Firewall Wizards mailing list archives
Re: How do we do our job?
From: "Bruce K. Marshall" <bkmarsh () feist com>
Date: Fri, 01 May 1998 11:28:22 -0500
Bennett Todd wrote:
> I don't propose making it easier for frauds; I'm all in favour of effective measures to make their life harder. Sadly, certification in computer security doesn't seem to profit anyone except those same frauds.
I would also take exception to your blatant generalization. Not because I'm certified, but because I know of many more qualified people who do carry industry/vendor specific certifications and they are most definitely not frauds. You sound a lot like I used to be in regards to college degrees. Having decided not to pursue a college degree myself I proceeded to denounce their importance and worth to my peers. After all, what is the value of a piece of paper, especially when it is born from studies of COBOL and Microcomputer basics?

After realizing that the Sun and Earth didn't revolve around me, I started looking a little deeper into what a college degree consisted of. First, I realized some employers simply won't hire you unless you have a degree. I still find this quite ignorant, but have learned to deal with the fact that they are losing out, not me or many other people. Second, I saw that even if some of the coursework was what I would consider outdated, they were teaching concepts that applied to many other aspects of computers and networking. Third, most computer geeks weren't just relying on their classes to provide them with an education. Extra-curricular activities or independent projects served a great deal of education and growth. Internships, hands-on lab time, library resources, etc. all contribute to the potential value of a college education.

I still don't think that I'm at much of a disadvantage when compared to those who attended college because I took measures to pursue a lot of these same areas on my own. But, I don't immediately dismiss the value of a college education either. I have to weigh that in any decisions about a person's worth or qualifications. Whether they took advantage of their opportunities there usually becomes quite clear. Certifications can be in this same boat.
Because I took the time to learn about physical security and how the legal system deals with computer crime for the CISSP exam makes me better at doing my job and understanding how the industry functions. It doesn't mean that an employer should hire me over you. As I said, this should just be one factor in your judgment of me or anyone else, but you have to consider it. My point being, don't make broad characterizations (negative or positive) about something until you've thought through the process and met enough people to make a valid decision. It just doesn't seem like you've really done that.
> I've never met anyone with experience and credentials in the security field who believed that computer security expertise could be usefully tested for and certified.
This depends on the extent and focus of your testing. For me to claim that my CISSP proves I'm a security guru would be quite false. To claim that my CISSP proves I understood at the time of my exam (and hopefully still do) the Bell-LaPadula model, OSI layers, telecom security basics, how to do Business Continuity planning, etc. would be quite valid. I've passed a test designed to measure my comprehension of those subjects.

If you ask me to design an exam that would test your ability at understanding the properties of TCP/IP, I could do that without much trouble. However, change that criterion to creating a test that would test your ability to effectively implement TCP/IP in business environments and my job has just skyrocketed in complexity. Ultimately, a lot of tests try to meet the latter goal and do it so poorly that my view of certification tests is also a bit negative. A Cisco exam I took, as well as my CISSP test, had some obvious grammatical errors that should have been caught in the evaluation process. That doesn't make me feel too comfortable with their overall evaluations if they can't meet even such a basic requirement.

However, that doesn't stop me from trying to adapt and add what is perceived by most as value to my career. We'll never get complete agreement from a group of people on the value of X vs. Y, but I hope that my view helps expand the overall understanding in the same way that I've gained insight from others.

--
Bruce K. Marshall, CISSP - bkmarsh () feist com - Feist Communications
2424 S. St. Francis - Wichita, KS 67216 - 316-264-2248