions like "What does PKI stand for?", "Give me an
analogy of a buffer overflow.", "What is transparent proxying and why is it
important in some circumstances?". Come on, certs are as good as the people
who take them, I again disagree.


My question for people out there, is this madness _that_ 
necessary? Do we have a good reason for spending loads of 
budget on certification programs and wasting our companies' 
money in such investments?

Yep, again it's a baseline, one for HR. The people to watch out for are the
ones who go the extra mile; someone who has a GCIH most definitely doesn't make
me giggle with glee, but someone who has a GCIH Gold I look forward to
meeting with, and definitely love to engage on their research topic. It's
worth a company's time and money to do it: (a) employees are more loyal to
companies that give, (b) you'd be amazed at how often you will apply things
straight from a certification.
 
Employees feel constrained since they might lose the 
certification after quitting their jobs, surfing towards 
another employer as intrusive and wasteful as the previous one, etc.

Not sure how you would lose a certification if you left your job? Once you
write the exam, it's yours not your company's.

If certifications exist for ethical hackers, are we going to 
see certifications for unethical hackers anytime soon? What 
if the mob and shady underground organizations needed to 
certify that they are employing the very best of the federal 
prison's Module 5? Will a Certified Unethical Software 
Security Expert (CUSSE) certification ever exist? "My name is 
Lincoln Six Echo, Certified Information Insecurity Systems 
Professional".

http://blog.wired.com/27bstroke6/2007/08/a-look-inside-a.html

There ya go :) I bet one or two unscrupulous people are "black-belts" :) 

In the end, certifications are good, but the reality is that they are only
good if you are looking for work, and you get what you put into them. You
want to get noticed in the security world? Build a tool, join and help
people on forums, help Sourcefire write signatures (they need it), contact
George Theall at Tenable and ask if you can help write NASL plugins, help
the OSVDB with mangling. These are all things that will help round out a
newcomer, and add it to the list of things that can benefit you when it's
time to go job hunting. Now, if you _really_ want to get noticed, tackle the
tough problems, write books, and try to talk at Black Hat, etc.

Coming from an unknown security guy, low profile, I am still in the phase of
doing all of these things. As such, I have a Sec+ and a GCIH (which I am
wrapping up my research paper on), and I can honestly say I do use some of
it in my day-to-day. You don't see these acronyms on my email signature, but
that's because I am not looking for work :)

JS



_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave