Security Basics mailing list archives
RE: Distinctions in Certification
From: "Bill Hardstone" <rhardstone () eudoramail com>
Date: Thu, 14 Aug 2003 14:27:48 -0400
Jim, very well said! It is all about skill sets and educational background. It is not the role of a CISSP to run a port scan or to run a vulnerability assessment! One cannot put a firewall administrator to write the security policy handbook of an organization. Likewise, a CISSP may not be a good fit to manage a firewall farm.

One should also consider what side of the fence they belong to. In the security arena there are 2 tracks that lead up the profession (in my view at least).

The first camp makes their way thru the accounting/auditing profession, i.e. IT auditing and financial auditing, etc., eventually leading into security management. This camp comes with a background in business and computer sciences. These folks are loaded with CPA, CIA, CISA, CISSP, Microsofts, unix and some other technical certs mentioned below.

The other camp comes from a system administration and network engineering role leading into a security role. These professionals can be loaded with the most techie certs you could possibly think of: Microsofts, Ciscos, various firewall/PKI vendors, unix experts, etc.

Above all, when I am hiring, I look more at their degrees and their experience than their certifications.

Imran

--------- Original Message ---------
DATE: Thu, 14 Aug 2003 01:08:21
From: James Taylor <james_n_taylor () yahoo com>
To: security-basics () securityfocus com
ATTACHMENT part 3 message/rfc822
From: "Peter Baxter" <peter.baxter () bt com>
To: "'Jarrod Loidl'" <loidlja () corp earthlink net>, <security-basics () securityfocus com>
Subject: RE: Distinctions in Certification
Date: Wed, 13 Aug 2003 18:16:09 +0100

> Well as someone who hires security staff, I look for hands-on real world experience. The CISSP and the rest are all too conceptual based, I've had students with these certs who do not know how to do fragmented port scans.

'CISSP and the rest'

You've had students with the CISSP certification? Either they hoodwinked the examiners or perhaps you are confused as to the certification they actually have.....

You need to make sure you are employing the correct people into the right roles with the correct certification. The CISSP is a management security certification and you have to have at least 4 years professional experience in a number of 'domains' before you can sit it. Which are:

- Access Control Systems & Methodology
- Applications & Systems Development
- Business Continuity Planning
- Cryptography
- Law, Investigation & Ethics
- Operations Security
- Physical Security
- Security Architecture & Models
- Security Management Practices
- Telecommunications, Network & Internet Security

There are technical certifications, and managerial certifications. You should not be employing CISSPs to run fragmented port scans. You should employ a security analyst to do that.

Would I trust a security compliance program/BCP/large website installation project to someone with a particular technical exam? Nope. Where is the technical project management experience? What about Law? BCP? DR? Programming techniques? I've seen a few 'firewall engineers' who know not much more than TCPIP ports.

Of the people I have met who have taken the CISSP, they all agreed it was one of the toughest exams they had ever taken, and definitely not some boot-camp qualification. In general they are 1) experienced, 2) mature, 3) respected in the industry and 4) can be trusted and have the know-how to complete projects on-time and on-target.

Perhaps you should think about taking it yourself, then pass more informed comment.

James
CISSP MIEE BEng

From my experience a practical security certification such as the ESA from www.securityassociate.org really puts into practise text-book knowledge. We have around 20 ESA's at BT and are happy with the skills of the engineers. But nothing beats real world experience and no cert can give you this.

Peter Baxter
British Telecommunications PLC
Head of Information Security - Europe and Asia
Tel: +44 (0)20 450 5000 ext. 4456

ATTACHMENT part 7 message/rfc822
Subject: RE: Distinctions in Certification
From: Jaymz Ringler <jringler () nebrinfosecurity no-ip com>
To: peter.baxter () bt com
CC: security-basics () securityfocus com
Date: 13 Aug 2003 17:28:33 -0500

> I agree. I've had a few employees and interns that have certs, such as a 2k pro MCP. One of which I went to school with in the same classes... and he didn't know how to add a user.
>
> I've come to find that even someone with a bachelor's degree in IT has no clue what a subnet mask is for. They remember reading about them..

What a complete load of claptrap! If there is one single goal of any engineer's degree - and that is to teach the engineer how to be an engineer - if I can sum it up (and not do it justice) - project management and problem solving ability. They might not have a clue what a subnet is, but for sure they have the capacity to learn (on their own) what it is, and what to do with it in the wider world...

> Degrees and Certs don't mean anything other than they can absorb some information and retain it to take a test. The Hands On Experience is everything.

Yes, certain certifications are not worth the paper they are written on, but all of them? Degrees teach you much much more than how to retain information, they teach you how to apply yourself.

However, what no degree or certification will teach you is work ethic.

James