Security Basics mailing list archives

RE: CISSP Question


From: "Simmons, James" <jsimmons () eds com>
Date: Thu, 10 May 2007 13:10:01 -0500

David, 
A point is that it can be cheap to run these certifications. It is
currently being done, with better results, and with a smaller pool of
customers, which is why I do have an inherent distrust of certification
companies. Now I cannot say about the degree of work that goes into
creating any IT certs. But I do know that it should be pretty
self-sustaining after the initial investment of research.

I am not saying that they do not serve a purpose, nor that they are not
needed. If you are trying to make a standardized baseline of skill, then
it should be accessible to everyone. It is the difference between a $400
cert and a $50 cert. If everyone can actually have the chance to obtain
the certification without any adverse financial hardships, then you will
have a cert that will be closer to actually representing a baseline.
Right now there are too many people out there that can easily pass these
tests, but do not take them for one reason or another. (Usually price is
a big motivation.)

Take ISC2 for example (because I am really trying not to pick on them,
but they are the best known). Why are their tests $400? 

-To develop the tests? Their model is in place to minimize the cost of
developing tests. Someone develops a question; it gets reviewed and then
submitted to a current test to determine the percentages of people that
are confused by the question, or what not.

-To supply training for the certs? This is very counterproductive to a
certification. Are you going to teach the people what they need to
know to pass a test to prove that they do indeed have experience and
training in this skill (as is the case in SANS certs and boot camps)? I
can understand offering a review class or something of the sort, just to
go over broadly what is covered and how the test is laid out. That is
test prep work and that is more understandable than an actual class
covering what they are already supposed to know. On a side note, I am not
aware of ISC2 actually hosting training classes other than the review
classes. I would love to find out if anyone actually paid for one of
these review tests, and what was the mentality of the tests?

-And as for designing the test, that should have already been done, and
updated as need be. That should have been an original cost at the
beginning. 

-And finally, man hours for administrating the tests. I can understand
this cost, but then after taking the test, what is the purpose of the
annual maintenance fee?

Now SANS is all messed up. I can understand the use of certifications,
and I think they are more credible than most since they started as a
repository for various security-related information. But then they also
run these boot camps that teach you what they are trying to prove that
you have a skill set in. That is just backwards. No other company I have
found blatantly offers a crash course in their certifications. That
just reeks of a money-making scam.

Regards,

Simmons

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of David Harley
Sent: Thursday, May 10, 2007 3:10 AM
To: 'April Carson'; Simmons, James; 'Yousef Syed'
Cc: security-basics () securityfocus com
Subject: RE: CISSP Question

"I stand on the belief that you should not have to spend tons of money
to prove your worth."

PERFECT!!

Indeed. But it's an ideal, not real life. 

Forget the security Certs. Most of us are, in the job market and
elsewhere, to some extent defined by our qualifications, from school
level certifications to first and higher degrees, to all manner of
vocational qualifications. And they nearly all cost money. Of course, we
don't always spend our own money on them: I don't think I've ever spent
my own money on a vocational qualification, or even . I realize that
some people do (for instance, to break into an area where they aren't
already working for someone who's prepared to help them with
professional development) and I think it's unreasonable to suggest that
they shouldn't commit money, time and effort into self-development. The
point, though, is that most qualifications cost someone money, and some
of them cost a lot more than CISSP, GIAC etc. But they're an attempt
(however imperfect) to measure baseline ability by objective criteria.
If you're saying that we should assess others purely by our own
instincts and abandon all attempts to assess objectively, you must have
more faith in the human race than I do. 

As for the cost issues, let's remember that it's not cheap to implement
certs, supply training for them, design and implement testing, and so
on. In other words, certifying bodies don't work for free, though not
all are for-profit and keep costs down by using certified volunteers,
for example.  

Mr Simmons, I don't use those letters after my name to "prove" that I'm
"important next to others". I use them (sometimes) because some
customers, publishers etc. find it reassuring that I've signed up to a
baseline level of professional development and ethical standards in the
field in which I work. It helps that unlike most of the vocational certs
I've picked up over the years, they compress to an acronym that doesn't
bloat my signature.
Since I am not "validated" by an impressive job title or affiliation
with a major corporation, they give a very, very slight indication of
where I am in the food chain. But they don't prove I'm not an idiot. :)

--
David Harley CISSP, Small Blue-Green World Security
Author/Editor/Consultant/Researcher
AVIEN Guide to Malware:
http://www.smallblue-greenworld.co.uk/pages/avienguide.html
Security Bibliography:
http://www.smallblue-greenworld.co.uk/pages/bibliography.html

 


