Penetration Testing mailing list archives
Re: Federally Mandated Certification of cybersecurity professionals?
From: Pete Herzog <lists () isecom org>
Date: Fri, 10 Apr 2009 14:06:47 +0200
Hi,
> If hoop jumping bothers anyone, then this is not the industry for them. Security changes almost daily so there should be little difference in actually taking the time to jump through hoops in understanding the threats along with the attack vectors. If you can't talk the talk dot dot dot
I didn't see him say hoop jumping bothered him. He said MORE hoop jumping. I think we can all agree we have enough work ahead of us that having to give ourselves more is a significant detriment.
> Will the legislation lead to identifying and hiring the "right" individuals, sure it will. It will lead to the CYA (Cover Your A..) methodology of being able to say they took their due diligence. There is a disconnect many times with those who have a clue NOT being certified and those with certifications still not understanding.
Really? Because mandates to hire CISSPs for example haven't done much good over all. Or maybe (dramatic music) the hackers have also become CISSPs to secretly figure out how to outsmart them! :) And the CYA motivator has, historically, never been a great reason to do anything productive. We should remove the CYA from business instead of encouraging it. And compliance is not CYA. Compliance is a risk decision of legal consequence, whereas CYA is a risk decision of personal consequence. I'm all for compliance if done right. It just hasn't been done right yet.
> Personally, I believe this raises the bar for those unclued and certified to actually go out and re-think/re-examine slash "get a clue". Because it won't be something as easily passed as many trolls would allude to, I think the government is showing that even though they're taking baby steps, they're starting to see through the mud and wising up on security.
I have to differ with you here. Many certifications are easily passed. They don't make you prove that you can do something. They are mainly akin to Trivial Pursuit Security Edition (TM). For the government to show they are getting wiser about security, they need to actually fix their own audit guidelines and stop listening to the commercial influences that are muscling their own interests ahead of the nation's. And I'm not just speaking of the US.
> One of my biggest problems with government is, they isolate themselves far too often. Instead of turning to a "best of breed", dual view of security (private sector/research and their own staff), they often rely far too much on one set of eyes.
They don't isolate themselves ENOUGH, especially from self-serving commercial interests. Best of breed doesn't mean anything if it's the most useless breed of the species. Governments have a long history of working directly with great scientists in the private sector and other great minds, especially mathematicians, to benefit a nation. It's only recently that they've turned more to working with corporations and commercial interests instead, and it's been a disaster. Yes, there's a lot of cool new technologies out there the government can grab, but not if they rely on security professionals with a Trivial Pursuit security base to put them together.
What there needs to be in security is a good competition to bring out the best in the profession. Then instead of just showing their license, they show their accomplishments, which just may be more realistic of their ability. It's a fact that licensing has not weeded out bad professionals from an industry. Like the old joke they tell us in med school: "What do you call a doctor who graduates at the bottom of his class?" A: Doctor.
Licensing has been known to lower the bar as a barrier to entry as opposed to lift it. This is because by imposing fees they narrow the number of applicants, so they need to lower the know-how bar to make up for it. Only professional competition can raise it. The only reason any industry turns to licensing is because it squashes competition and makes more money for certain commercial interests. Security doesn't need more of that.
-pete.