Security Basics mailing list archives

RE: Value of certifications


From: "Simmons, James" <jsimmons () eds com>
Date: Fri, 27 Apr 2007 17:07:24 -0500

I love the fact that you brought up being a lawyer, because that is a
great parallel.
I have found that in a lot of states (I cannot say how many exactly,
since my research is sporadic and based on the state I am living in at
the time) you don't need to go to law school to become a lawyer.
They still push experience, by having to fulfill requirements like
working for a judge, or a law firm, or what not. Taking the State of
California for example (http://tinyurl.com/2ellg2), you just need 2
years of college work (general education) and then legal education, which
includes four years of experience in the legal system, and then you can
take the Bar exam and practice law.
So if you are a very smart and capable individual (IT or law) then the
experience gets you what you want.

As for your other comments Craig, I agree, and I have thought long and
hard about trying to start up my own, but it is tricky to do so without
ending up sounding like every other cert company. I hope that no one has
thought I was just "whining" about all this and pouting that no one is
going to do what I want. Of course the only way is to do it myself, but
if someone does it before me to a level of standard I agree with, then I
would not have anything to say. I would probably line up and take the
test as soon as I can. Hell, for $57 I could afford to risk the test
once just to get a feel of the questions and then brush up and pass it.
Which, I believe, is an issue that current companies are missing: at
the more expensive prices, people are worried about taking the test
and failing, because they could not afford to take it again. Some people
do not test well, and with that added-on fear, though, anyone would be
nervous.

Now I am surprised that no one has mentioned that if the price was $57,
what is stopping the idiots from just taking the test over and over
again until they pass it? Does anyone have any ideas about thwarting
that method of Certification attack? I was thinking either a long retake
window (i.e. you fail, you have to wait a year before you can retake),
or on the final cert, it states how many times you had to take the test
before you passed? (Public humiliation is not my personal preference,
but it is still a valid way.)
Ideas?

Oh and GSEC? At $800 just to challenge the cert? I will say that I am
more prone to look at GIAC certs in a higher light, just because their
structure is something I agree with (a tiered approach vs. a single
cert). But seriously, everything about it screams greedy. They push the
classes at a few thousand a pop, and then the tests at $800, just to
challenge something that you think you can pass. Unless I get a
company to pay for it, I don't think I will ever even try for SANS
certs.
I even got the GSEC book they push, and to me it reads like a HACKING
EXPOSED book. "Here is the tool, here is how to use it, don't worry
about the underlying theories or how it works." Now granted it is just
one book, so this is by far not a complete analysis, but for $50+, the
books should be a wealth of information that I can use at work as a
reference, or be able to hand to an underling to help them catch up to
speed. Hell, I bought Google Hacking (which I use a lot more in everyday
life, and in line with my job) for less than that, or Hacking Exposed.

But, of course what do I know. 

Regards,

Simmons

-----Original Message-----
From: Craig Wright [mailto:Craig.Wright () bdo com au] 
Sent: Friday, April 27, 2007 2:25 PM
To: Yousef Syed; Simmons, James
Cc: security-basics () securityfocus com
Subject: RE: Value of certifications

Hi,
I am a nerd and have never been out of university(1). I finish one
course and then start another. Basically distance ed and work at the
same time. I am also on the Faculty Board of one Uni. So having 19 years
in 5 unis I have some knowledge of them. So I have to ask where the
idea that universities are not economically driven came from? In my
experience there is a lot of economic focus on underperforming courses
these days.
 
If you want to make certifications more cost effective, then you have to
offer something that will add a greater utility value than the existing
offering. As they currently stand, people see value. The perceived value
is due to the story/myth of the person who does a few courses and gets a
6 figure job. The reality is that this person would have been in the
industry a long time and also have other skills/training, but this is a
perception issue.
 
Next, employers do not wish to discover everything to do with IT and
security. This is likely why they are hiring. A certification is
something to match people. Most people going for a job who are currently
employed do not use their existing employer as a reference. Thus you
have to base the decision on something.
 
James, there is as a result a simple answer to this issue. Start your
own. Make it more effective and add more value. I have stated this to be
an economic issue in a prior post. The solution is an economic one. If
you feel that there is a solution to this that will offer more value -
do it.
 
What I would suggest:
1. Set up a training and education program that could be tied to a
professional association (e.g. as accountants, engineers and lawyers
have).
2. Make at least a national framework and add enough utility/value such
that you have the majority of people in the industry who have skills
join.
3. Convince government of the value and have them implement a compulsory
requirement to be a member (i.e. bar exams for lawyers, CA/CPA exams etc).
Draft legislation. Add PI insurance etc.
4. Make this entire process economically cost effective.
 
Number 4 is maybe the most difficult. You feel that certifications are
expensive; try looking at the real cost of a CA/CPA exam or the costs in
becoming a solicitor/passing the bar. I work for a Chartered
Accountancy and am finishing my LLM this year. I can tell you that the
CISSP and CISA and CISM ...and about who knows how many other certs I
have all together cost less than the law degree, and they cost way less
than a CA and I would assume less than a CPA.
 
Are you looking to make IT a profession like law or accountancy? Will
the majority of people work for professional services firms? I work with
one now, but I do not believe that most IT people should be employed
this way. Having people with IT security skills in commercial firms is a
good thing.
 
It is easy to focus on the negative; it is difficult to do something.
CAs have been around for several hundred years (sorry, I have no idea
about CPAs). Lawyers have been chartered since the 11th C. So maybe the
time means something, but look at their mistakes and evolution and found
an equivalent organisation for IT. Unfortunately this is not as easy as
it seems, and I would also venture not what most IT people want.
 
Regards,
Craig
(1) Physically out yes, but enrolled. I am also not counting vacations.



Craig Wright
Manager of Information Systems

Direct +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000 GPO Box 2551 Sydney NSW 2001
Fax +61 2 9993 9497 www.bdo.com.au


________________________________


From: listbounce () securityfocus com on behalf of Yousef Syed
Sent: Sat 28/04/2007 2:41 AM
To: Simmons, James
Cc: security-basics () securityfocus com
Subject: Re: Value of certifications



James,
On the matter of Vendor certs I would definitely have to disagree.

I've met plenty of MCSE people that just happened to study hard for the
exam and passed it, but haven't the first clue about setting up an
enterprise Windows system.

For a previous consultancy that I worked at, I was forced to take the
Sun Java Certification (despite the fact that I already had 8 years of
Java/J2EE real world experience). It is the most worthless
certification that I've ever come across, and it actually teaches you
things that you'll NEVER do in the real world! I'd gone so long in my
career without it, in part, due to the fact that so many
"Java-Certified" types that I'd meet were useless developers.

The vendors care just as little about the student's knowledge as anyone
else - they are also in it for the money. Anytime they change the OS,
you need a new Cert. Anytime a new version of Java comes out, they want
a new Cert... KER-CHING!

What I like about the CISSP is that you are expected to have at least 4
years prior experience before you take the exam. It covers ten different
security domains. It isn't a technical paper where you memorize a bunch
of procedures; rather, you really have to know what you are securing and
why it needs security. It isn't at such a high level as to make it
irrelevant, nor is it at such a low level as to make it too
technically demanding for people that might never have used a firewall
before.

Are you going to get fakers picking a CISSP? Of course you are (just as
is the case with any qualification); but such persons will be weeded out
swiftly once they are in the workforce and can't produce.

Is it a substitute for experience? No. But it does complement your
experience, and if all your experience is only in one particular security
domain, it shows you that there are other security domains and they all
need to be considered together.

Yes, I would prefer to have externally audited orgs performing such
certifications that aren't profit driven; but outside of universities,
they don't exist - and academic knowledge and real world knowledge are
two very different things.

ys

On 26/04/07, Simmons, James <jsimmons () eds com> wrote:

Yes, I agree about determining the pecking order, but what is a better
way of proving that you know something? Actually going out there and
demonstrating that you know it, or taking some cheaply made test, that
no one knows how it was formed, as your validation?
I am not saying that certifications do not serve a purpose, but I have
found very few that are actually good enough to live up to that
purpose.
My example differs between vendor certs (CCNA, MCSE, etc.) and general
knowledge certs (CISSP, Security+, etc.). The vendor certs are by far
superior (though expensive for no reason) because who would know the
subject matter better than the vendor. The general knowledge certs are a
joke. What designates these people as experts? Both in the field that
the cert is focusing on, and in creating a meaningful cert?
In my rant off my link I make reference to the ASE certs for
automotive technicians. ASE was formed by the major automakers of the
day to maintain an acceptable skill level. They employed psychologists,
professors, and other education experts to research and ensure that
their testing methods give an accurate portrayal of the skill level of
the individual. Do you honestly think that any of these companies have
put that much time and effort into their tests? These are start-up
companies that believe they can make some money off of trying to
pseudo-train individuals to do a complicated job. And companies are
trusting these "certified" professionals to protect them and conduct
business critical work on their systems.
And I am not saying that this is the case for everyone. Some very
intelligent and capable individuals are getting the certs because
that is what will attract customers. They are not getting the certs to
learn anything new. They are getting them to prove that they know. And
at that point I question why these certs have to cost so much?
While every other question I see in this forum about certs is "I want
to learn about security, what is the cert I should go after?".
It is just a messed up system that really needs an overhaul.

Regards,

Simmons





--
Yousef Syed
"To ask a question is to show ignorance; not to ask a question, means
you remain ignorant" - Japanese Proverb

