Firewall Wizards mailing list archives

Re: Trust validation of programmers


From: "Bruce K. Marshall" <bkmarsh () feist com>
Date: Tue, 07 Jul 1998 15:32:47 -0500

tqbf () pobox com wrote:

CISSP cert does look good on your resume. (How is the non-security

Not everywhere. In places staffed with savvy security people, having
"CISSP" on your resume may put you at a distinct disadvantage (you will
wind up having to demonstrate to your potential employer that you are not
a clueless certificate weenie).

    Let's realistically qualify that statement by changing it to "In _some_
places..."  My experiences have shown the converse to be true (whether
justifiably so or not).

Certification tests have absolutely nothing to do with the ability to
perform well as a security consultant.

    I can agree with this only somewhat.  A multitude of factors affect
whether you will perform well as a security consultant including your
personality, geographic location, certifications, ability to
innovate/improvise, employer, education, area of focus, etc.  It's easy to
single out one of these factors and say it doesn't have any value in a
given situation.

    Certification tests DO have a lot to do with your ability to learn the
materials such tests cover and how well you take tests in general.  This
ranges in value from certification test to certification test.

    One could argue that because I knew what X* was for the 250 questions
on my CISSP exam I've improved my value as a security consultant and shown
an inclination towards being successful.

    Nonetheless, this doesn't qualify me to install/secure/design
firewalls, servers, networks, applications or anything else that the test
doesn't cover.  Assuming otherwise is your own fault.

    And to be further honest, one could spend around $3,000 on sending a
reasonably intelligent person with no security experience to the CISSP
review seminars and expect a good score on the following exam.  But unlike
most vendors or associations, the (ISC)^2 discourages this by requiring
prior, verifiable experience in the industry along with continued proof of
education & activities.

    I obviously have a vested interest in showing the value of a CISSP
certification, but I think my opinions are founded in simple logic and
reality.  I can't speak as highly for the other certifications I hold or
have seen in our industry.

    On a topic related to the original note, I don't think it was here that
I recently read news about Texas looking into requiring/advising
programmers to be state licensed.  Can anyone provide a link to such
information?

* With "X" being any piece of information from the ten diverse domains
being tested over on the CISSP exam.  Check out http://www.isc2.org for
more details.

-- 
Bruce K. Marshall, CISSP - bkmarsh () feist com - Feist Communications
      2424 S. St. Francis - Wichita, KS 67216 - 316-264-2248
