Security Basics mailing list archives
RE: CISSP Question
From: "Simmons, James" <jsimmons () eds com>
Date: Thu, 10 May 2007 13:10:01 -0500
David,

A point is that it can be cheap to run these certifications. It is currently being done, with better results, and with a smaller pool of customers. Which is why I do have an inherent distrust of certification companies. Now I cannot say about the degree of work that goes into creating any IT certs. But I do know that it should be pretty self-sustaining after the initial investment of research.

I am not saying that they do not serve a purpose, nor that they are not needed. If you are trying to make a standardized baseline of skill, then it should be accessible to everyone. It is the difference between a $400 cert and a $50 cert. If everyone can actually have the chance to obtain the certification without any adverse financial hardships, then you will have a cert that will be closer to actually representing a baseline. Right now there are too many people out there that can easily pass these tests, but do not take them for one reason or another. (Usually price is a big motivation.)

Take ISC2 for example (because I am really trying not to pick on them, but they are the best known). Why are their tests $400?

- To develop the tests? Their model is in place to minimize the cost of developing tests. Someone develops a question, it gets reviewed and then submitted to a current test to determine the percentages of people that are confused by the question, or what not.
- To supply training for the certs? This is very counterproductive to a certification. Are you going to teach the people what they need to know to pass a test to prove that they do indeed have experience and training in this skill (as is the case in SANS certs and boot camps)? I can understand offering a review class or something of the sort, just to go over broadly what is covered and how the test is laid out. That is test prep work and that is more understandable than an actual class covering what they are already supposed to know.

On a side note, I am not aware of ISC2 actually hosting training classes other than the review classes. I would love to find out if anyone actually paid for one of these review tests, and what was the mentality of the tests?

- And as for designing the test, that should have already been done, and updated as need be. That should have been an original cost at the beginning.
- And finally man hours for administrating the tests. I can understand this cost, but then after taking the test, what is the purpose of the annual maintenance fee?

Now SANS is all messed up. I can understand the use of certifications, and I think they are more credible than most since they started as a repository for various security-related information. But then they also run these boot camps that teach you what they are trying to prove that you have a skill set in. That is just backwards. No other company I have found blatantly offers a crash course in their certifications. That just reeks of a money-making scam.

Regards,
Simmons

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of David Harley
Sent: Thursday, May 10, 2007 3:10 AM
To: 'April Carson'; Simmons, James; 'Yousef Syed'
Cc: security-basics () securityfocus com
Subject: RE: CISSP Question
"I stand on the belief that you should not have to spend tons of money
to prove your worth." PERFECT!!
Indeed. But it's an ideal, not real life. Forget the security Certs. Most of us are, in the job market and elsewhere, to some extent defined by our qualifications, from school level certifications to first and higher degrees, to all manner of vocational qualifications. And they nearly all cost money. Of course, we don't always spend our own money on them: I don't think I've ever spent my own money on a vocational qualification, or even . I realize that some people do (for instance, to break into an area where they aren't already working for someone who's prepared to help them with professional development) and I think it's unreasonable to suggest that they shouldn't commit money, time and effort into self-development.

The point, though, is that most qualifications cost someone money, and some of them cost a lot more than CISSP, GIAC etc. But they're an attempt (however imperfect) to measure baseline ability by objective criteria. If you're saying that we should assess others purely by our own instincts and abandon all attempts to assess objectively, you must have more faith in the human race than I do.

As for the cost issues, let's remember that it's not cheap to implement certs, supply training for them, design and implement testing, and so on. In other words, certifying bodies don't work for free, though not all are for-profit and keep costs down by using certified volunteers, for example.

Mr Simmons, I don't use those letters after my name to "prove" that I'm "important next to others". I use them (sometimes) because some customers, publishers etc. find it reassuring that I've signed up to a baseline level of professional development and ethical standards in the field in which I work. It helps that unlike most of the vocational certs I've picked up over the years, they compress to an acronym that doesn't bloat my signature. Since I am not "validated" by an impressive job title or affiliation with a major corporation, they give a very, very slight indication of where I am in the foodchain. But they don't prove I'm not an idiot. :)

--
David Harley CISSP, Small Blue-Green World
Security Author/Editor/Consultant/Researcher
AVIEN Guide to Malware: http://www.smallblue-greenworld.co.uk/pages/avienguide.html
Security Bibliography: http://www.smallblue-greenworld.co.uk/pages/bibliography.html