Security Basics mailing list archives
RE: CISSP Question
From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 1 May 2007 14:47:15 -0700
Best reference for this is the (ISC)2 web site, www.isc2.org. But off the top of my head: More or less. You need experience in security or security management; I'm not sure generalized IT management qualifies, and some of the domains include security that isn't necessarily just about computers. If I recall correctly, though, you only need three years IF your degree is in the subject, as yours will be.

Also, there's a fairly new "Associate" designation available for those who can pass the exam but lack the experience the cert requires. Whether employers give that any weight is up to them, of course.

David Gillett
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Elizabeth Tolson
Sent: Friday, April 27, 2007 1:57 PM
To: Simmons,James; andrews () rbacomm com
Cc: security-basics () securityfocus com
Subject: CISSP Question

I am in the process of getting my Master's in Information Systems Security and my CCE for KSU. As far as the CISSP, it is my understanding that you need four years of experience in computer security or IT Management. Is that true?

Elizabeth

-----Original Message-----
From: "Simmons, James" <jsimmons () eds com>
Sent: Apr 27, 2007 3:24 PM
To: andrews () rbacomm com
Cc: security-basics () securityfocus com
Subject: RE: Value of certifications

ISACA does have a standard that is used in many places. So does DISA (government entity), ISECOM, OWASP, and many others. Of course, if you just blindly follow a standard procedure then you are not worth your pay as a professional to begin with. If you are not re-evaluating your own procedure constantly, let alone someone else's, then you are already behind the power curve. Base procedures are a good way to cover the basics and ensure you don't forget something small. That is why they are considered a set of best practices. There is never a single common procedure that will fit 100% of the situations. That is what you are being paid for as a professional. It is a lot like a lawyer. You can easily use a cookie-cutter form for any legal document, but you pay a lawyer to ensure that your particular situation is covered.

> Are you seriously arguing that most people who get their CISSP didn't
> learn anything new to pass? Would the same apply to the CISA and CISM
> tests from ISACA?

I am not arguing that people do not learn anything new in the process. I am saying that the purpose of the cert is to prove that you have a baseline of acceptable knowledge in that field. I am making the point that if you are taking a cert to learn something new, then you are confused as to the purpose of a certification. If you are taking the CISSP to learn about security, then you are providing a great disservice to your employer. It is a sampling issue, the difference between creating a test to ensure knowledge and creating knowledge to pass a test. Unless you want to argue that the CISSP test covers all information that is relevant to computer security, in which case I would just have to laugh at you, and then silently cry at the turn humanity has taken. I would hope that not even ISC2 would take that stance.

On a side note, look at the board of directors for ISC2. They are all computer security people. So granted they have enough people for the technical experience, but where is the resource for education and psychology? Only one person (the only professor) has any sort of background in education and training. So how is a group of people supposed to make a general certification to determine the knowledge level for everyone that takes this test? One teacher is not enough for a valid education system. When was the last time you had a horrible teacher/professor? What are the chances that this guy is such a savant in teaching that he can handle all the executive-level education decision needs of this company by himself? At least ISACA has three professors on their board of directors.

> While I wish they cost less, since I will be paying for any tests
> myself, they are at what the market will bear. If you can make one
> cheaper that is just as effective, go ahead and do so. :)

And that is my point. This is a call to arms of sorts. We need a new system. Who doesn't agree? What points do you have that this system is the best and doesn't need to be changed drastically? I am proposing as an example a system that has been working (ASE). It is far from perfect, but it is better than our current system. The problem is that nothing is going to change until more people wake up and see the flaws in the current system. Especially with computer security, an industry that was created with the mindset that you can never really trust what people say, because we are always looking for man-in-the-middle attacks, social engineering, and other anomalies that we have to protect against. This should go out to hiring managers and the decision makers. Point out the flaw in the hiring practices. I cannot be the only one who is tired of having to work with someone who is completely unqualified and believes that they are the best.

Regards,
Simmons

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of andrews () rbacomm com
Sent: Friday, April 27, 2007 10:13 AM
To: security-basics () securityfocus com
Subject: RE: Value of certifications

Quoting "Simmons, James" <jsimmons () eds com>:

> Do you honestly think that any of these companies have put that much
> time and effort into their tests?

The ISC2 is far from a startup company. ISACA has also been around a while. And their COBIT standard is used many places.... I may be wrong, but I think they have put some thought into their tests.

> They are not getting the certs to learn anything new. They are getting
> them to prove that they know.

Are you seriously arguing that most people who get their CISSP didn't learn anything new to pass? Would the same apply to the CISA and CISM tests from ISACA?

> And at that point I question why these certs have to cost so much?

While I wish they cost less, since I will be paying for any tests myself, they are at what the market will bear. If you can make one cheaper that is just as effective, go ahead and do so. :)

Brad