RE: Distinctions in Certification

["Bill Hardstone" <rhardstone () eudoramail com>]

Jim, very well said!

It is all about skill sets and educational background… it is not a role of a CISSP to run a port scan or to run a 
vulnerability assessment!

One cannot put a firewall administrator to write security policy handbook of an organization. Likewise, a CISSP may not 
be a good fit to manage a firewall farm.

One should also consider what side of fence they belong to… 

In security arena there 2 tracks that lead up the profession (in my view at least)…

The first camp makes their way thru accounting/ auditing profession, i.e. IT auditing and financial auditing, etc., 
eventually leading into security management. This camp comes with a background in business and computer sciences. These 
folks are loaded with CPA, CIA, CISA, CISSP, Microsoft’s, unix and some other technical certs mentioned below.

The other camp comes from system administration and network engineering role leading into a security role. These 
professionals can be loaded with the most techie certs you could possibly think of… Microsoft’s, Cisco’s, various 
firewall/ PKI vendors, unix experts, etc.

Above all, when I am hiring, I look more their degrees and their experience then their certifications…


Imran







--------- Original Message ---------

DATE: Thu, 14 Aug 2003 01:08:21
From: James Taylor <james_n_taylor () yahoo com>
To: security-basics () securityfocus com
Cc: 

> > ATTACHMENT part 3 message/rfc822 
> > From: "Peter Baxter" <peter.baxter () bt com>
> > To: "'Jarrod Loidl'" <loidlja () corp earthlink net>,
> >   <security-basics () securityfocus com>
> > Subject: RE: Distinctions in Certification
> > Date: Wed, 13 Aug 2003 18:16:09 +0100
> >
> > Well as someone who hires security staff, I look for hands-on real world
> > experience. The CISSP and the rest are all too conceptual based, I've
> > had students with these certs who do not know how to do fragmented port
> > scans.
>
> 'CISSP and the rest'
>
> You've had students with the CISSP certification? Either they hookwinked the
> examiners or perhaps you are confused as to the certification they actually
> have..... You need to make sure you are employing the correct people into the
> right roles with the correct certification.
>
> The CISSP is a management security certification and you have to have at least
> 4 years professional experience in a number of 'domains' before you can sit it.
> Which are:
>
>   Access Control Systems & Methodology 
>   Applications & Systems Development 
>   Business Continuity Planning 
>   Cryptography 
>   Law, Investigation & Ethics 
>   Operations Security 
>   Physical Security 
>   Security Architecture & Models 
>   Security Management Practices 
>   Telecommunications, Network & Internet Security 
>
> There are technical certifications, and managerial certifications. You should
> not be employing CISSPS to run fragmented port scans. You should employ a
> security analyst to do that.
>
> Would I trust a security compliance program/BCP/large website installation
> project to someone with am particular technical exam? Nope. Where is the
> technical project management experience? What about Law? BCP? DR? Programming
> techniques? I've seen a few 'firewall engineer' who knows not much more than
> TCPIP ports.
>
> Of the people I have met who have taken the CISSP, they all agreed it was one
> of the toughest exams they had ever taken, and definitely not some boot-camp
> qualification. In general they are 1) experienced. 2) mature, 3) respected in
> the industry and 4) can be trusted and have the know-how to complete projects
> on-time and on-target. 
>
> Perhaps you should think about taking it yourself, then pass more informed
> comment.
>
> James
> CISSP MIEE BEng
>
>
> > From my experience a pratical security certification such as the ESA
> > from www.securityassociate.org really puts into practise text-book
> > knowledge. We have around 20 ESA's at BT and are happy with the skills
> > of the engineers. 
> >
> > But nothing beats real world experience and no cert can give you this. 
> >
> >
> > Peter Baxter
> > British Telecommunications PLC
> > Head of Information Security - Europe and Asia
> > Tel: +44 (0)20 450 5000 ext. 4456
> > [Email is spam protected]
>
> > ATTACHMENT part 7 message/rfc822 
> > Subject: RE: Distinctions in Certification
> > From: Jaymz Ringler <jringler () nebrinfosecurity no-ip com>
> > To: peter.baxter () bt com
> > CC: security-basics () securityfocus com
> > Date: 13 Aug 2003 17:28:33 -0500
> >
> > I agree.  I've had a few employees and interns that have certs, such as
> > a 2k pro MCP.  One of which I went to school with in the same
> > classes...  and he didn't know how to add a user.
>
> > I've come to find that even someone with a bachelors degree in IT has no
> > clue what a subnet mask is for.  They remember reading about them..
>
> What a complete load of claptrap! If there is one single goal of any engineers
> degree - and that is to teach the engineer in how to be an engineer - if I can
> sum it up (and not do it justice) - project management and problem solving
> ability. They might not have a clue what a subnet is, but for sure they have
> the capacity to learn (on their own) what it is, and what to do with it in the
> wider world...
>
> > Degrees and Certs don't mean anything other than they can absorb some
> > information and retain it to take a test.  The Hands On Experience is
> > everything.
>
> Yes, certain certifications are not worth the paper they are written on, but
> all of them? Degrees teach you much much more than how to retain information,
> they teach you how to apply yourself. However, what no degree or certification
> will teach you is work ethic.
>
> James
>
>
> __________________________________
> Do you Yahoo!?
> Yahoo! SiteBuilder - Free, easy-to-use web site design software
> http://sitebuilder.yahoo.com
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------



Need a new email address that people can remember
Check out the new EudoraMail at
http://www.eudoramail.com

---------------------------------------------------------------------------
----------------------------------------------------------------------------