Information Security News mailing list archives

INFOSEC: Certifiably Certified


From: InfoSec News <isn () c4i org>
Date: Thu, 24 Oct 2002 01:44:39 -0500 (CDT)

Forwarded from: Richard Forno <rforno () infowarrior org>

As security certifications become more plentiful, they are losing
their real value.

By Richard Forno Oct 23, 2002
© 2002 Securityfocus.Com
http://online.securityfocus.com/cgi-bin/sfonline/columnists-item.pl?id=118

A recent issue of SC Magazine, one of the information security
industry's cheerleading trade rags, featured a full-page advertisement
with the following emblazoned across the top of the page: "How to
increase your salary by 21.39% in 7 days or less."

At first glance, I thought it was from the same people sending "Get
Your Green Card Now" messages to USENET during the 1990s. But to my
dismay I saw it was from a firm offering intensive bootcamp-style
training to technology professionals to earn their security
certifications from ISC2, Cisco, TruSecure, and a suite of other
organizations. The advertisement also had the spamorific phrase "Get IT
Security Certifications Fast" and cited research reports showing that
certified people command higher salaries.

This illustrated one of my latest pet peeves: certifications that are
marketed more towards personal advancement and money than to training
technology professionals for the demanding and important job of
securing networks. Security certifications represent an industry
paradox: they're becoming more numerous and easier to obtain, yet,
bucking all laws of supply and demand, they seem to be more valuable
on the job market.

Acronyms or Experience

From where I sit, security certifications are nothing more than a cash
cow for the companies offering them (see here for a partial list).
Rather than educating aspiring security pros how to secure valuable
network resources, the wave of pyrrhic certifications is a means for
non-technical recruiters and otherwise clueless corporate officers to
separate resumes when hiring security people. The only problem is, the
certifications don't necessarily guarantee that the holder is
qualified to secure a network or to react to a potentially costly
security incident. Instead of serving as a device for identifying
qualified candidates for hiring, certifications are simply a time
efficient way to sort resumes.

Through clever marketing efforts of the certifying entity, HR
personnel may be led to believe that applicants without such
credentials are not legitimate candidates for the job. The other side
of this coin is that these efforts will likely lead HR people to
conclude that the possession of a cert is evidence of adequate,
working knowledge of information security. As a result, a seasoned
veteran with years of hands-on experience in hardening systems will be
deemed less qualified than a wet-behind-the-ears pup with three or
four fancy acronyms behind his name.

Some of these certifications are offered by established, credible
entities such as SANS. But there are others from more dubious sources
that don't provide much in the way of information about their
certification program contents or instructor expertise. All come with
fancy diplomas and letters you can use on business cards to look down
on others who don't have the intelligence or ability to accumulate an
alphabet soup of letters after their name. But all of these acronyms
are so much hollow clanging: sound and fury signifying nothing. Not
only that, but most must be renewed every few years, thereby
guaranteeing a perpetual stream of income pouring into the coffers of
the certificate-granting 'authority.' Ka-ching!

Obviously, it's not about security, it's about the money, stupid.

Too many people forget that letters after your name don't make you a
better security or technology professional. The problem is that many
certifications are simply not stringent enough. The emphasis is not on
establishing compliance with a rigorous industry standard, but on
generating revenue for the certifying body. Given enough time and
money to throw at the challenge, anyone with half a clue about security
can pass a test or write a halfway-acceptable paper, particularly when
many certifications are granted on a pass/fail basis, the threshold of
which may be as low as sixty per cent. Furthermore, candidates can
often challenge substandard marks, thereby snatching an undeserved
certification from the jaws of failure. Let's face it, if your
security administrator is only capable of protecting against sixty per
cent of exploits, your network will be a playground for malicious
hackers.

Introducing people into a trusted internal environment and charging
them to protect it simply because they appear to be competent in the
eyes of a third party is foolish. Haphazardly hiring security
personnel on the basis of a certification for which there is not even
a standard (such as ISO 17799) is a reckless endangerment of the
hiring organization's resources. Furthermore, given the interconnected
nature of the Internet, in some cases, this has the real possibility
of adversely affecting security across the Internet in general.

Doing the Time to Prevent the Crime

Having been a Chief Security Officer for a multi-billion dollar
company, my hiring philosophy is this: give me someone with an
outstanding command of the basics of systems and networks (which
includes security fundamentals) and years of demonstrated operational
experience "in the trenches" over someone with a few years of training
and a few certifications anytime. Expertise and professional
competence in anything comes from time doing the work, either
professionally or as a hobby. Certifications are great ways to impart
theoretical knowledge, but they are no substitute for real-world
experience and lessons-learned in the workplace.

If a candidate for a security position is competent, you'll find that
out by due diligence during the interview process and reference checks
easily enough. But if they're truly professional, their successful
history in technology security operations and management and ongoing
writing, speaking, or teaching activities among their colleagues
verifies their security competencies far more effectively than any
certification or training regime.

Someone who truly knows how to implement security the right way should
be evaluated and respected accordingly by their demonstrated work
experience and by a diligent informed interview process conducted by
security professionals. They should not be hired by an HR hack who
knows nothing about security but the acronyms of numerous half-baked
certifications.

Now, for a Limited Time Only...

That having been said, I'm happy to announce that I'm going into the
certification business. If anyone cares to send me $500 and copies of
their alphanumeric passwords, I'll return to them a diploma conferring
on them the title "Certified Strong Password-Using Professional"
(CSPUP) that's good for four years from the date on their check or
money order.

Within weeks, you'll be worth more as a security professional in the
eyes of your employer. Trust me.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.