Security Basics mailing list archives

RE: CISSP Question


From: "David Harley" <david.a.harley () gmail com>
Date: Sat, 12 May 2007 11:11:48 +0100

You addressed the issues with your research and provided 
links. 

Thanks. It so happens I wrote a chapter section on security certs recently,
so it didn't take a lot of research. :)

      "a valued credential awarded in several fields that 
proves competency upon satisfactory demonstration of 
particular knowledge and skills."

I'd say knowledge and/or skills, perhaps, but that's a reasonable working
definition.

can agree that a certification is implying to the hiring 
company that the holder of this certificate is in possession 
of at least a minimum level of skill and knowledge. That the 
employer can reasonably expect that the holder of this 
certificate will be able to perform to this minimum level 
without any extra training, or otherwise expenditure incurred 
upon by the company.

I think I agree with your underlying premise, but not the way you've
expressed it. There are scenarios where you would take on someone who can't
do the job right now, because they have attributes (which might include
certification) that convince you that it's worth giving them training (or
time to self-train.) For example, in a package they don't at present have
adequate knowledge of.

The GIAC, SANS Institute and SANS Technology Institute are 
different Trade name as is pointed out in the link you 
provided.

Whoa! I'm the last person to "defend" SANS. I respect some of their work,
and some of their associates are first-class people. I've also been sharply
critical, sometimes publicly, and I don't think I'd be Alan Paller's first
choice as their "advocate." So I'll make one or two general points and let
it go. 

* There are many instances in education in general, never mind IT, where the
body that awards some form of certification (degree, diploma, certificate,
etc.) is also the body (or part of the body) that does the teaching. There
may be scope for abuse there, but you'd see enormous holes in current
educational systems if it suddenly became compulsory to introduce complete
separation. What's more, I could certainly point you to instances where
complete separation between teaching establishments and examining bodies
fails to dispel doubts about the system, but that won't interest this list.
* I commend your painstaking research into SANS, but what you're telling me
doesn't disprove their honesty, competence or ethical standards. And I only
said they had some degree of separation: there's no suggestion that they
aren't allied, from me, their web pages, or anywhere else.

Moving on, certification prices. They are more expensive than 
they need to be. That is my view, though some believe that it 
is a fair and decent price. I believe that it can be much 
cheaper, and the only reason that it isn't is because of 
obvious greed, and not out of operating costs.

I'm not privy to the details of SANS or (ISC)2 finances. I can't possibly
comment on the accuracy or otherwise of your conjectures. And I don't want
to get snagged on this sort of debate. 

-- 
David Harley CISSP, Small Blue-Green World
Security Author/Editor/Consultant/Researcher
AVIEN Guide to Malware:
http://www.smallblue-greenworld.co.uk/pages/avienguide.html
Security Bibliography:
http://www.smallblue-greenworld.co.uk/pages/bibliography.html
