Re: Mile2 Training (Certifications)

[Pete Herzog <lists () isecom org>]

Hi Ken,

Unfortunately, skills-based certification is the closest thing that exists 
to what is really required, decent apprenticeships.  While "virtual" 
apprenticeships happen through hacker groups and to some regards in certain 
on-line training venues, that doesn't come close to giving the well-rounded 
skills a professional security tester needs in the modern workplace.

I was lucky enough to have a great mentor during my time at IBM and what 
Peter Klee didn't teach me about just knowing how to be a "smart security 
consultant" as he called it could fit in a thimble.  For a year that guy 
dragged me to analyst meetings and customer meetings and presentations and 
internal department meetings where I just sat there with my mouth shut and 
learned how security professionals handle themselves.  That doesn't happen 
these days.  Kids leave college with a few infosec courses under their belt 
and they become security professionals already assessing other people's 
business.  There's no substitute for proper apprenticeship.  But since that 
won't happen much anymore we need to find other ways to prove ourselves. 
We do that by showing it to an independent 3rd party to rate our ability to 
apply knowledge and skills to realistic problems in a timely manner. And 
that's what ISECOM is doing. It's the closest thing you can get to proving 
experience and ability like in an apprenticeship.

This whole thing about work experience voucher and all that is a sham that 
more and more people get around.  That doesn't mean anything!  We all work 
with people who share the same job title but not the same work ethic or 
skills.  Yet after 2 years they are the same level as you according to 
these business experience certification requirements.  It's so hokey that I 
even have to use the word "hokey" and that alone is upsetting! ;)

Sincerely,
-pete.



Ken Kousky wrote:
> When exploring certification programs it's also important to note that
> ANSI/OSI have a standard for the certification of professional licensing and
> certification programs. The ANSI/OSI framework does not allow for this kind
> of approach, where you have to buy a specific training product or program. 
>
> A professional licensing process should be an independent test of
> competencies and not a measure of the training program an individual
> purchases. 
>
> The DoD 8570 directive endorses ANSI/OSI certified certification programs -
> I think for this reason. It's not buying training but establishing
> competencies that matters.
>
> It's what you know, not what you buy. I think mostgood professional
> certifications are moving in this direction. 
>
> We still have a long way to go before the processional standards for
> competency are clearly codified. Right now, the targeted skills continue to
> evolve with the exploits but we're starting to better understand the need
> for foundation skills and then specific applications of these skills.
>
> KWK 


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Swap Out your SPI or Watchfire app sec solution for
Cenzic's robust, accurate risk assessment and management
solution FREE - limited Time Offer

http://www.cenzic.com/c/wf-spi
------------------------------------------------------------------------