Security Basics mailing list archives
RE: Value of certifications
From: "Ackley, Alex" <aackley () epmgpc com>
Date: Fri, 27 Apr 2007 16:50:20 -0400
Do some research before spouting more CISSP non-sense please. Just because you do not see people on their board does not mean they don't have them. The class I took recently was taught by a person who works directly with ISC2 and told us that they have numerous people employed whose only purpose is in designing the best test possible. In the same was that auto repair tests are designed. Just because you don't think it's being done does not mean that it's not. I used to spout this same crap myself I've been reading from you for the last few days, but then broke down and got my certs. I've 20+ years of experience in computer security and didn't need them. But they give employers that idea to hold onto that they like. Just like a college degree does much the same thing. Are you going to argue next that having a BS in Comp Sci is just as worthless as a Cert? It does the same thing for employers and proves just as much as to what the person knows. I've worked with just as many idiots who were college grads as cert holders and just as many who had both. -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Simmons, James Sent: Friday, April 27, 2007 3:24 PM To: andrews () rbacomm com Cc: security-basics () securityfocus com Subject: RE: Value of certifications ISACA does have a standard that is used in many places. So does DISA (government entity), ISECOM, OWASP, and many others. Of course if you just blindly follow a standard procedure then you are not worth your pay as a professional to begin with. If you are not re-evaluating your own procedure constantly let alone someone else's, then you are already behind the power curve. Base procedures are a good way to cover the basics, and ensure you don't forget something small. That is why they are considered a set of best practices. There is never a single common procedure that will fit 100% of the situations. That is what you are being paid for as a professional. It is a lot like a lawyer. You can easy use a cookie cutter form for any legal document, but you pay a lawyer to ensure that your particular situation is covered.
Are you seriously arguing that most people who get their CISSP didn't
learn anything new >to pass? Would the same apply to the CISA and CISM tests from ISACA? I am not arguing that people do not learn anything new in the process. I am saying that the purpose of the cert is to prove that you have a baseline of acceptable knowledge in that field. I am making the point that if you are taking a cert to learn something new, then you are confused as to the purpose of a certification. If you are taking the CISSP to learn about security, then you are providing a great disservice to your employer. It is a sampling issue, the difference between creating a test to ensure knowledge, and creating knowledge to pass a test. Unless you want to argue that the CISSP test covers all information that is relevant to computer security, in which case I would just have to laugh at you, and then silently cry at the turn humanity has taken. I would hope that not even ISC2 would take that stance. On a side note, look at the board of directors for ISC2. They are all computer security people. So granted they have enough people for the technical experience, but where is the resource for education and psychology? Only one person (the only professor) has any sort of background in education and training. So how is a group of people suppose to make a general certification to determine the knowledge level for everyone that takes this test? One teacher is not enough for a valid education system. When was the last time you had a horrible teacher/ professor? What are the chances that this guy is such a savant in teaching that he can handle all the executive level education decision needs of this company by himself? At least ISACA has three professors on their board of directors.
While I wish they cost less, since I will be paying for any tests
myself, the are at
what the market will bear. If you can make one cheaper that is just
effective, go ahead
and do so. :)
And that is my point. This is a call to arms of sorts. We need a new system. Who doesn't agree? What points do you have that this system is the best and doesn't need to be changed drastically? I am proposing as an example a system that has been working (ASE). It is far from perfect, but it is better then our current system. The problem, is that nothing is going to change until more people wake up and see the flaws in the current system. Especially with computer security, an industry that was created with the mindset that you can never really trust what people say, because we are always looking for man-in-the-middle attacks, social engineering, and other anomalies that we have to protect against. This should go out to hiring managers, and the decision makers. Point out the flaw in the hiring practices. I can not be the only one who is tired of having to work with someone who is completely unqualified and believes that they are the best. Regards, Simmons -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of andrews () rbacomm com Sent: Friday, April 27, 2007 10:13 AM To: security-basics () securityfocus com Subject: RE: Value of certifications Quoting "Simmons, James" <jsimmons () eds com>:
Do you honestly think that any of these companies have put that much time and effort into their tests?
The ISC2 is far from a startup company. ISACA has also been around a while. And their COBIT standard is used many places.... I may be wrong, but I think they have put some thought into their tests.
They are not getting the certs to learn anything new. They are getting
them to prove that they know.
Are you seriously arguing that most people who get their CISSP didn't learn anything new to pass? Would the same apply to the CISA and CISM tests from ISACA?
And at that point I question why these certs have to cost so much?
While I wish they cost less, since I will be paying for any tests myself, the are at what the market will bear. If you can make one cheaper that is just effective, go ahead and do so. :) Brad
Current thread:
- Re: Value of certifications, (continued)
- Re: Value of certifications Yousef Syed (Apr 27)
- RE: Value of certifications Simmons, James (Apr 27)
- Re: Value of certifications Patrick (Apr 30)
- RE: Value of certifications Craig Wright (Apr 27)
- RE: Value of certifications Simmons, James (Apr 27)
- RE: Value of certifications Craig Wright (Apr 30)
- Re: Value of certifications Yousef Syed (Apr 27)
- RE: Value of certifications Adnan Rafik (Apr 30)
- RE: Value of certifications andrews (Apr 27)
- RE: Value of certifications Simmons, James (Apr 27)
- RE: Value of certifications Ackley, Alex (Apr 30)
- Re: RE: Value of certifications Joey Boyer (Apr 25)
- Re: RE: Value of certifications andrews (Apr 26)
- Re: RE: Value of certifications Nathalie Vaiser, RFC, FMM (Apr 27)
- Re: RE: Value of certifications Yousef Syed (Apr 27)
- RE: RE: Value of certifications Simmons, James (Apr 27)
- Message not available
- Re: RE: Value of certifications Yousef Syed (Apr 27)